From 1759205930cf0e90a749575e691ea18c2a8779f4 Mon Sep 17 00:00:00 2001
From: Alexander Bolshakov
Date: Fri, 28 Jun 2019 14:43:38 +0300
Subject: [PATCH] Add Windows Minidump file signature

This signature is relevant for process dumps on Windows that could be extracted by various tools. The unencrypted transmission of the dump of a critical system process (for example, lsass.exe) via network would be detected by this rule.
---
 scripts/base/frameworks/files/magic/general.sig | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index 23b1c1d074..6494a2ca54 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -414,3 +414,9 @@ signature file-vim-tmp {
 	file-mime "application/x-vim-tmp", 100
 	file-magic /^b0VIM/
 }
+
+# Windows Minidump
+signature file-windows-minidump {
+	file-mime "application/x-windows-minidump", 50
+	file-magic /^MDMP/
+}
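Review bot: The `/^MDMP/` pattern in the new `file-windows-minidump` signature keys on only the 4-byte Signature field of MINIDUMP_HEADER, and the confidence of 50 is left unexplained right next to the 100 that `file-vim-tmp` uses. Per the MINIDUMP_HEADER layout the next dword is Version, whose low word is MINIDUMP_VERSION (0xa793) stored little-endian, so `file-magic /^MDMP\x93\xa7/` would reject most streams that merely start with the ASCII text MDMP while still matching real dumps; confirm against a captured minidump before tightening, since the high word of that dword is implementation-specific and must stay unanchored. If the lower confidence is deliberate, say so in the new comment, e.g. `# Windows Minidump (MINIDUMP_HEADER). Confidence 50: 4-byte prefix only, may collide with other MDMP-prefixed data`. The comment should also note that this fires only when Zeek sees the dump body in the clear (HTTP, SMB, FTP, ...); a dump that is compressed, archived or carried over TLS will not match, which qualifies the lsass.exe claim in the commit message.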