Merge pull request #3190 from phantinuss/master

fix: FP found in testing

rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder
 author: Florian Roth
 date: 2021/11/27
-modified: 2022/04/29
+modified: 2022/07/01
 references:
     - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -65,9 +65,13 @@ detection:
             - '\MBAMInstallerService.exe'
             - '\WebexMTA.exe'
         GrantedAccess: '0x410'
+    filter2:
+        SourceImage|startswith: 'C:\Windows\Temp\'
+        SourceImage|endswith: '.tmp\DropboxUpdate.exe'
+        GrantedAccess: '0x410'
     filter_nextron:
         SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
-        SourceImage|endswith: 
+        SourceImage|endswith:
             - '\thor64.exe'
             - '\thor.exe'
         GrantedAccess: