From 15cd71403a4e61502e2d1564b7b089af0280e4dd Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 1 Jul 2022 11:10:57 +0200
Subject: [PATCH] fix: FP found in testing

---
 ...proc_access_win_susp_proc_access_lsass_susp_source.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
index 46aa8ab36..1acda006f 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder
 author: Florian Roth
 date: 2021/11/27
-modified: 2022/04/29
+modified: 2022/07/01
 references:
     - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -65,9 +65,13 @@ detection:
             - '\MBAMInstallerService.exe'
             - '\WebexMTA.exe'
         GrantedAccess: '0x410'
+    filter2:
+        SourceImage|startswith: 'C:\Windows\Temp\'
+        SourceImage|endswith: '.tmp\DropboxUpdate.exe'
+        GrantedAccess: '0x410'
     filter_nextron:
         SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
-        SourceImage|endswith: 
+        SourceImage|endswith:
             - '\thor64.exe'
             - '\thor.exe'
         GrantedAccess:
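Review bot: The new `filter2` in the second hunk excludes every `SourceImage` matching `C:\Windows\Temp\…\*.tmp\DropboxUpdate.exe` with `GrantedAccess: '0x410'`, and since this event carries no image signature or hash, the exclusion rests solely on a file name under a directory that is writable by ordinary processes; the trade-off is acceptable for a known updater, but it should be recorded in the rule's `falsepositives` list (outside this hunk) so that operators know this path is no longer covered by the rule. The filter name `filter2` is also inconsistent with the descriptive `filter_nextron` directly below it; `filter_dropbox:` would match the file's convention and make the exclusion searchable. If the rule's `condition` (outside this hunk) names the filters individually rather than using `1 of filter*`, the new filter also needs to be added there, otherwise the fix has no effect.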