From 1f7e37d2a083209888d13dfd2987b72aff39b09f Mon Sep 17 00:00:00 2001
From: Bhabesh
Date: Tue, 28 Jun 2022 10:56:18 +0545
Subject: [PATCH] Fixed CallTrace

---
 .../proc_access_win_handlekatz_lsass_access.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml b/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
index 3c496416f..181ec14a3 100644
--- a/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
@@ -13,13 +13,12 @@ detection:
 selection:
 TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
 GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
+
+ call_trace: # C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
+ CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
 CallTrace|contains: '|UNKNOWN('
- filter:
- CallTrace|contains:
- - '\KERNEL32.DLL+'
- - '\KERNELBASE.DLL+'
- - '\WOW64.DLL+'
- condition: selection and not filter
+ CallTrace|endswith: ')'
+ condition: selection and call_trace
 falsepositives:
 - Unknown
 level: high
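Review bot: The added `condition: selection and call_trace` line has to sit at the same indent as `selection:` and `call_trace:`; the collapsed view does not show its indentation, and if it was nested under `call_trace` (where the previous `+` lines sit) it becomes a field named `condition` inside that selection and the rule has no condition at all, so this is worth checking in the applied file. The comment on the `call_trace:` line escapes the frame separator as `\|UNKNOWN(`, whereas the Sysmon CallTrace value and the `CallTrace|contains: '|UNKNOWN('` selector below use a plain `|`; writing it as `# e.g. C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(00000000001C119B)` keeps the example consistent with what is matched. Replacing the `filter` block with `startswith`/`endswith` also changes coverage in one direction: a trace of the form ntdll → KERNELBASE → UNKNOWN(...) now matches, where the old `\KERNELBASE.DLL+` exclusion dropped it; that may be intended for direct-syscall tooling, but the reasoning belongs in the rule's description or a comment next to `call_trace:` so the next reviser does not reintroduce the filter.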