fix: FPs with LSASS Access from Non System Account

rules/windows/builtin/win_lsass_access_non_system_account.yml

@@ -3,7 +3,7 @@ id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
 description: Detects potential mimikatz-like tools accessing LSASS from non system account
 status: experimental
 date: 2019/06/20
-modified: 2019/11/10
+modified: 2021/03/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
     - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md
@@ -19,6 +19,20 @@ detection:
         EventID:
             - 4663
             - 4656
+        AccessMask|contains:
+            - '0x40'
+            - '0x1400'
+            - '0x1000'
+            - '0x100000'
+            - '0x1410'    # car.2019-04-004
+            - '0x1010'    # car.2019-04-004
+            - '0x1438'    # car.2019-04-004
+            - '0x143a'    # car.2019-04-004
+            - '0x1418'    # car.2019-04-004
+            - '0x1f0fff'
+            - '0x1f1fff'
+            - '0x1f2fff'
+            - '0x1f3fff'
         ObjectType: 'Process'
         ObjectName|endswith: '\lsass.exe'
     filter: