From 29dec7dd8ba8df71c65ea83b5054e80fc82d42e3 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 10 Mar 2021 18:51:27 +0100
Subject: [PATCH] fix: FPs with LSASS Access from Non System Account

---
 .../win_lsass_access_non_system_account.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/win_lsass_access_non_system_account.yml
index 55bab5f3b..e566249ab 100644
--- a/rules/windows/builtin/win_lsass_access_non_system_account.yml
+++ b/rules/windows/builtin/win_lsass_access_non_system_account.yml
@@ -3,7 +3,7 @@ id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
 description: Detects potential mimikatz-like tools accessing LSASS from non system account
 status: experimental
 date: 2019/06/20
-modified: 2019/11/10
+modified: 2021/03/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
     - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md
@@ -19,6 +19,20 @@ detection:
         EventID:
             - 4663
             - 4656
+        AccessMask|contains:
+            - '0x40'
+            - '0x1400'
+            - '0x1000'
+            - '0x100000'
+            - '0x1410' # car.2019-04-004
+            - '0x1010' # car.2019-04-004
+            - '0x1438' # car.2019-04-004
+            - '0x143a' # car.2019-04-004
+            - '0x1418' # car.2019-04-004
+            - '0x1f0fff'
+            - '0x1f1fff'
+            - '0x1f2fff'
+            - '0x1f3fff'
         ObjectType: 'Process'
         ObjectName|endswith: '\lsass.exe'
     filter:
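Review bot: The `AccessMask|contains` modifier added in the second hunk does substring matching on the hex string, so short entries such as `'0x40'` and `'0x1000'` also match unrelated masks that merely contain those characters (for example an open with mask `0x400` would hit the `'0x40'` entry), which works against the stated goal of cutting false positives and makes several list entries redundant (`'0x1000'` already covers `'0x100000'`). Since 4656/4663 carry a single hex value in AccessMask, an exact list match expresses the intent more tightly: `AccessMask:` in place of `AccessMask|contains:`. Note also that the list stops at `'0x1f3fff'`; if full-access opens with the larger all-access mask used on current Windows versions are meant to be caught, that value should be confirmed and added explicitly rather than relying on substring overlap. The bare constants would benefit from a short comment per value naming the process rights they encode, as the `car.2019-04-004` tags only cover five of them. The `filter:` and `condition:` parts of the detection block continue outside the hunk, so the net effect of the new selection on the existing filter cannot be judged from here.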