From 2e45a9ca73ba9eda3fa0c6e1a1bd3f387bf9e033 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 31 Jul 2023 10:17:20 +0200
Subject: [PATCH] Update win_security_susp_lsass_dump_generic.yml

---
 .../security/win_security_susp_lsass_dump_generic.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
index 4c03b4c24..8ce6bc8d2 100644
--- a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
@@ -7,7 +7,7 @@ references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
 date: 2019/11/01
-modified: 2023/03/23
+modified: 2023/07/31
 tags:
 - attack.credential_access
 - car.2019-04-004
@@ -90,6 +90,9 @@ detection:
 ProcessName|contains: '\AppData\Local\Temp\is-'
 ProcessName|endswith: '\avira_system_speedup.tmp'
 AccessList|contains: '%%4484'
+ filter_snmp:
+ ProcessName: 'C:\Windows\System32\snmp.exe'
+ AccessList|contains: '%%4484'
 condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
 - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
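Review bot: The new `filter_snmp` exclusion is decided only by the image path `C:\Windows\System32\snmp.exe` and `AccessList|contains: '%%4484'`, and because `contains` matches any access list that merely includes that token, a process at that path requesting a superset of rights is excluded as well; an actor who already holds the privileges needed to open LSASS can also place a binary under that name in System32, so this filter trades coverage for noise reduction and the rule should say so. Nothing in the hunk records why the Windows SNMP service opens LSASS, so I would add above `filter_snmp:` a comment such as `# snmp.exe opens lsass.exe, presumably while enumerating processes — confirm against 4656/4663 telemetry before widening; full System32 path is intentional, mirrors the avira filter above`. The field names and the event IDs the rule's logsource selects are outside this hunk, so the Security-log context is inferred from the file path, not verified here.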