From 37ff832fda34b99c58df92b37b79708e0c5883df Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 22 Nov 2021 13:43:20 +0100
Subject: [PATCH] fix: FPs with LSASS access rule

---
 .../win_susp_proc_access_lsass.yml | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml
index ceedf8fe7..edf6cd800 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml
@@ -49,7 +49,25 @@ detection:
 - 'BA'
 - 'DA'
 - 'FA'
- condition: selection
+ filter1:
+ SourceImage:
+ - 'C:\WINDOWS\system32\taskmgr.exe'
+ filter2:
+ SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
+ SourceImage|endswith: '\MsMpEng.exe'
+ filter3:
+ SourceImage|startswith: 'C:\Program Files\WindowsApps\'
+ SourceImage|endswith: '\GamingServices.exe'
+ GrantedAccess: '0x1410'
+ filter4:
+ SourceImage|endswith:
+ - '\PROCEXP64.EXE'
+ - '\PROCEXP.EXE'
+ GrantedAccess: '0x1410'
+ filter5:
+ SourceImage|startswith: 'C:\ProgramData\VMware\VMware Tools\'
+ SourceImage|endswith: '\vmtoolsd.exe'
+ condition: selection and not filter1 and not filter2 and not filter3 and not filter4 and not filter5
 fields:
 - User
 - SourceImage
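Review bot: filter4 is anchored only on the image file name (`SourceImage|endswith: '\PROCEXP64.EXE'` / `'\PROCEXP.EXE'`) with no directory prefix, which makes it a broader exclusion than filter1, filter2, filter3 and filter5, all of which pin a full path or a path prefix; the `GrantedAccess: '0x1410'` constraint narrows it, but any source image carrying that name from any location still drops out of the rule. Consider anchoring it the same way as the others where the install location is known, or at least stating the trade-off in the rule's `falsepositives` section, which lies outside this hunk. The new `condition` spells out each filter by hand; Sigma's wildcard form keeps it in sync as filters are added or removed: `condition: selection and not 1 of filter*`. The `filter1` list with a single entry could equally be written as a scalar, matching how `SourceImage|endswith` is written in filter2, filter3 and filter5.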