From 44db55c4fd598f1cb95cfcc68bb544c1cfd396f6 Mon Sep 17 00:00:00 2001
From: stbe <6388196+stbe@users.noreply.github.com>
Date: Thu, 9 Dec 2021 22:55:09 +0100
Subject: [PATCH] Refined definition of defender executable

---
 rules/windows/builtin/security/win_susp_lsass_dump_generic.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
index 5d930fdb3..d19456a86 100644
--- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml
@@ -63,7 +63,7 @@ detection:
 - C:\Windows\SysNative\
 - C:\Program Files\
 - C:\Windows\Temp\asgard2-agent\
- - C:\ProgramData\
+ - C:\ProgramData\Microsoft\Windows Defender\Platform\
 filter2:
 ProcessName|startswith:
 - 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions
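Review bot: The new `C:\ProgramData\Microsoft\Windows Defender\Platform\` entry has no inline rationale, while the sibling `filter2` entry in the same hunk documents why its broad `C:\Program Files` prefix is tolerated; a maintainer reading the rule later cannot tell why this one Defender subfolder is trusted where the rest of ProgramData is not. Suggest `- C:\ProgramData\Microsoft\Windows Defender\Platform\ # Defender engine lives in versioned subfolders here; parent ProgramData has user-writable paths and is too broad`. The list's filter key and the match modifier it uses start above the hunk, so it is not visible here whether the match is a prefix or exact comparison; if it is a prefix match, any process image below that directory (including future versioned subfolders) will be excluded, which is presumably the intent and worth stating in the comment.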