From 46559388e054e1aff3d7b3d8f41ebead2b690b21 Mon Sep 17 00:00:00 2001
From: secDre4mer <61268450+secDre4mer@users.noreply.github.com>
Date: Sat, 2 Mar 2024 02:28:29 +0100
Subject: [PATCH] Merge PR #4750 from @secDre4mer - Fix false positive with `Potential Credential Dumping Activity Via LSASS` rule

fix: Potential Credential Dumping Activity Via LSASS - remove legitimate access mask
---
 rules/windows/process_access/proc_access_win_lsass_memdump.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
index 20167f08d..86463e94b 100755
--- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
@@ -11,7 +11,7 @@ references:
 - https://research.splunk.com/endpoint/windows_possible_credential_dumping/
 author: Samir Bousseaden, Michael Haag
 date: 2019/04/03
-modified: 2023/12/13
+modified: 2024/03/02
 tags:
 - attack.credential_access
 - attack.t1003.001
@@ -23,7 +23,6 @@ detection:
 selection:
 TargetImage|endswith: '\lsass.exe'
 GrantedAccess|contains:
-- '0x1000'
 - '0x1038'
 - '0x1438'
 - '0x143a'
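Review bot: Removing `'0x1000'` from a `GrantedAccess|contains` list drops more than the single mask 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION), because `contains` is a substring match and any longer mask string that embeds `0x1000` (a constructed example would be `0x100000`) also stops matching; the tuning is therefore broader than "remove legitimate access mask" suggests, so confirm that no wanted combination is lost, and if single exact values are intended the plain `GrantedAccess:` list form would make that explicit. The rationale is only in the commit message, which future tuners of the rule will not see; a one-line YAML comment above the remaining entries would keep it with the rule, e.g. `# 0x1000 alone (PROCESS_QUERY_LIMITED_INFORMATION) carries no VM_READ right and is common legitimate access, so it is intentionally not listed`. The rule's `falsepositives` and `description` fields sit outside the hunk and may also deserve a matching update. Note the `GrantedAccess|contains` list may continue past the last line shown in this hunk.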