From 7ddc55160596e5b7ee46bd21e7362a7f0bdbc56f Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Tue, 8 Oct 2024 23:04:44 +0200
Subject: [PATCH] Merge PR #5040 from @ruppde - Update `Antivirus Password Dumper Detection`

update: Antivirus Password Dumper Detection
- Add `DCSync` string to cover MS Defender traffic detections

---
 rules/category/antivirus/av_password_dumper.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/category/antivirus/av_password_dumper.yml b/rules/category/antivirus/av_password_dumper.yml
index 3e8454bdc..0cfb9a8a2 100644
--- a/rules/category/antivirus/av_password_dumper.yml
+++ b/rules/category/antivirus/av_password_dumper.yml
@@ -8,7 +8,7 @@ references:
 - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
 author: Florian Roth (Nextron Systems)
 date: 2018-09-09
-modified: 2024-07-17
+modified: 2024-10-08
 tags:
 - attack.credential-access
 - attack.t1003
@@ -21,6 +21,7 @@ detection:
 selection:
 - Signature|startswith: 'PWS'
 - Signature|contains:
+ - 'DCSync'
 - 'DumpCreds'
 - 'DumpLsass'
 - 'HTool/WCE'
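Review bot: The new `'DCSync'` entry in the `Signature|contains` list is the only item in that list that does not name a credential-dumping tool family (the neighbours are `DumpCreds`, `DumpLsass`, `HTool/WCE`), and nothing in the rule records which AV signature name it is meant to match, so a future maintainer cannot tell whether the substring is still accurate or too broad. I would add an inline YAML comment on the added line, e.g. `- 'DCSync'  # Microsoft Defender signature names for DCSync replication abuse (see PR #5040)`, and consider adding the corresponding sub-technique tag `attack.t1003.006` next to the existing `attack.t1003` in the first hunk, since the other entries describe LSASS/credential dumping rather than directory replication. It would also help to add the Defender signature or a public reference to the `references` list in the first hunk, which currently cites only a VirusTotal sample.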