From 80a552d28de2b5dde86afb596239fce3041e06a4 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 6 Feb 2022 14:26:55 +0100
Subject: [PATCH] refactor: lsass dump filename IOC pattern
---
 rules/windows/file_event/file_event_lsass_dump.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_lsass_dump.yml b/rules/windows/file_event/file_event_lsass_dump.yml
index f8e747bbe..bd5639175 100644
--- a/rules/windows/file_event/file_event_lsass_dump.yml
+++ b/rules/windows/file_event/file_event_lsass_dump.yml
@@ -10,6 +10,7 @@ references:
 - https://www.google.com/search?q=procdump+lsass
 - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
 date: 2021/11/15
+modified: 2022/02/06
 tags:
 - attack.credential_access
 - attack.t1003.001
@@ -28,7 +29,11 @@ detection:
 - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
 - '\lsassdump'
 - '\lsassdmp'
- condition: selection1 or selection2
+ selection3:
+ TargetFilename|contains|all:
+ - '\lsass'
+ - '.dmp'
+ condition: 1 of selection*
 falsepositives:
 - Unknown
 level: high
\ No newline at end of file
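Review bot: selection3 in the second hunk (`TargetFilename|contains|all` on `\lsass` and `.dmp`) broadens the rule well beyond the named dump-tool patterns, yet the `falsepositives` entry directly below it still reads `- Unknown`. Because `contains|all` only requires both substrings to appear somewhere in the path, in any order, every benign file whose path carries `\lsass` and `.dmp` will now fire at `level: high`; I would expect at least Windows Error Reporting crash dumps of lsass.exe to hit this (the exact naming it uses is worth confirming), and such cases should be listed, e.g. `falsepositives:` / `    - Crash dumps of lsass.exe written by Windows Error Reporting`. The `\lsass_2`, `\lsassdump` and `\lsassdmp` entries in selection2 now overlap with selection3 whenever the name ends in `.dmp`, so a comment on selection3 such as `# catch-all for any lsass*.dmp name not covered by the tool-specific patterns above` would make the intended relationship between the selections clear. The detection block begins before the hunk, so selection1 and the start of selection2 are not visible here.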