security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: FPs with Aurora and THOR

Browse Source
This commit is contained in:
Florian Roth
2022-03-20 16:18:18 +01:00
parent 2f51f8e1d2
commit 811ed59e27
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_access/proc_access_win_lsass_memdump.yml
+2 -2
View File
@@ -4,7 +4,7 @@ status: experimental
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
author: Samir Bousseaden, Michael Haag
date: 2019/04/03
modified: 2022/02/05
modified: 2022/03/20
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -25,7 +25,7 @@ detection:
#- '0x01000' # Too many false positives
#- '0x1010' # Too many false positives
- '0x1038'
- '0x40'
# - '0x40' # Too many false positives
#- '0x1400' # Too many false positives
# - '0x1410' # Too many false positives
- '0x1438'