From 811ed59e27ff0b47a7bb5531eb74a3ca8dc59fcf Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 20 Mar 2022 16:18:18 +0100
Subject: [PATCH] fix: FPs with Aurora and THOR

---
 .../windows/process_access/proc_access_win_lsass_memdump.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
index 0f40dfaf8..a0363331b 100755
--- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
 author: Samir Bousseaden, Michael Haag
 date: 2019/04/03
-modified: 2022/02/05
+modified: 2022/03/20
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -25,7 +25,7 @@ detection:
 #- '0x01000' # Too many false positives
 #- '0x1010' # Too many false positives
 - '0x1038'
-- - '0x40'
+ # - '0x40' # Too many false positives
 #- '0x1400' # Too many false positives
 # - '0x1410' # Too many false positives
 - '0x1438'
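Review bot: The new line `# - '0x40' # Too many false positives` removes 0x40 from the access-mask list for every source process, while the commit title attributes the false positives to two specific products (Aurora and THOR); if these are Sysmon GrantedAccess values, a narrower fix is to keep '0x40' and exclude the known-benign SourceImage paths in a filter condition, which keeps coverage for any other process requesting that mask. The inline comment should also record what produced the false positives so the exclusion can be revisited later, e.g. `# - '0x40' # Too many false positives (Aurora, THOR)`. The commented-out entries in this hunk mix two styles (`#- '0x1400'` and `# - '0x1410'`); the new line follows the second form, so the others could be normalised to match in a follow-up. The list this hunk edits belongs to a detection selection whose start lies outside the hunk.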