From 8fc93d33407b784cd73fae37e77e08e6eaf4ba03 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 22 Nov 2021 15:05:56 +0100
Subject: [PATCH] refactor: generic lsass access filter

---
 .../windows/process_access/win_susp_proc_access_lsass.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml
index d7a531789..0c6128efa 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml
@@ -81,7 +81,13 @@ detection:
             - 'C:\Progra Files (x86)\'
         SourceImage|contains:
             - 'Antivirus'
-    condition: selection and not filter1 and not filter2 and not filter3 and not filter4 and not filter5 and not filter6
+    # Generic Filter for 0x1410 filter (caused by so many programs like DropBox updates etc.)
+    filter_generic:
+        SourceImage|startswith:
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+        GrantedAccess: '0x1410'
+    condition: selection and not filter1 and not filter2 and not filter3 and not filter4 and not filter5 and not filter6 and filter_generic
 fields:
     - User
     - SourceImage
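Review bot: The new condition line ANDs `filter_generic` instead of negating it, so after this change the rule only fires when SourceImage is under Program Files and GrantedAccess is exactly 0x1410, while every other lsass access that the selection was meant to catch is silently dropped — the inverse of what a filter block is for. The line should read `condition: selection and not filter1 and not filter2 and not filter3 and not filter4 and not filter5 and not filter6 and not filter_generic`. Once negated, note that the exclusion covers any binary beneath either Program Files directory requesting this access mask, which is a broader blind spot than the path-plus-name filters above it; that trade-off deserves to be stated in the comment rather than only the Dropbox example, e.g. `# Generic filter: any binary under Program Files requesting GrantedAccess 0x1410 (e.g. DropBox updater) is excluded; this is a deliberate false-positive trade-off`. The `detection:` block begins outside the hunk.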