From 93faca413e8d212eaa10c85b080fcaa4a0557283 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 15 Oct 2020 17:17:57 -0300
Subject: [PATCH] Update sysmon_lsass_memdump.yml
---
 rules/windows/process_access/sysmon_lsass_memdump.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 778afd9bc..ea72d46cc 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
@@ -19,9 +19,9 @@ detection:
 selection:
 TargetImage: 'C:\windows\system32\lsass.exe'
 GrantedAccess: '0x1fffff'
- CallTrace:
- - '*dbghelp.dll*'
- - '*dbgcore.dll*'
+ CallTrace|contains:
+ - 'dbghelp.dll'
+ - 'dbgcore.dll'
 condition: selection
 falsepositives:
 - unknown
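Review bot: `TargetImage` in the same selection is still pinned to the literal path `C:\windows\system32\lsass.exe`, so the rule presumably matches only when the system directory is on C:, while this change already moves `CallTrace` to a modifier. For consistency and coverage, consider `TargetImage|endswith: '\lsass.exe'` next to the new `CallTrace|contains:` list. The list form keeps the OR semantics of the old wildcard values, so matching for `dbghelp.dll` and `dbgcore.dll` should be unchanged. Since `condition: selection` applies no filter and `falsepositives` is only `unknown`, it would help to add a comment naming the legitimate debugging or crash-reporting tools seen during tuning. The head of the rule lies outside the hunk, so any notes already there are not visible.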