From a31acd6571cd262b2d57217cf38be2471fc7a8de Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 17 Nov 2018 09:10:26 +0100
Subject: [PATCH] fix: fixed procdump rule

---
 rules/windows/builtin/win_susp_procdump.yml | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/rules/windows/builtin/win_susp_procdump.yml b/rules/windows/builtin/win_susp_procdump.yml
index 88b29e1da..ab90cccb8 100644
--- a/rules/windows/builtin/win_susp_procdump.yml
+++ b/rules/windows/builtin/win_susp_procdump.yml
@@ -12,14 +12,7 @@ tags:
     - attack.credential_access
     - attack.t1003
 detection:
-    # Procdump on lsass.exe
-    selection1:
-        CommandLine:
-            - "* -ma *"
-    selection2:
-        CommandLine:
-            - '* lsass.exe*'
-    condition: selection1 and selection2
+    condition: selection and selection1 and selection2
 falsepositives:
     - Unlikely, because no one should dump an lsass process memory
     - Another tool that uses the command line switches of Procdump
@@ -33,6 +26,12 @@ logsource:
 detection:
     selection:
         EventID: 4688
+    selection1:
+        ProcessCommandLine:
+            - "* -ma *"
+    selection2:
+        ProcessCommandLine:
+            - '* lsass.exe*'
 ---
 # Sysmon
 logsource:
@@ -41,4 +40,10 @@ logsource:
 detection:
     selection:
         EventID: 1
+    selection1:
+        CommandLine:
+            - "* -ma *"
+    selection2:
+        CommandLine:
+            - '* lsass.exe*'
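Review bot: The new `ProcessCommandLine` selections in the Security-log document (the `EventID: 4688` hunk) only fire when command-line logging is part of process-creation auditing, because 4688 carries an empty command line on a default-configured host, so that branch of the rule will silently never match there while the Sysmon branch does. A comment above `selection1` such as `# needs process creation auditing with "Include command line in process creation events" enabled, otherwise ProcessCommandLine is empty` would stop operators from assuming Security-log coverage they do not have. Both added selections also pin the target to the literal `lsass.exe`; as far as I know procdump accepts a PID as the target as well, so a `procdump -ma <pid>` invocation would not be caught, and the `'* lsass.exe*'` pattern additionally requires a space immediately before the name, which a quoted argument would break. Those are limitations the rule inherits from the old global selections rather than ones introduced here, but they are worth recording in `falsepositives` or the description now that the selections are duplicated per logsource.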