From 5fa6f749f560cb76bc0f70e81d1bec210087316a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 4 Dec 2021 19:18:45 +0100
Subject: [PATCH] fix: FPs noticed with Aurora

---
 .../process_access/sysmon_cred_dump_lsass_access.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index c4936c79b..29c4cc6cb 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
 date: 2017/02/16
-modified: 2021/12/02
+modified: 2021/12/04
 references:
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -64,7 +64,10 @@ detection:
 SourceImage: 'C:\WINDOWS\system32\svchost.exe'
 GrantedAccess: '0x100000'
 filter7:
- SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
+ SourceImage:
+ - 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
+ - 'C:\Windows\syswow64\MsiExec.exe'
+ - 'C:\Windows\System32\msiexec.exe'
 GrantedAccess:
 - '0x1410'
 - '0x410'
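Review bot: The two msiexec.exe paths added under filter7 exclude the Windows Installer host from this LSASS-access rule for GrantedAccess 0x1410 and 0x410, and both masks include PROCESS_VM_READ (0x10); since MSI custom actions execute inside msiexec.exe, the exclusion also covers whatever installer package is being run, so this widens the rule's blind spot beyond the Aurora false positive it was meant to fix. The hunk records no reason why msiexec needs that access, so I would at least annotate the added entries, e.g. `- 'C:\Windows\syswow64\MsiExec.exe'  # FP observed with Aurora; MSI custom actions run in this process`, and confirm that the rule's falsepositives section (outside this hunk) mentions installers. If the Aurora samples carry a distinctive CallTrace value, anchoring the filter on that in addition to SourceImage would keep the exclusion narrower than the image path alone. Minor style point: the new paths use `C:\Windows` while the file's existing entries spell it `C:\WINDOWS`; matching is case-insensitive, but one consistent form reads better.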