From d5bfce1e366fc42bb7c61eb1793f7f10b32b13b3 Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Tue, 21 Dec 2021 10:23:23 +0100
Subject: [PATCH] Removed duplicate filter entries.
---
 .../win_susp_system_user_anomaly.yml | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_system_user_anomaly.yml b/rules/windows/process_creation/win_susp_system_user_anomaly.yml
index 4a429ff7d..630cb6612 100644
--- a/rules/windows/process_creation/win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/win_susp_system_user_anomaly.yml
@@ -84,15 +84,14 @@ detection:
 - 'dpapi::wwman' #Mimikatz
 - 'event::clear' #Mimikatz
 - 'event::drop' #Mimikatz
+ - 'id::modify' #Mimikatz
 - 'kerberos::ask' #Mimikatz
 - 'kerberos::clist' #Mimikatz
 - 'kerberos::golden' #Mimikatz
 - 'kerberos::hash' #Mimikatz
 - 'kerberos::list' #Mimikatz
- - 'sekurlsa::tickets' #Mimikatz
 - 'kerberos::ptc' #Mimikatz
 - 'kerberos::ptt' #Mimikatz
- - 'kerberos::ptt' #Mimikatz
 - 'kerberos::purge' #Mimikatz
 - 'kerberos::tgt' #Mimikatz
 - 'lsadump::backupkeys' #Mimikatz
@@ -119,7 +118,6 @@ detection:
 - 'misc::efs' #Mimikatz
 - 'misc::lock' #Mimikatz
 - 'misc::memssp' #Mimikatz
- - 'misc::memssp' #Mimikatz
 - 'misc::mflt' #Mimikatz
 - 'misc::ncroutemon' #Mimikatz
 - 'misc::ngcsign' #Mimikatz
@@ -176,19 +174,15 @@ detection:
 - 'sekurlsa::kerberos' #Mimikatz
 - 'sekurlsa::krbtgt' #Mimikatz
 - 'sekurlsa::livessp' #Mimikatz
- - 'sekurlsa::logonpasswords' #Mimikatz
 - 'sekurlsa::minidump' #Mimikatz
 - 'sekurlsa::msv' #Mimikatz
 - 'sekurlsa::process' #Mimikatz
- - 'sekurlsa::minidump' #Mimikatz
 - 'sekurlsa::pth' #Mimikatz
 - 'sekurlsa::ssp' #Mimikatz
 - 'sekurlsa::tickets' #Mimikatz
- - 'kerberos::list' #Mimikatz
 - 'sekurlsa::trust' #Mimikatz
 - 'sekurlsa::tspkg' #Mimikatz
 - 'sekurlsa::wdigest' #Mimikatz
- - 'rpc::server' #Mimikatz
 - 'service::me' #Mimikatz
 - 'service::preshutdown' #Mimikatz
 - 'service::remove' #Mimikatz
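Review bot: The added `+ - 'id::modify' #Mimikatz` line in the @@ -84 hunk relocates an entry that, as far as I know, names no Mimikatz module; Mimikatz has `sid::modify`, which already appears as context in the @@ -202 hunk where `id::modify` is removed from. It reads as a truncated duplicate of `sid::modify` rather than a distinct command, so for a "remove duplicates" commit the cleaner fix is to drop the line instead of moving it into alphabetical order. If the selection uses a contains-style modifier (not visible in this diff) the entry is merely redundant; with an exact match it can never fire. Worth confirming against the Mimikatz command list before merging.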
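Review bot: The removed `- - 'sekurlsa::logonpasswords' #Mimikatz` line at the top of the @@ -176 hunk sits in its correct alphabetical slot between `sekurlsa::livessp` and `sekurlsa::minidump`, unlike the other removals in that hunk, and no surviving copy of it is visible anywhere in the diff; if the file does not list it elsewhere, the commit drops coverage of one of the most commonly seen credential-dumping commands under the label of de-duplication. The same check applies to `- - 'sid::add' #Mimikatz` removed in the @@ -202 hunk, whose surviving copy would have to sit above that hunk's first context line `sid::lookup`. Suggest confirming both with a count of occurrences in the patched file and keeping each entry whose count is zero.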
@@ -202,8 +196,6 @@ detection:
 - 'sid::lookup' #Mimikatz
 - 'sid::modify' #Mimikatz
 - 'sid::patch' #Mimikatz
- - 'id::modify' #Mimikatz
- - 'sid::add' #Mimikatz
 - 'sid::query' #Mimikatz
 - 'standard::answer' #Mimikatz
 - 'standard::base64' #Mimikatz
@@ -227,7 +219,7 @@ detection:
 - 'ts::remote' #Mimikatz
 - 'ts::sessions' #Mimikatz
 - 'vault::cred' #Mimikatz
- - 'vault::list'
+ - 'vault::list' #Mimikatz
 - ' p::d ' # Mimikatz
 - ';iex(' # PowerShell IEX
 - 'MiniDump' # Process dumping method apart from procdump