From d90ddc097e0bc63f983f4e96c39f7cf5b2f5dbe6 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 1 Dec 2021 18:36:38 +0000
Subject: [PATCH] adding additional filter for lsass: ShareName=\\*\IPC$ | ShareLocalPath= | RelativeTargetName=lsass | AccessMask=0x2019f
---
 rules/windows/builtin/win_lm_namedpipe.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml
index fb29d1d8e..573eada64 100644
--- a/rules/windows/builtin/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/win_lm_namedpipe.yml
@@ -20,6 +20,7 @@ detection:
 - 'atsvc'
 - 'samr'
 - 'lsarpc'
+ - 'lsass'
 - 'winreg'
 - 'netlogon'
 - 'srvsvc'
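Review bot: The added `- 'lsass'` entry matches on the pipe name alone, while the commit subject describes a much narrower event (ShareName `\\*\IPC$`, empty ShareLocalPath, AccessMask=0x2019f). If this list is the rule's exclusion filter, as the subject suggests, every remote open of the `lsass` pipe is now dropped from the detection regardless of access mask or source host. I would record the observation next to the entry, for example `# lsass: observed over \\*\IPC$ with AccessMask 0x2019f; excluded by pipe name only`, and confirm that another rule still covers remote access to this pipe. The selection this list belongs to and the rule's condition lie outside the hunk, so the exact effect on matching is inferred.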