From dec9e6887696e8c38ce0d1fcf7bed768f25bbdb3 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 21 May 2021 12:38:44 +0200 Subject: [PATCH] Fix falsepositives list --- rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml index 6a3c2d1f1..578d232f6 100755 --- a/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml +++ b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml @@ -3,6 +3,7 @@ id: a49fa4d5-11db-418c-8473-1e014a8dd462 description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. status: experimental date: 2020/10/20 +modified: 2021/05/21 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access @@ -20,5 +21,5 @@ detection: CallTrace|contains: 'comsvcs.dll' condition: selection falsepositives: - - Unknown + - Unknown level: critical
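Review bot: the `modified: 2021/05/21` line in the first hunk uses the same YYYY/MM/DD form as the existing `date: 2020/10/20` field and sits directly after it, so the rule metadata stays consistent; nothing to change here.

Review bot: the removed `- Unknown` and the added `- Unknown` in the second hunk are identical as rendered, so the only possible difference is whitespace (indentation of the list item under `falsepositives:`, or a trailing space or tab), which makes the fix invisible to a reviewer. Please say in the commit message what was actually wrong ("Fix falsepositives list" does not name the defect) and confirm that `- Unknown` now uses the same indentation as the `- attack.credential_access` item under `tags:`, so that the rule passes the repository's YAML style checks and the `falsepositives` value is read as a list.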