From 2e8717d603ce7727240bbcec4d9f36285263052e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 10:39:56 +0200 Subject: [PATCH 1/2] fix: taskhostw FPs with lsass access --- rules/windows/builtin/security/win_susp_lsass_dump_generic.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index 824d0f1ec..b462d8e29 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml @@ -70,6 +70,9 @@ detection: ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions filter3: ProcessName: 'C:\Windows\CCM\CcmExec.exe' + filter4: + ProcessName: 'C:\Windows\System32\taskhostw.exe' + AccessMask: '0x10' condition: 1 of selection_* and not 1 of filter* fields: - ComputerName From 34957a784b16dd1ab3be976c3bcd0ff344c9d966 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 10:42:19 +0200 Subject: [PATCH 2/2] fix: modified date update --- rules/windows/builtin/security/win_susp_lsass_dump_generic.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index b462d8e29..0942e28b4 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml 
@@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2022/04/29 +modified: 2022/09/18 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
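Review bot: the new `filter4` block in the first hunk has no explanatory comment, whereas the neighbouring filter carries `# too many false positives with legitimate AV and EDR solutions`; add a one-line comment stating which legitimate taskhostw.exe behaviour opens lsass with `AccessMask: '0x10'` (PROCESS_VM_READ), so a future maintainer can judge whether the exclusion is still warranted. Because 0x10 is also the access right most credential-dumping tooling requests, the safety of this exclusion rests entirely on the full-path `ProcessName` match, which is worth saying explicitly in that comment; the commit message mentions the FPs but not their origin.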
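Review bot: the `modified: 2022/09/18` bump in the second hunk belongs in the same commit as the `filter4` change it documents (PATCH 1/2 left the date at 2022/04/29); squash the two commits so the rule never exists in history with a changed detection and a stale modified date. The date format matches the existing `YYYY/MM/DD` convention used on the `date:` line, so no further change is needed there.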