Update sysmon_lazagne_cred_dump_lsass_access.yml

rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml

@@ -16,7 +16,11 @@ logsource:
 detection:
     selection: 
         TargetImage|endswith: '\lsass.exe'
-        CallTrace: "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*_ctypes.pyd+*python27.dll+*"
+        CallTrace|contains|all: 
+            - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
+            - '|C:\\Windows\\System32\\KERNELBASE.dll+'
+            - '_ctypes.pyd+'
+            - 'python27.dll+'
         GrantedAccess: "0x1FFFFF"
     condition: selection
 level: critical