From ebd9973dcbcb15f3ce65f3b6ddc97d785be2a2df Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Fri, 20 Nov 2020 01:32:41 -0300
Subject: [PATCH] Update sysmon_lazagne_cred_dump_lsass_access.yml

---
 .../sysmon_lazagne_cred_dump_lsass_access.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
index 34b5bf6aa..445496fe0 100644
--- a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
@@ -16,7 +16,11 @@ logsource:
 detection:
     selection:
         TargetImage|endswith: '\lsass.exe'
-        CallTrace: "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*_ctypes.pyd+*python27.dll+*"
+        CallTrace|contains|all:
+            - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
+            - '|C:\\Windows\\System32\\KERNELBASE.dll+'
+            - '_ctypes.pyd+'
+            - 'python27.dll+'
         GrantedAccess: "0x1FFFFF"
     condition: selection
 level: critical
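Review bot: The new `CallTrace|contains|all` list drops the frame-order constraint that the removed single wildcard pattern carried — the four fragments now only need to appear somewhere in CallTrace, in any order, so the selection is somewhat broader than before; this looks intentional (it is the portable Sigma form for multi-fragment matching), but it is worth a one-line comment above the list such as `# order-independent match; original pattern required ntdll -> KERNELBASE -> _ctypes -> python27 frame order`. The rule also stays pinned to `python27.dll`, so a LaZagne build running on a Python 3 runtime would not match; if that is a deliberate scope choice it should be recorded in the rule's description or a comment rather than left implicit. Escaping within the same selection is inconsistent: `'\lsass.exe'` uses a single backslash while the added items use `'\\'`; Sigma treats both as a literal backslash, but one convention per file reads better and avoids the question of whether the doubled form was meant for YAML double-quote processing, which single-quoted scalars do not perform.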