Update credential_access_suspicious_lsass_access_memdump.toml (#1714)

Jonhnathan
2022-01-27 09:28:16 -03:00
committed by GitHub
parent 4ac824192f
commit 1699f50beb
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/07"
maturity = "production"
updated_date = "2021/10/07"
updated_date = "2022/01/24"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ process where event.code == "10" and
winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
/* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/
winlog.event_data.CallTrace : ("*dbhelp*", "*dbgcore*") and
winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and
/* case of lsass crashing */
not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe")
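Review bot: The exclusion on the last line of the hunk drops every lsass access by `?:\Windows\System32\WerFault.exe`, so a dump an attacker deliberately provokes through Windows Error Reporting (configuring SilentProcessExit for lsass.exe is a documented way to do this) is suppressed even though the corrected `*dbghelp*` CallTrace match would otherwise fire. The comment above it only mentions the crash case; I would make the blind spot explicit, e.g. `/* case of lsass crashing; WER-initiated dumps (SilentProcessExit) are excluded too - cover with a registry rule */`, so whoever tunes this rule knows the gap is intentional rather than re-adding WerFault coverage by hand. The path-only exclusion is otherwise reasonable here, since an actor able to drop a binary into System32 already holds the privilege needed to open lsass. The EQL query begins at the `process where event.code == "10"` line shown in the hunk header and appears to continue past the end of the hunk, so I cannot see whether later clauses narrow this further.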