From 1699f50beb2c0da844ffd6fb7150601609188bd7 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 27 Jan 2022 09:28:16 -0300
Subject: [PATCH] Update credential_access_suspicious_lsass_access_memdump.toml (#1714)

---
 .../credential_access_suspicious_lsass_access_memdump.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index f403e2ad6..e3177d515 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/07"
 maturity = "production"
-updated_date = "2021/10/07"
+updated_date = "2022/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ process where event.code == "10" and
   winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and
 
   /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/
-  winlog.event_data.CallTrace : ("*dbhelp*", "*dbgcore*") and
+  winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and
 
   /* case of lsass crashing */
   not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe")
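Review bot: The corrected `*dbghelp*` pattern on the new CallTrace line will match call traces that the old `*dbhelp*` typo could never have matched, so the rule's alert volume is likely to change once deployed; the metadata hunk only bumps `updated_date`, and a short note in the rule's description or changelog saying that the first wildcard was previously non-functional would help analysts who tuned against the old behaviour. The comment on the context line just above the changed line is missing a space before its closing delimiter and could read `/* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp */`. The EQL query (`process where event.code == "10" and ...`) begins before this hunk and its remaining clauses continue outside it, so whether any other clause depends on the same DLL names is not visible here.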