Samirbous
521e4dc8f1
* [New Rule] Potential Lsass Memory Dump via MirrorDump * added tactic * switched to kql * added sysmon process access non ecs types * Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * rule.name as suggested by Justin and converted to EQL to add comments * Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
