Commit

Merge PR SigmaHQ#4750 from @secDre4mer - Fix false positive with `Potential Credential Dumping Activity Via LSASS` rule

fix: Potential Credential Dumping Activity Via LSASS - remove legitimate access mask
secDre4mer authored Mar 2, 2024
1 parent 0108cdc commit 4655938
Showing 1 changed file with 1 addition and 2 deletions.
Expand Up @@ -11,7 +11,7 @@ references:
- https://research.splunk.com/endpoint/windows_possible_credential_dumping/
author: Samir Bousseaden, Michael Haag
date: 2019/04/03
modified: 2023/12/13
modified: 2024/03/02
tags:
- attack.credential_access
- attack.t1003.001
Expand All @@ -23,7 +23,6 @@ detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x1000'
- '0x1038'
- '0x1438'
- '0x143a'
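Review bot: Dropping `'0x1000'` from the `GrantedAccess|contains` list removes more than that one mask, because `contains` is a substring match: any granted-access string that merely includes `0x1000` (for example `0x100000`) also stops matching unless another list entry still covers it. 0x1000 on its own is PROCESS_QUERY_LIMITED_INFORMATION, which does not permit reading LSASS memory, so removing it fits the false-positive fix, but please confirm the wider coverage loss is intended. It would also help to record why the value was removed, either as a YAML comment above the list or as an entry under `falsepositives`, so it is not re-added later.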
