Detection : dump lsass via procdump
detections/endpoint/dump_lsass_via_procdump.yml
Describe the bug
I believe the detection logic here needs to be included in quotes for all parameters. Some of the detection parameters are, but others aren't.
Processes.process IN (-ma, -mm, "-mp", /ma, /mm, "/mp")
Processes.process IN (* ls*, "* keyiso*", "* samss*")
Expected behavior
I believe this might be a better and more consistent approach. Once I changed the detection logic to include all quotes, my issue was resolved (specifically "* ls*", but I still felt all of them needed to be in quotes). New:
Processes.process IN ("-ma", "-mm", "-mp", "/ma", "/mm", "/mp")
Processes.process IN ("* ls*", "* keyiso*", "* samss*")
App Version:
- ESCU: [e.g. 3.51.0]
Additional context
Test to verify, but I believe this should resolve potential false positives
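To make the behaviour of the two quoted IN() lists concrete, the following Python block is an added emulation of the detection over a handful of constructed Endpoint.Processes events; it is not part of the reporter's issue nor of the ESCU content itself. It treats each quoted value as an SPL-style wildcard pattern ("*" matches any run of characters, matching is case-insensitive). Two things are assumptions of the emulation rather than facts from the page: the `process_procdump` macro is taken to expand to the process names procdump.exe and procdump64.exe, and because the switch values carry no wildcard they are compared against each whitespace-separated argument of the command line rather than against the whole field. The events include a PID-based procdump invocation, which the name patterns do not cover, so the example also shows a gap a practitioner should be aware of.

```python
import re

# Values from the corrected IN() lists; the quotes keep the spaces and "*".
DUMP_SWITCHES = ["-ma", "-mm", "-mp", "/ma", "/mm", "/mp"]
TARGET_PATTERNS = ["* ls*", "* keyiso*", "* samss*"]
# Assumed expansion of the `process_procdump` macro (not taken from the page).
PROCDUMP_NAMES = ["procdump.exe", "procdump64.exe"]


def spl_wildcard(pattern: str) -> re.Pattern:
    """Compile one SPL value into an anchored, case-insensitive regex.
    '*' matches any run of characters; everything else is literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def field_in(value: str, values) -> bool:
    """Emulate `field IN (v1, v2, ...)`: true when any listed value matches."""
    return any(spl_wildcard(v).match(value) for v in values)


def is_lsass_dump(event: dict) -> bool:
    """Apply the detection's three conditions to one Endpoint.Processes event."""
    if not field_in(event.get("process_name", ""), PROCDUMP_NAMES):
        return False
    # Assumption: the switch values have no wildcard, so they are tested per
    # argument instead of against the whole command line.
    args = event.get("process", "").split()
    if not any(field_in(arg, DUMP_SWITCHES) for arg in args):
        return False
    # The leading space inside "* ls*" requires the target name to begin an
    # argument, so " lsass.exe" matches while "tools.exe" does not.
    return field_in(event.get("process", ""), TARGET_PATTERNS)


def run_detection(events):
    """Return the command lines the emulated detection would report."""
    return [e["process"] for e in events if is_lsass_dump(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # full dump of lsass by name: should alert
    {"process_name": "procdump64.exe",
     "process": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    # mini dump of an unrelated process: no target pattern matches
    {"process_name": "procdump.exe",
     "process": "procdump.exe -accepteula -mm 4321 notepad.dmp"},
    # "ls" inside a word, not after a space: the leading space in "* ls*" excludes it
    {"process_name": "procdump.exe",
     "process": "procdump.exe -accepteula -ma tools.exe"},
    # lsass dumped by PID: the name-based patterns do not see it (detection gap)
    {"process_name": "procdump.exe",
     "process": "procdump.exe -accepteula -ma 652 C:\\temp\\out.dmp"},
    # a different dump technique, outside this detection's scope
    {"process_name": "rundll32.exe",
     "process": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 652 lsass.dmp full"},
    # slash-style switch and upper case: still matches case-insensitively
    {"process_name": "PROCDUMP.EXE",
     "process": "PROCDUMP.EXE /accepteula /MA LSASS.EXE"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block reports the first and last sample events only. The PID-based invocation slipping through is inherent to matching on the target name string; covering it needs a different signal (for example the PID of lsass.exe resolved at search time), which is outside what this issue proposes.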