Merge pull request #1568 from frack113/lsass_endswith

Update rule lsass.exe to endswith

rules/windows/builtin/win_susp_lsass_dump.yml

@@ -3,6 +3,7 @@ id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
 description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
 status: experimental
 date: 2017/02/12
+modified: 2021/06/21
 references:
     - https://twitter.com/jackcr/status/807385668833968128
 tags:
@@ -15,7 +16,7 @@ logsource:
 detection:
     selection:
         EventID: 4656
-        ProcessName: 'C:\Windows\System32\lsass.exe'
+        ProcessName|endswith: '\lsass.exe'
         AccessMask: '0x705'
         ObjectType: 'SAM_DOMAIN'
     condition: selection

rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml

@@ -6,13 +6,13 @@ references:
 status: stable
 author: Thomas Patzke
 date: 2017/02/19
-modified: 2021/04/01
+modified: 2021/06/21
 logsource:
     product: windows
     category: create_remote_thread
 detection:
     selection:
-        TargetImage: 'C:\Windows\System32\lsass.exe'
+        TargetImage|endswith: '\lsass.exe'
         StartModule: ''
     condition: selection
 tags:

rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml

@@ -13,13 +13,13 @@ tags:
     - car.2019-04-004
 author: Sherif Eldeeb
 date: 2017/10/18
+modified: 2021/06/21
 logsource:
     product: windows
-    service: sysmon
+    category: process_access
 detection:
     selection:
-        EventID: 10
-        TargetImage: 'C:\windows\system32\lsass.exe'
+        TargetImage|endswith: '\lsass.exe'
         GrantedAccess:
             - '0x1410'
             - '0x1010'

rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml

@@ -3,7 +3,7 @@ id: a49fa4d5-11db-418c-8473-1e014a8dd462
 description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
 status: experimental
 date: 2020/10/20
-modified: 2021/05/21
+modified: 2021/06/21
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.credential_access
@@ -16,7 +16,7 @@ logsource:
     product: windows
 detection:
     selection:
-        TargetImage: 'C:\windows\system32\lsass.exe'
+        TargetImage|endswith: '\lsass.exe'
         SourceImage: 'C:\Windows\System32\rundll32.exe'
         CallTrace|contains: 'comsvcs.dll'
     condition: selection

rules/windows/process_access/sysmon_lsass_memdump.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
 author: Samir Bousseaden
 date: 2019/04/03
-modified: 2020/08/24
+modified: 2021/06/21
 references:
     - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
 tags:
@@ -17,7 +17,7 @@ logsource:
     product: windows
 detection:
     selection:
-        TargetImage: 'C:\windows\system32\lsass.exe'
+        TargetImage|endswith: '\lsass.exe'
         GrantedAccess: '0x1fffff'
         CallTrace|contains:
          - 'dbghelp.dll'

rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml

@@ -6,13 +6,13 @@ references:
 status: stable
 author: Patryk Prauze - ING Tech
 date: 2019/05/20
-modified: 2020/08/24
+modified: 2021/06/21
 logsource:
     category: process_access
     product: windows
 detection:
     selection:
-        TargetImage: 'C:\windows\system32\lsass.exe'
+        TargetImage|endswith: '\lsass.exe'
         SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
     condition: selection
 tags: