Update credential_access_lsass_openprocess_api.toml

Samirbous · web-flow · commit 619c1744f861 · 2025-12-12T09:50:27.000Z
diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -32,7 +32,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 
 [rule]
 author = ["Elastic"]
-description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n"
+description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory."
 from = "now-30m"
 interval = "15m"
 language = "esql"
@@ -129,8 +129,7 @@ from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _versi
    not to_lower(process.executable) like """c:\\program files\\*.exe""" and
    not to_lower(process.executable) like """c:\\program files (x86)\\*.exe""" and
    not process.executable like """C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe""" and
-   not process.executable like """C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe""" and
-   not process.executable like """C:\\Program Files\\*.exe""" and not process.executable like """C:\\Program Files (x86)\\*.exe"""
+   not process.executable like """C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe"""
 
  /* normalize process paths to reduce known random patterns in process.executable */
 | eval Esql.process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
