fix(rules): Use iin operator in LSASS memory dump via Windows Error Reporting

rabbitstack · rabbitstack · commit 002645359a0e · 2025-01-12T09:07:09.000+01:00
In some occasions, the process name is reported
in lower-case, avoiding the rule to match. In the
same line, to improve the resilience, the create_file
macro is used in the second condition to match when
the WER process creates the memory dump.
diff --git a/rules/credential_access_lsass_memory_dump_via_wer.yml b/rules/credential_access_lsass_memory_dump_via_wer.yml
@@ -1,6 +1,6 @@
 name: LSASS memory dump via Windows Error Reporting
 id: 7b4a74e2-c7a7-4c1f-b2ce-0e0273c3add7
-version: 1.0.1
+version: 1.0.2
 description: |
   Adversaries may abuse Windows Error Reporting service to dump LSASS memory.
   The ALPC protocol can send a message to report an exception on LSASS and
@@ -21,7 +21,7 @@ references:
 condition: >
   sequence
   maxspan 2m
-    |spawn_process and ps.child.name in ('WerFault.exe', 'WerFaultSecure.exe')| by ps.child.uuid
-    |write_minidump_file and file.path icontains 'lsass'| by ps.uuid
+    |spawn_process and ps.child.name iin ('WerFault.exe', 'WerFaultSecure.exe')| by ps.child.uuid
+    |create_file and file.path icontains 'lsass'| by ps.uuid
 
 min-engine-version: 2.4.0
