From 1a425817e51e2ac06bf9c527d3cb92398c775080 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 28 Nov 2024 21:39:03 +0100
Subject: [PATCH] chore(rules): Consider DUP_HANDLE access right

Certain tools tend to duplicate the lsass process token and then initiate the minidump creation.

---
 rules/credential_access_lsass_memory_dumping.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/credential_access_lsass_memory_dumping.yml b/rules/credential_access_lsass_memory_dumping.yml
index c11785da9..e811dd2a2 100644
--- a/rules/credential_access_lsass_memory_dumping.yml
+++ b/rules/credential_access_lsass_memory_dumping.yml
@@ -23,7 +23,7 @@ condition: >
 sequence maxspan 2m by ps.uuid
-|open_process and ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ')
+|open_process and ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE')
 and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and