Summary of the Pull Request
Add new patterns for RustiveDump and NativeDump to an old rule (and a bug fix in the nanodump pattern selection).
Changelog
update: LSASS Process Memory Dump Files - add new dump patterns for RustiveDump and NativeDump, and exchange the "startswith" modifier for "contains" for better coverage
Example Log Event
Fixed Issues
I exchanged the "startswith" modifier with the "contains" modifier, because the "TargetFileName" field usually contains the full path and not just the filename. Therefore "startswith: nanodump" would always be wrong.
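To show why the modifier swap matters, here is a small added example (not the SigmaHQ rule or any project code) that applies Sigma-style string matching to constructed Sysmon FileCreate events. It assumes the file_event field is `TargetFilename`, uses only the `nanodump` pattern named above (the rule's other patterns are not reproduced), and follows Sigma's default case-insensitive comparison.

```python
"""Old vs. new selection for the LSASS dump-file rule, as an added example.

`TargetFilename|startswith: nanodump` can never match because the field holds
the full path; `TargetFilename|contains: nanodump` does.  The events below are
constructed, and the pattern list is limited to the one named in the PR.
"""
from typing import Dict, Iterable, Optional


def sigma_string_match(value: str, pattern: str, modifier: Optional[str]) -> bool:
    """Sigma string matching: case-insensitive by default (no |cased here)."""
    v, p = value.lower(), pattern.lower()
    if modifier is None:
        return v == p
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Dict[str, object], field: str,
                      patterns: Iterable[str], modifier: str) -> bool:
    """A list of values under one Sigma field is an OR over the values."""
    value = event.get(field)
    if not isinstance(value, str):
        return False
    return any(sigma_string_match(value, pat, modifier) for pat in patterns)


# Constructed Sysmon Event ID 11 (FileCreate) events; TargetFilename is a full path.
EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Windows\Temp\nanodump.dmp"},
    {"EventID": 11, "TargetFilename": r"C:\Users\Public\NanoDump.dmp"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\Temp\report.txt"},
]

PATTERNS = ["nanodump"]  # assumed single pattern, taken from the PR text


def count_hits(modifier: str) -> int:
    """How many constructed events the selection catches with the given modifier."""
    return sum(selection_matches(e, "TargetFilename", PATTERNS, modifier) for e in EVENTS)


if __name__ == "__main__":
    print("startswith hits:", count_hits("startswith"))  # 0: a full path never begins with the name
    print("contains hits:  ", count_hits("contains"))    # 2
```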
SigmaHQ Rule Creation Conventions
If your PR adds new rules, please consider following and applying these conventions