From 166e451cf65054d5cb8aa5e6cba22915b98866a1 Mon Sep 17 00:00:00 2001
From: keyboardcrunch
Date: Wed, 17 Mar 2021 20:09:19 -0500
Subject: [PATCH] Removed LSASSMemoryAccessed due to HIGH FP
---
 queries/windows/os_credential_dumping.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/queries/windows/os_credential_dumping.yml b/queries/windows/os_credential_dumping.yml
index dc41220..68a5665 100644
--- a/queries/windows/os_credential_dumping.yml
+++ b/queries/windows/os_credential_dumping.yml
@@ -8,7 +8,7 @@ mitre:
 technique: T1003
 subtechnique: null
 operating_system: linux
-query: RegistryKeyPath ContainsCIS "\Services\NPPSpy" OR IndicatorName In ( "Mimikatz", "CredsReadFromLsass", "LSASSMemoryAccessed", "DumpSAM", "PasswordSniffingViaNetworkProvider" )
+query: RegistryKeyPath ContainsCIS "\Services\NPPSpy" OR IndicatorName In ( "Mimikatz", "CredsReadFromLsass", "DumpSAM", "PasswordSniffingViaNetworkProvider" )
 false_positives: null
 tags: null
 references:
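Review bot: The context line `operating_system: linux` just above the changed `query` contradicts the rule itself, which matches only Windows artifacts (`RegistryKeyPath`, `\Services\NPPSpy`, LSASS and SAM indicators) and lives under queries/windows/, so any platform-based filtering of rules would silently drop it; it should read `operating_system: windows`. The reason for removing `LSASSMemoryAccessed` (a high false-positive rate, per the subject) is recorded nowhere in the rule: `false_positives: null` is left untouched, so a later maintainer cannot tell whether the indicator was excluded deliberately or omitted by mistake; consider `false_positives: 'LSASSMemoryAccessed indicator omitted because of its high false-positive rate'` or similar. Dropping the indicator also removes the rule's only direct LSASS-memory-access signal, leaving that coverage to `CredsReadFromLsass` and `Mimikatz`; if the noise came from a small set of legitimate processes, an exclusion for those would preserve the detection, though the source of the false positives is not visible here.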