fixed

fixed

Server/rules/py/attck/action.py

@@ -6,13 +6,6 @@ rule = [
         'attck_hit':['T1562.001'],
         'name': 'Impair Defenses: Disable or Modify Tools'
     },
-    {
-        'rules': [
-            'action == "processaccess" and targetimage =~ ".*lsass.exe"',
-        ],
-        'attck_hit':['T1003'],
-        'name': 'OS Credential Dumping: LSASS Memory'
-    },
     {
         'rules': [
             'action == "processaccess" and calltrace =~ ".*unknown.*" and not calltrace =~ ".*conpty\.node.*" and not calltrace =~ ".*java\.dll.*" and not calltrace =~ ".*appvisvsubsystems64\.dll.*" and not calltrace =~ ".*twinui\.dll.*" and not calltrace =~ ".*nativeimages.*" and not targetimage == "c:\\windows\\system32\\cmd.exe"',

Server/rules/py/ioa/action.py

@@ -1,4 +1,12 @@
 rule = [
+    {
+        'rules': [
+            'action == "processaccess" and targetimage =~ ".*lsass.exe"',
+        ],
+        'attck_hit':['T1003'],
+        'score': 100,
+        'name': 'OS Credential Dumping: LSASS Memory'
+    },
     {
         'rules': [
             'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',