Potential Credential Dumping Attempt Via PowerShell Remote Thread
Detects remote thread creation by PowerShell processes into "lsass.exe"
Sigma rule
title: Potential Credential Dumping Attempt Via PowerShell Remote Thread
id: fb656378-f909-47c1-8747-278bf09f4f4f
related:
    - id: 3f07b9d1-2082-4c56-9277-613a621983cc
      type: obsolete
    - id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
      type: similar
status: test
description: Detects remote thread creation by PowerShell processes into "lsass.exe"
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2022-12-18
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetImage|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
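As an added example (not part of the Sigma project or this rule page), the selection above applied to constructed Sysmon Event ID 8 (CreateRemoteThread) records: it shows the AND semantics of the two selection fields, the case-insensitive matching of Sigma's `endswith` modifier, and why the leading backslash in the patterns keeps a differently named binary such as `notpowershell.exe` from matching.

```python
"""Evaluate this rule's 'selection' against Sysmon Event ID 8 records.
Added example, not Sigma project code; sample events are constructed."""

# Values copied from the rule's detection block.
SOURCE_IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
TARGET_IMAGE_SUFFIX = "\\lsass.exe"


def _endswith(value: str, suffixes) -> bool:
    """Sigma's |endswith modifier: case-insensitive suffix match."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'condition: selection'.

    Both keys of the selection map must match (AND semantics);
    an event missing either field never matches."""
    source = event.get("SourceImage", "")
    target = event.get("TargetImage", "")
    return (_endswith(source, SOURCE_IMAGE_SUFFIXES)
            and _endswith(target, (TARGET_IMAGE_SUFFIX,)))


# Constructed Sysmon Event ID 8 records (only the fields the rule reads).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},       # alerts
    {"SourceImage": r"C:\Program Files\PowerShell\7\PWSH.EXE",
     "TargetImage": r"C:\WINDOWS\SYSTEM32\LSASS.EXE"},       # case differs, still alerts
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},     # wrong target, no alert
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},       # non-PowerShell source, no alert
    {"SourceImage": r"C:\Tools\notpowershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},       # '\' anchors the basename, no alert
]


def alerts(events) -> list:
    """Return the indexes of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in alerts(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['SourceImage']} -> {e['TargetImage']}")
```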
Related rules
- APT31 Judgement Panda Activity
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security