PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
Sigma rule (View on GitHub)
1title: PowerShell Get-Process LSASS in ScriptBlock
2id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
3status: test
4description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
5references:
6 - https://twitter.com/PythonResponder/status/1385064506049630211
7author: Florian Roth (Nextron Systems)
8date: 2021/04/23
9modified: 2022/12/25
10tags:
11 - attack.credential_access
12 - attack.t1003.001
13logsource:
14 product: windows
15 category: ps_script
16 definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18 selection:
19 ScriptBlockText|contains: 'Get-Process lsass'
20 condition: selection
21falsepositives:
22 - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
23level: high
References
Related rules
- Mimikatz Use
- Windows Credential Editor Registry
- Mimikatz Command Line With Ticket Export
- Transferring Files with Credential Data via Network Shares - Zeek
- Abnormal LSASS Child and Parent Process Relationships