Remote LSASS Process Access Through Windows Remote Management

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Sigma rule

title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
    filter_main_access:
        GrantedAccess: '0x80000000'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
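As an added example that is not part of the rule or the Sigma project, the following Python evaluates this rule's selection, filter and condition over constructed Sysmon Event ID 10 (ProcessAccess) records, using the field names the process_access log source maps to; it also shows that Sigma string matching is case-insensitive, so a differently cased image path still matches.

```python
# Added example: evaluate the Sigma rule above against constructed
# process_access events. Field names follow Sysmon Event ID 10; the
# sample events are constructed, not real telemetry.

# Sigma string modifiers (endswith, plain equality) match case-insensitively,
# so both sides are lower-cased before comparison. Backslashes are literal.
SELECTION = {
    "TargetImage": "\\lsass.exe",
    "SourceImage": ":\\Windows\\system32\\wsmprovhost.exe",
}
# filter_main_access: the one GrantedAccess value the rule excludes.
FILTER_GRANTED_ACCESS = "0x80000000"


def _endswith(value, suffix):
    return str(value).lower().endswith(suffix.lower())


def matches_rule(event):
    """Return True when `selection and not 1 of filter_main_*` holds."""
    selection = all(
        _endswith(event.get(field, ""), suffix)
        for field, suffix in SELECTION.items()
    )
    if not selection:
        return False
    # Sysmon logs GrantedAccess as a hex string such as "0x1010";
    # the rule compares it as a string, case-insensitively.
    filtered = str(event.get("GrantedAccess", "")).lower() == FILTER_GRANTED_ACCESS
    return not filtered


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # wsmprovhost.exe opening lsass.exe with 0x1010, which includes
    # PROCESS_VM_READ (0x0010): expected to alert.
    {"SourceImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    # Same images but the filtered access mask: expected to be suppressed.
    {"SourceImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x80000000"},
    # Different source image: selection does not match.
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
]


def alerts(events=SAMPLE_EVENTS):
    """Return the events that would raise this rule."""
    return [e for e in events if matches_rule(e)]
```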
