Remote LSASS Process Access Through Windows Remote Management

calendar Dec 4, 2023 · attack.credential_access attack.execution attack.t1003.001 attack.t1059.001 attack.lateral_movement attack.t1021.006 attack.s0002  ·
Share on: linkedin copy

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Sigma rule (View on GitHub)

 1title: Remote LSASS Process Access Through Windows Remote Management
 2id: aa35a627-33fb-4d04-a165-d33b4afca3e8
 3status: stable
 4description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
 5references:
 6    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
 7author: Patryk Prauze - ING Tech
 8date: 2019/05/20
 9modified: 2023/11/29
10tags:
11    - attack.credential_access
12    - attack.execution
13    - attack.t1003.001
14    - attack.t1059.001
15    - attack.lateral_movement
16    - attack.t1021.006
17    - attack.s0002
18logsource:
19    category: process_access
20    product: windows
21detection:
22    selection:
23        TargetImage|endswith: '\lsass.exe'
24        SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
25    filter_main_access:
26        GrantedAccess: '0x80000000'
27    condition: selection and not 1 of filter_main_*
28falsepositives:
29    - Unlikely
30level: high

References

  • Lateral Movement – WinRM

    WinRM stands for Windows Remote Management and is a service that allows administrators to perform management tasks on systems remotely. Communication is performed via HTTP (5985) or HTTPS SOAP (598…


    Read More

Related rules

to-top