Remote LSASS Process Access Through Windows Remote Management
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz. Concretely, the rule fires on a process_access event (Sysmon Event ID 10 in the default Sigma mapping) in which wsmprovhost.exe, the WinRM plug-in host that executes commands sent over a remote PowerShell/WinRM session, running from the system32 directory, opens a handle to lsass.exe with any access mask other than 0x80000000. An LSASS handle from that process means something running inside a remote session touched the credential store, which is not part of normal WinRM operation.
Sigma rule

```yaml
title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019/05/20
modified: 2023/11/29
tags:
    - attack.credential_access
    - attack.execution
    - attack.t1003.001
    - attack.t1059.001
    - attack.lateral_movement
    - attack.t1021.006
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
    filter_main_access:
        GrantedAccess: '0x80000000'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
```
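To make the detection logic concrete, the following is an added example (not part of the SigmaHQ rule or its documentation) that evaluates the rule's `selection`, `filter_main_*` and `condition` in plain Python over constructed Sysmon Event ID 10 records. The field names `SourceImage`, `TargetImage` and `GrantedAccess` are the real Sysmon ProcessAccess fields; the `RecordId` values and the events themselves are made up for illustration. Sigma string matching is case-insensitive, which is why both sides are lower-cased before comparison.

```python
"""Reference evaluation of the 'Remote LSASS Process Access Through WinRM' logic.

Added example, not the project's own code. Implements only the two Sigma
features the rule uses: plain equality and the |endswith modifier, combined
with the condition `selection and not 1 of filter_main_*`.
"""

# Detection maps copied from the rule. Sigma treats a backslash before a
# non-wildcard character as a literal backslash, so raw strings are used here.
RULE = {
    "selection": {
        "TargetImage|endswith": r"\lsass.exe",
        "SourceImage|endswith": r":\Windows\system32\wsmprovhost.exe",
    },
    "filter_main_access": {
        "GrantedAccess": "0x80000000",
    },
}


def _field_matches(field_spec: str, expected: str, event: dict) -> bool:
    """Apply one Sigma field comparison (plain equality or the |endswith modifier)."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()   # Sigma matching is case-insensitive
    expected = expected.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def _map_matches(spec: dict, event: dict) -> bool:
    """A Sigma map matches only when every field/value pair in it matches (AND)."""
    return all(_field_matches(f, v, event) for f, v in spec.items())


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*

    '1 of filter_main_*' is true when any map whose name starts with
    'filter_main_' matches; this rule ships exactly one such map.
    """
    filters = [m for name, m in RULE.items() if name.startswith("filter_main_")]
    return _map_matches(RULE["selection"], event) and not any(
        _map_matches(f, event) for f in filters
    )


# Constructed sample records in Sysmon Event ID 10 (ProcessAccess) shape; not real telemetry.
SAMPLE_EVENTS = [
    {   # 1: WinRM plug-in host reading LSASS memory.
        #    0x1010 = PROCESS_VM_READ (0x10) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
        "RecordId": 1,
        "SourceImage": r"C:\Windows\System32\wsmprovhost.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1010",
    },
    {   # 2: same process pair, but with the mask the rule explicitly excludes
        "RecordId": 2,
        "SourceImage": r"C:\Windows\system32\wsmprovhost.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x80000000",
    },
    {   # 3: a different source process opening LSASS; out of scope for this rule
        "RecordId": 3,
        "SourceImage": r"C:\Windows\System32\svchost.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1010",
    },
    {   # 4: wsmprovhost.exe opening a handle to something other than LSASS
        "RecordId": 4,
        "SourceImage": r"C:\Windows\System32\wsmprovhost.exe",
        "TargetImage": r"C:\Windows\System32\conhost.exe",
        "GrantedAccess": "0x1fffff",
    },
    {   # 5: a copy of wsmprovhost.exe outside system32; the SourceImage anchor
        #    ':\Windows\system32\' does not match, so the rule stays silent
        "RecordId": 5,
        "SourceImage": r"C:\Temp\wsmprovhost.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1fffff",
    },
]


def matching_record_ids(events) -> list:
    """Return the RecordId of every event the rule would alert on."""
    return [e["RecordId"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(matching_record_ids(SAMPLE_EVENTS))  # [1]
```

Two points the sample events bring out. First, `GrantedAccess` is compared as a string, so the exclusion removes only the exact value `0x80000000` (GENERIC_READ); a mask that combines other rights with it still alerts. Second, the `SourceImage` pattern is anchored to `:\Windows\system32\`, so the rule is aimed at the legitimate WinRM host process that a remote session runs inside, not at a renamed or relocated binary; those cases are covered by the related process-access rules listed below.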
References
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
Related rules
- Mimikatz Use
- Credential Dumping Attempt Via WerFault
- HackTool - Generic Process Access
- LSASS Access From Potentially White-Listed Processes
- LSASS Memory Access by Tool With Dump Keyword In Name