PowerShell Get-Process LSASS
Detects the "Get-Process" cmdlet or its aliases (ps, gps) being run against the lsass process, which is in almost all cases a sign of malicious activity (credential access preparation, e.g. locating the LSASS PID before dumping it)
Sigma rule
title: PowerShell Get-Process LSASS
id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
status: test
description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
references:
    - https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021/04/23
modified: 2023/01/05
tags:
    - attack.credential_access
    - attack.t1552.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # You can add more permutation as you see fit
            - 'Get-Process lsas'
            - 'ps lsas'
            - 'gps lsas'
    condition: selection
falsepositives:
    - Unknown
level: high
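The following is an added example, not part of the rule above or of the Sigma project. It re-implements the rule's selection (Sigma's `contains` modifier is a case-insensitive substring test on the field) and runs it over a handful of constructed process_creation command lines. It also shows why the rule's own comment invites more permutations: the named-parameter form `Get-Process -Name lsass` and a quoted process name slip past the three literal substrings. The `EXTENDED_REGEX` pattern is a hypothetical broadening (what one might put under Sigma's `|re` modifier), not something the rule ships with.

```python
import re

# Substrings from the rule's `CommandLine|contains` selection, copied as-is.
RULE_CONTAINS = ["Get-Process lsas", "ps lsas", "gps lsas"]

# Hypothetical broader pattern (NOT part of the rule): additionally catches the
# -Name / -N parameter form and quoted process names, e.g. gps -n "lsass".
EXTENDED_REGEX = re.compile(
    r"(?:get-process|gps|ps)\s+(?:-n(?:ame)?\s+)?['\"]?lsas", re.IGNORECASE
)


def sigma_contains(value: str, needles) -> bool:
    """Sigma string matching is case-insensitive by default; the `contains`
    modifier wraps each value in wildcards, i.e. a plain substring test."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def rule_matches(command_line: str) -> bool:
    """Evaluates the rule's selection (condition: selection) on one event's
    CommandLine field. True means the rule would fire."""
    return sigma_contains(command_line, RULE_CONTAINS)


def extended_matches(command_line: str) -> bool:
    """Hypothetical extension of the rule using a regex instead of literals."""
    return EXTENDED_REGEX.search(command_line) is not None


# Constructed process_creation command lines for illustration; not real telemetry.
SAMPLE_EVENTS = [
    'powershell.exe -c "Get-Process lsass | Out-File C:\\Temp\\pid.txt"',
    'powershell.exe -nop -c "ps lsass"',
    'powershell.exe -c "gps LSASS"',                # upper case, still matches
    'powershell.exe -c "Get-Process -Name lsass"',  # named parameter: rule misses it
    "powershell.exe -c \"gps -n 'lsass'\"",         # quoted name: rule misses it
    'powershell.exe -c "Get-Process explorer"',     # benign, unrelated process
]


def evaluate(events):
    """Returns one (command_line, rule_hit, extended_hit) tuple per event."""
    return [(cl, rule_matches(cl), extended_matches(cl)) for cl in events]


if __name__ == "__main__":
    for cl, hit, ext in evaluate(SAMPLE_EVENTS):
        print(f"rule={str(hit):5} extended={str(ext):5}  {cl}")
```

Running it shows the rule firing on the first three lines only, while the extended pattern also catches the `-Name` and quoted variants; tuning the rule this way trades a little false-positive exposure (the bare `ps` alias is a common substring) for coverage of the permutations an operator would try first.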
Related rules
- Automated Collection Command Prompt
- Esentutl Gather Credentials
- PUA - DIT Snapshot Viewer
- PUA - Mouse Lock Execution
- PowerShell SAM Copy