Type: Threat Hunt | Level: medium | Status: test

Potential Credential Dumping Attempt Via PowerShell

Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts

Author: oscd.community, Natalia Shornikova
Created: Tue Oct 06
Updated: Tue Nov 28
Rule ID: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
Product: windows
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: Process Access (raw: process_access)

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetImage|endswith: '\lsass.exe'
    condition: selection
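To show what the selection above actually matches, here is an added example that is not part of the rule or the oscd.community project: it applies the rule's two field checks, with Sigma's default case-insensitive string matching, to a few constructed Sysmon Event ID 10 (ProcessAccess) records, which is the event source the windows/process_access log source maps to. The host paths and GrantedAccess values in the sample events are invented for illustration.

```python
# Added example: evaluate this Sigma rule's selection over constructed
# Sysmon Event ID 10 (ProcessAccess) records. Not the rule's own tooling.
from typing import Iterable

# The selection, transcribed from the rule's YAML. In Sigma a single
# backslash before a normal character is a literal backslash, so the
# leading '\' anchors the match to the file name (no 'notpowershell.exe').
SOURCE_IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
TARGET_IMAGE_SUFFIX = "\\lsass.exe"


def sigma_endswith(value, suffixes) -> bool:
    """Sigma string matching is case-insensitive by default; the
    'endswith' modifier compares the tail of the field value against
    each listed suffix (a list is OR-ed)."""
    if not isinstance(value, str):
        return False  # missing or non-string field never matches
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event: dict) -> bool:
    """condition: selection -> both field checks must hold (AND)."""
    return (sigma_endswith(event.get("SourceImage"), SOURCE_IMAGE_SUFFIXES)
            and sigma_endswith(event.get("TargetImage"), (TARGET_IMAGE_SUFFIX,)))


def hunt(events: Iterable[dict]) -> list:
    """Return the events the rule would surface for triage."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events using Sysmon EID 10 field names (hypothetical paths).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\PowerShell\7\PWSH.EXE",
     "TargetImage": r"C:\WINDOWS\system32\LSASS.EXE", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):  # expect the first two events only
        print("HUNT HIT:", hit["SourceImage"], "->", hit["TargetImage"], hit["GrantedAccess"])
```

The second event shows why case-insensitive matching matters (mixed-case PWSH.EXE and LSASS.EXE still match); the third and fourth show that both the source and the target check are required.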
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK

Tactic: Credential Access (attack.credential-access)
Technique: T1003.001 OS Credential Dumping: LSASS Memory (attack.t1003.001)

Other

detection.threat-hunting
Rule Metadata
Rule ID
0f920ebe-7aea-4c54-b202-9aa0c609cfe5
Status
test
Level
medium
Type
Threat Hunt
Created
Tue Oct 06
Modified
Tue Nov 28
Path
rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml
Raw Tags
attack.credential-access, attack.t1003.001, detection.threat-hunting