Detectionhighstable

Remote LSASS Process Access Through Windows Remote Management

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Patryk Prauze - ING TechCreated Mon May 20Updated Wed Nov 29aa35a627-33fb-4d04-a165-d33b4afca3e8windows

Log Source

WindowsProcess Access

ProductWindows← raw: windows

CategoryProcess Access← raw: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic

detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
    filter_main_access:
        GrantedAccess: '0x80000000'
    condition: selection and not 1 of filter_main_*

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

pentestlab.blog

MITRE ATT&CK

Tactics

TA0006 · Credential Access TA0002 · Execution TA0008 · Lateral Movement

Sub-techniques

T1003.001 · LSASS Memory T1059.001 · PowerShell T1021.006 · Windows Remote Management

Software

S0002 · Mimikatz

Rule Metadata

Rule ID

aa35a627-33fb-4d04-a165-d33b4afca3e8

Status

stable

Level

high

Type

Detection

Created

Mon May 20

Modified

Wed Nov 29

Author

Patryk Prauze - ING Tech

Path

rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml

Raw Tags

attack.credential-accessattack.executionattack.t1003.001attack.t1059.001attack.lateral-movementattack.t1021.006attack.s0002

View on GitHub