Detectionhightest

Potential Credential Dumping Attempt Via PowerShell Remote Thread

Detects remote thread creation by PowerShell processes into "lsass.exe"

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

oscd.community, Natalia ShornikovaCreated Tue Oct 06Updated Sun Dec 18fb656378-f909-47c1-8747-278bf09f4f4fwindows

Log Source

WindowsRemote Thread Creation

ProductWindows← raw: windows

CategoryRemote Thread Creation← raw: create_remote_thread

Detection Logic

detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetImage|endswith: '\lsass.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

speakerdeck.com

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1003.001 · LSASS Memory

Related Rules

Similar

3f07b9d1-2082-4c56-9277-613a621983cc

Rule not found

SimilarThreat Huntmedium

Potential Credential Dumping Attempt Via PowerShell

Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

fb656378-f909-47c1-8747-278bf09f4f4f

Status

test

Level

high

Type

Detection

Created

Tue Oct 06

Modified

Sun Dec 18

Author

oscd.community, Natalia Shornikova

Path

rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml

Raw Tags

attack.credential-accessattack.t1003.001

View on GitHub