Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

1 rule found for "Patryk Prauze - ING Tech"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhighstable

Remote LSASS Process Access Through Windows Remote Management

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

WindowsProcess Access
TA0006 · Credential AccessTA0002 · ExecutionT1003.001 · LSASS MemoryT1059.001 · PowerShell+3
Patryk Prauze - ING TechMon May 20windows