sigmahighTTP

Remote LSASS Process Access Through Windows Remote Management

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

MITRE ATT&CK

T1003.001 T1059.001 T1021.006 S0002

credential-accessexecutionlateral-movement

Detection Query

selection:
  TargetImage|endswith: \lsass.exe
  SourceImage|endswith: :\Windows\system32\wsmprovhost.exe
filter_main_access:
  GrantedAccess: "0x80000000"
condition: selection and not 1 of filter_main_*

Author

Patryk Prauze - ING Tech

Created

2019-05-20

Data Sources

windowsProcess Access Events

Platforms

windows

References

https://pentestlab.blog/2018/05/15/lateral-movement-winrm/

Tags

attack.credential-accessattack.executionattack.t1003.001attack.t1059.001attack.lateral-movementattack.t1021.006attack.s0002

Raw Content

title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
    filter_main_access:
        GrantedAccess: '0x80000000'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high