title: Mimikatz Detection LSASS Access
status: experimental
description: Detects process access to LSASS that is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION, 0x0010 PROCESS_VM_READ, combined into GrantedAccess 0x1410). The selection is an exact match on 0x1410, so lsass.exe accesses requested with any other access mask are not covered by this rule.
references:
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
tags:
    - attack.s0002
    - attack.lateral_movement
    - attack.credential_access
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 10
        TargetImage: 'C:\windows\system32\lsass.exe'
        GrantedAccess: '0x1410'
    condition: selection
falsepositives:
    - unknown
level: high
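The following is an added example, not part of the Sigma rule or the Sigma project: it decodes the 0x1410 access mask into the three process rights named in the description and runs the rule's selection over a handful of constructed Sysmon Event ID 10 records. It also goes one step beyond the rule with an assumed, broader matcher (any lsass.exe access whose mask includes PROCESS_VM_READ plus one of the query rights) to show what the exact match on 0x1410 leaves out; that broadening, the event layout and the sample paths are assumptions made for illustration.

```python
"""Run the LSASS-access selection over constructed Sysmon Event ID 10 records.

Added example (not the Sigma rule's own code). Event dicts mirror the Sysmon
field names used by the rule; the sample data below is constructed.
"""
from __future__ import annotations
from typing import Callable

# Process access rights named in the rule description (values from winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

ACCESS_RIGHT_NAMES = {
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
}

RULE_TARGET_IMAGE = r"C:\windows\system32\lsass.exe"
RULE_GRANTED_ACCESS = 0x1410  # 0x1000 | 0x0400 | 0x0010


def decode_access_mask(mask_hex: str) -> tuple[int, list[str]]:
    """Parse Sysmon's hex GrantedAccess string and name the known rights set in it."""
    mask = int(mask_hex, 16)
    names = [name for bit, name in ACCESS_RIGHT_NAMES.items() if mask & bit]
    return mask, names


def _targets_lsass(event: dict) -> bool:
    # Sigma string matching is case-insensitive; Sysmon typically logs 'C:\Windows\...'.
    return event.get("TargetImage", "").lower() == RULE_TARGET_IMAGE.lower()


def matches_rule(event: dict) -> bool:
    """The rule's selection: EventID 10, lsass.exe target, GrantedAccess exactly 0x1410."""
    if event.get("EventID") != 10 or not _targets_lsass(event):
        return False
    mask, _ = decode_access_mask(event.get("GrantedAccess", "0x0"))
    return mask == RULE_GRANTED_ACCESS


def matches_broadened(event: dict) -> bool:
    """Assumed broadening, not the rule's logic: flag any lsass.exe access whose mask
    contains PROCESS_VM_READ together with either query right. This catches other
    masks a memory reader may request, at the cost of more hits from legitimate
    security tooling that also reads LSASS memory."""
    if event.get("EventID") != 10 or not _targets_lsass(event):
        return False
    mask, _ = decode_access_mask(event.get("GrantedAccess", "0x0"))
    query = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
    return bool(mask & PROCESS_VM_READ) and bool(mask & query)


def scan(events: list[dict], matcher: Callable[[dict], bool]) -> list[str]:
    """Return the SourceImage of every event the matcher accepts."""
    return [e.get("SourceImage", "<unknown>") for e in events if matcher(e)]


# Constructed sample records (paths and masks are illustrative).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Vendor\scanner.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\mimikatz.exe",
     "CommandLine": "mimikatz.exe"},
]

if __name__ == "__main__":
    mask, names = decode_access_mask("0x1410")
    print(f"0x{mask:04x} = " + " | ".join(names))
    print("rule hits:     ", scan(SAMPLE_EVENTS, matches_rule))
    print("broadened hits:", scan(SAMPLE_EVENTS, matches_broadened))
```

Only the first sample record satisfies the rule's exact match; the second (0x1010, PROCESS_VM_READ with PROCESS_QUERY_LIMITED_INFORMATION only) is a miss for the rule but a hit for the broadened matcher, which is the gap the description's exact-match caveat refers to. The scanner record with 0x1400 carries no PROCESS_VM_READ and is accepted by neither.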