SigmaHQ/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml

25 lines
687 B
YAML
Raw Normal View History

title: Mimikatz through Windows Remote Management
description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
status: stable
author: Patryk Prauze - ING Tech
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 10
TargetImage: 'C:\windows\system32\lsass.exe'
SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
condition: selection
tags:
- attack.credential_access
- attack.execution
- attack.t1003
- attack.t1028
- attack.s0005
falsepositives:
- low
level: high