SigmaHQ/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

title: Mimikatz Detection LSASS Access
status: experimental
description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ)
reference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        - EventID: 10
          TargetImage: 'C:\windows\system32\lsass.exe'
          GrantedAccess: '0x1410'
    condition: selection
falsepositives:
    - unknown
level: high
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`title: Mimikatz Detection LSASS Access`
			`status: experimental`
			`description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION, 0x0010 PROCESS_VM_READ)`
			`reference: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`product: windows`
			`service: sysmon`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`detection:`
			`selection:`
Removed Sysmon EventLog from selection > via 'logsource' 2017-03-02 10:06:08 +00:00			`- EventID: 10`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`TargetImage: 'C:\windows\system32\lsass.exe'`
			`GrantedAccess: '0x1410'`
			`condition: selection`
			`falsepositives:`
			`- unknown`
			`level: high`