title: Mimikatz through Windows Remote Management
description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
references:
    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
status: stable
author: Patryk Prauze - ING Tech
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 10
        TargetImage: 'C:\windows\system32\lsass.exe'
        SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
    condition: selection
tags:
    - attack.credential_access
    - attack.execution
    - attack.t1003
    - attack.t1028
    - attack.s0005
falsepositives:
    - low
level: high