SigmaHQ/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
2021-06-21 21:14:36 +02:00

32 lines
900 B
YAML
Executable File

title: Mimikatz through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
status: stable
author: Patryk Prauze - ING Tech
date: 2019/05/20
modified: 2021/06/21
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
condition: selection
tags:
- attack.credential_access
- attack.execution
- attack.t1003.001
- attack.t1003 #an old one
- attack.t1059.001
- attack.t1086 #an old one
- attack.lateral_movement
- attack.t1021.006
- attack.t1028 #an old one
- attack.s0002
falsepositives:
- low
level: high