Create sysmon_mimikatz_trough_winrm.yml
Detects usage of mimikatz through WinRM protocol
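--- a/sysmon_mimikatz_trough_winrm.yml
+++ b/sysmon_mimikatz_trough_winrm.yml
@@ -0,0 +1,24 @@
+title: Mimikatz through Windows Remote Management
+description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
+references:
+    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
+status: stable
+author: Patryk Prauze - ING Tech
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 10
+        TargetImage: 'C:\windows\system32\lsass.exe'
+        SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
+    condition: selection
+tags:
+    - attack.credential_access
+    - attack.execution
+    - attack.t1003
+    - attack.t1028
+    - attack.s0005
+falsepositives:
+    - low
+level: high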
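Review bot: The selection pins both images to a full `C:\windows\system32\...` path, with different casing on the `TargetImage` and `SourceImage` lines, so an event from a host with a different system drive, or a backend that matches case-sensitively, is silently missed; Sigma rules normally anchor on the image name with a leading wildcard, e.g. `TargetImage: '*\lsass.exe'` and `SourceImage: '*\wsmprovhost.exe'`. The selection also places no constraint on `GrantedAccess`, so a legitimate remoting session that merely enumerates processes and opens lsass with query-only rights produces the same Event ID 10 and fires this `high` rule. Either narrow the selection to the access masks associated with reading process memory, or change `falsepositives` from `low` to name that case so analysts know to expect it. Finally, `status: stable` is a strong claim for a first commit of a rule with no `date` field; `status: experimental` is the usual starting point until it has been validated against production telemetry.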