security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9b93165ecedec7caac9331d9d6236a3bb46bb484
blue-team-tools/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml
T
partyh4rd 5a98e36905 Update powershell_suspicious_getprocess_lsass.yml 
fix mitre_code 1552.004 -> 1003.001
2021-05-04 14:04:52 +03:00

25 lines
891 B
YAML
Raw Blame History

title: PowerShell Get-Process LSASS in ScriptBlock
id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
status: experimental
description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
references:
- https://twitter.com/PythonResponder/status/1385064506049630211
tags:
- attack.credential_access
- attack.t1003.001
author: Florian Roth
date: 2021/04/23
logsource:
product: windows
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
EventID: 4104
ScriptBlockText|contains:
- 'Get-Process lsass'
condition: keywords
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
level: high
Reference in New Issue View Git Blame Copy Permalink