Hide Navigation Hide TOC

Remote LSASS Process Access Through Windows Remote Management (aa35a627-33fb-4d04-a165-d33b4afca3e8)

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Remote LSASS Process Access Through Windows Remote Management (aa35a627-33fb-4d04-a165-d33b4afca3e8)	Sigma-Rules	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Remote LSASS Process Access Through Windows Remote Management (aa35a627-33fb-4d04-a165-d33b4afca3e8)	Sigma-Rules	1
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	Remote LSASS Process Access Through Windows Remote Management (aa35a627-33fb-4d04-a165-d33b4afca3e8)	Sigma-Rules	1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	2