title: Mimikatz through Windows Remote Management
author: Patryk Prauze - ING Tech
date: 2019/05/20
description: Detects usage of mimikatz through WinRM protocol by monitoring access
  to lsass process by wsmprovhost.exe.
detection:
  SELECTION_1:
    EventID: 10
  SELECTION_2:
    TargetImage: '*\lsass.exe'
  SELECTION_3:
    SourceImage: C:\Windows\system32\wsmprovhost.exe
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- low
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
level: high
logsource:
  category: process_access
  product: windows
modified: 2021/06/21
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
status: stable
tags:
- attack.credential_access
- attack.execution
- attack.t1003.001
- attack.t1003
- attack.t1059.001
- attack.t1086
- attack.lateral_movement
- attack.t1021.006
- attack.t1028
- attack.s0002
ruletype: SIGMA