title: PowerShell Get-Process LSASS
author: Florian Roth
date: 2021/04/23
description: Detects a Get-Process command on lsass process, which is in almost all
    cases a sign of malicious activity
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        CommandLine: '*Get-Process lsass*'
    condition: (SELECTION_1 and (SELECTION_2))
falsepositives:
- Unknown
id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
level: high
logsource:
    category: process_creation
    product: windows
references:
- https://twitter.com/PythonResponder/status/1385064506049630211
status: experimental
tags:
- attack.credential_access
- attack.t1552.004
yml_filename: win_susp_powershell_getprocess_lsass.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation