PowerShell Get-Process LSASS in ScriptBlock
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
--- | --- | --- | --- | --- |
PowerShell Get-Process LSASS in ScriptBlock | Standard | Windows | Credential Access: OS Credential Dumping - LSASS Memory (T1003.001) | Critical |
About the rule
Rule Type
Standard
Rule Description
The Get-Process lsass command is commonly used by attackers to inspect the Local Security Authority Subsystem Service (LSASS), which stores sensitive credential material. While Get-Process by itself is benign, querying lsass often precedes credential dumping attempts using tools like Mimikatz or other in-memory exploits.
Severity
Trouble
Rule journey
Attack chain scenario
Admin account compromised → PowerShell execution → LSASS process queried → Credentials dumped → Lateral movement
Impact
- Credential theft
- Full domain compromise
- Lateral movement
Rule Requirement
Prerequisites
Log on to the Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Enter * in the Module Names window so that all modules are recorded. Similarly, enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key named "Microsoft-Windows-Powershell/Operational" under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
Criteria
Action1: actionname = "PowerShell Script Block Logged" AND SCRIPTEXECUTED contains "Get-Process lsass" select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED
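An added Python example (not part of the original rule documentation) that applies the criteria above to constructed script block log records. It contrasts the literal "contains" test with a normalized matcher, showing which case and parameter variants of the same query the literal test misses; the field names actionname, HOSTNAME, MESSAGE and SCRIPTEXECUTED are taken from the criteria line, and the records themselves are constructed.

```python
import re

ACTION = "PowerShell Script Block Logged"

# Constructed sample records shaped like script block log events (Event ID 4104
# in Microsoft-Windows-PowerShell/Operational); hostnames and scripts are made up.
SAMPLE_EVENTS = [
    {"actionname": ACTION, "HOSTNAME": "WS01", "MESSAGE": "Creating Scriptblock text (1 of 1):",
     "SCRIPTEXECUTED": "Get-Process lsass | Select-Object Id"},
    {"actionname": ACTION, "HOSTNAME": "WS02", "MESSAGE": "Creating Scriptblock text (1 of 1):",
     "SCRIPTEXECUTED": "get-process -Name LSASS"},
    {"actionname": ACTION, "HOSTNAME": "WS03", "MESSAGE": "Creating Scriptblock text (1 of 1):",
     "SCRIPTEXECUTED": "gps lsass"},
    {"actionname": ACTION, "HOSTNAME": "WS04", "MESSAGE": "Creating Scriptblock text (1 of 1):",
     "SCRIPTEXECUTED": "Get-Process explorer"},
    {"actionname": ACTION, "HOSTNAME": "WS05", "MESSAGE": "Creating Scriptblock text (1 of 1):",
     "SCRIPTEXECUTED": "Get-Service lsass"},
]


def rule_contains(event):
    """The criteria exactly as written: a literal, case-sensitive substring test."""
    return event.get("actionname") == ACTION and "Get-Process lsass" in event["SCRIPTEXECUTED"]


# Get-Process or its built-in aliases (gps; ps on Windows PowerShell), optionally
# followed by -Name / -ProcessName (or a prefix of -Name), then the lsass process
# name with optional quotes or .exe suffix. Case-insensitive, as PowerShell is.
LSASS_QUERY = re.compile(
    r"\b(?:get-process|gps|ps)\b\s+"
    r"(?:-(?:n|na|nam|name|processname)\s+)?"
    r"['\"]?lsass(?:\.exe)?['\"]?",
    re.IGNORECASE,
)


def matches_lsass_query(event):
    """Normalized form of the same detection: same intent, tolerant of case and syntax."""
    return event.get("actionname") == ACTION and LSASS_QUERY.search(event["SCRIPTEXECUTED"]) is not None


def select_alerts(events, matcher):
    """Apply a matcher and project the fields the rule's select clause returns."""
    return [{k: e[k] for k in ("HOSTNAME", "MESSAGE", "SCRIPTEXECUTED")} for e in events if matcher(e)]


if __name__ == "__main__":
    for name, matcher in (("literal", rule_contains), ("normalized", matches_lsass_query)):
        print(name, [a["HOSTNAME"] for a in select_alerts(SAMPLE_EVENTS, matcher)])
```

The literal test fires only on WS01, while the normalized matcher also flags WS02 and WS03 and still ignores the unrelated Get-Process and Get-Service records.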
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Credential Access: OS Credential Dumping - LSASS Memory (T1003.001)
Security Standards
Enabling this rule helps you meet the security standard requirement listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
When this rule is triggered, you're notified of attempts to install or authorize access to PSWA. This enables you to restrict interactive logins for service and admin accounts.
Author
Florian Roth (Nextron Systems)
Future actions
Known False Positives
Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable).
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
- Audit PowerShell activities: Enable Script Block Logging and monitor for lsass references.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
--- | --- | --- |
M1040 | Behavior Prevention on Endpoint | For Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing. |
M1043 | Credential Access Protection | On Windows 10, Microsoft introduced Credential Guard to protect LSA secrets that can be used for credential dumping. This feature is not configured by default and has specific hardware and firmware requirements. Note that it doesn't protect against all forms of credential dumping. |
M1028 | Operating System Configuration | Consider disabling or restricting NTLM and disabling WDigest authentication to reduce credential exposure. |
M1027 | Password Policies | Enforce complex and unique passwords for local administrator accounts across all systems in your network. |
M1026 | Privileged Account Management | Restrict privileges to execute PowerShell scripts to administrators and enforce limitations on the commands that can be executed via remote PowerShell sessions. |
M1025 | Privileged Process Integrity | On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA to enhance security. |
M1017 | User Training | Train users and administrators to avoid using the same password for multiple accounts to limit credential overlap across systems. |