Techniques
Sample rules
PowerShell Get-Process LSASS in ScriptBlock
- source: sigma
- techniques:
  - t1003
  - t1003.001
Description
Detects a Get-Process command on the lsass process, which is in almost all cases a sign of malicious activity.
Detection logic
condition: selection
selection:
    ScriptBlockText|contains: Get-Process lsass
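To show what the selection above actually matches, here is an added example (not part of the Sigma rule or the Sigma project) that evaluates the `ScriptBlockText|contains` check against a handful of constructed PowerShell Script Block Logging events (Event ID 4104). The event dictionaries and field names are assumptions chosen to resemble what a log pipeline hands to a Sigma backend; the matching follows Sigma's `contains` modifier, whose string comparison is case-insensitive.

```python
"""Evaluate the Sigma selection `ScriptBlockText|contains: Get-Process lsass`
against sample PowerShell Script Block Logging events.

Added example, not the Sigma project's own code. Events are constructed
for illustration and shaped like parsed Event ID 4104 records.
"""

# Constructed sample events (assumed field layout after log parsing).
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-Process lsass | Select-Object Id"},
    {"EventID": 4104, "ScriptBlockText": "get-process LSASS"},      # case differs
    {"EventID": 4104, "ScriptBlockText": "Get-Process -Name lsass"},  # literal substring absent
    {"EventID": 4104, "ScriptBlockText": "Get-Process explorer"},
    {"EventID": 4104},                                                # field missing entirely
]

# The rule's selection block, keyed exactly as Sigma writes it.
RULE_SELECTION = {"ScriptBlockText|contains": "Get-Process lsass"}


def field_contains(event, field, needle):
    """Sigma `contains`: case-insensitive substring test on a string field."""
    value = event.get(field)
    if not isinstance(value, str):
        return False  # absent or non-string field never matches
    return needle.lower() in value.lower()


def selection_matches(event, selection=RULE_SELECTION):
    """All entries of a Sigma selection map are AND-ed together."""
    for key, needle in selection.items():
        field, _, modifier = key.partition("|")
        if modifier != "contains":
            raise ValueError(f"unsupported modifier: {modifier!r}")
        if not field_contains(event, field, needle):
            return False
    return True


def run_detection(events):
    """Return the ScriptBlockText of every event the rule fires on
    (condition is simply `selection`, so a match is a hit)."""
    return [e["ScriptBlockText"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT: PowerShell Get-Process LSASS in ScriptBlock ->", hit)
```

Running it fires on the first two events only: the literal `Get-Process lsass` substring matches regardless of case, while `Get-Process -Name lsass` and an event without a `ScriptBlockText` field do not. That is worth keeping in mind when tuning: the rule is a narrow literal match, so Script Block Logging must be enabled on the endpoints for the field to exist at all, and the string is the only thing being tested.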