Techniques
Sample rules
LSASS Access Detected via Attack Surface Reduction
- source: sigma
- techniques:
  - t1003
  - t1003.001
Description
Detects Access to LSASS Process
Detection logic
selection:
  EventID: 1121
  Path|endswith: \lsass.exe
filter_begins:
  ProcessName|startswith:
    - C:\Windows\System32\DriverStore\
    - C:\WINDOWS\Installer\
    - C:\Program Files\
    - C:\Program Files (x86)\
filter_exact:
  ProcessName:
    - C:\Windows\System32\atiesrxx.exe
    - C:\Windows\System32\CompatTelRunner.exe
    - C:\Windows\System32\msiexec.exe
    - C:\Windows\System32\nvwmi64.exe
    - C:\Windows\System32\svchost.exe
    - C:\Windows\System32\Taskmgr.exe
    - C:\Windows\System32\wbem\WmiPrvSE.exe
    - C:\Windows\SysWOW64\msiexec.exe
filter_thor:
  ProcessName|endswith:
    - \thor64.exe
    - \thor.exe
  ProcessName|startswith: C:\Windows\Temp\asgard2-agent\
condition: selection and not 1 of filter_*
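The following is an added example, not part of the Sigma rule or the Sigma project, that evaluates the detection logic above against a handful of constructed Microsoft Defender attack surface reduction events (EventID 1121 is the event Defender writes when an ASR rule fires in block mode; 1122 is the audit-mode counterpart). It implements only the subset of Sigma semantics this rule needs: string comparison is case-insensitive, every key in a map must match (AND), a list of values is an OR, and the condition excludes any event that matches at least one filter_* section. The event records, process paths and field names other than those in the rule are assumptions made for the example. It also shows the edge case a reviewer would want to see: filter_thor only suppresses an event when both its startswith and endswith conditions hold, so a thor64.exe run from any other directory still alerts.

```python
"""Evaluate the Sigma detection logic of the LSASS/ASR rule over constructed events."""
from __future__ import annotations

from typing import Any

# Detection section transcribed from the rule above (added example, not Sigma code).
DETECTION: dict[str, dict[str, Any]] = {
    "selection": {
        "EventID": 1121,
        "Path|endswith": "\\lsass.exe",
    },
    "filter_begins": {
        "ProcessName|startswith": [
            "C:\\Windows\\System32\\DriverStore\\",
            "C:\\WINDOWS\\Installer\\",
            "C:\\Program Files\\",
            "C:\\Program Files (x86)\\",
        ],
    },
    "filter_exact": {
        "ProcessName": [
            "C:\\Windows\\System32\\atiesrxx.exe",
            "C:\\Windows\\System32\\CompatTelRunner.exe",
            "C:\\Windows\\System32\\msiexec.exe",
            "C:\\Windows\\System32\\nvwmi64.exe",
            "C:\\Windows\\System32\\svchost.exe",
            "C:\\Windows\\System32\\Taskmgr.exe",
            "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
            "C:\\Windows\\SysWOW64\\msiexec.exe",
        ],
    },
    "filter_thor": {
        "ProcessName|endswith": ["\\thor64.exe", "\\thor.exe"],
        "ProcessName|startswith": "C:\\Windows\\Temp\\asgard2-agent\\",
    },
}


def _field_matches(event: dict[str, Any], key: str, expected: Any) -> bool:
    """One Sigma field/modifier pair; a list of expected values is an OR."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    for want in expected if isinstance(expected, list) else [expected]:
        if isinstance(value, str) and isinstance(want, str):
            v, w = value.lower(), want.lower()  # Sigma strings match case-insensitively
            if modifier == "" and v == w:
                return True
            if modifier == "startswith" and v.startswith(w):
                return True
            if modifier == "endswith" and v.endswith(w):
                return True
        elif modifier == "" and value == want:
            return True
    return False


def section_matches(event: dict[str, Any], section: dict[str, Any]) -> bool:
    """Every key in a Sigma map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in section.items())


def which_filter(event: dict[str, Any]) -> str | None:
    """Name of the first filter_* section that suppresses the event, or None."""
    for name, section in DETECTION.items():
        if name.startswith("filter_") and section_matches(event, section):
            return name
    return None


def rule_fires(event: dict[str, Any]) -> bool:
    """condition: selection and not 1 of filter_*"""
    return section_matches(event, DETECTION["selection"]) and which_filter(event) is None


# Constructed sample events (assumed field names Path / ProcessName as in the rule).
_LSASS = "C:\\Windows\\System32\\lsass.exe"
EVENTS: dict[str, dict[str, Any]] = {
    "unknown_tool": {"EventID": 1121, "Path": _LSASS,
                     "ProcessName": "C:\\Users\\alice\\Downloads\\unknown_tool.exe"},
    "program_files": {"EventID": 1121, "Path": _LSASS,
                      "ProcessName": "C:\\Program Files\\ExampleAV\\sensor.exe"},
    "svchost": {"EventID": 1121, "Path": _LSASS,
                "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    "thor_agent": {"EventID": 1121, "Path": _LSASS,
                   "ProcessName": "C:\\Windows\\Temp\\asgard2-agent\\thor64.exe"},
    "thor_elsewhere": {"EventID": 1121, "Path": _LSASS,
                       "ProcessName": "C:\\tools\\thor64.exe"},
    "audit_mode": {"EventID": 1122, "Path": _LSASS,
                   "ProcessName": "C:\\Users\\alice\\Downloads\\unknown_tool.exe"},
    "other_target": {"EventID": 1121, "Path": "C:\\Windows\\System32\\winlogon.exe",
                     "ProcessName": "C:\\Users\\alice\\Downloads\\unknown_tool.exe"},
}


def evaluate_all() -> dict[str, bool]:
    """Map each sample event name to whether the rule would alert on it."""
    return {name: rule_fires(evt) for name, evt in EVENTS.items()}


if __name__ == "__main__":
    for name, fired in evaluate_all().items():
        print(f"{name:15s} alert={fired!s:5s} suppressed_by={which_filter(EVENTS[name])}")
```

Only unknown_tool and thor_elsewhere alert: the Program Files, svchost and asgard2-agent events are each suppressed by one filter section, the audit-mode event never passes the selection because its EventID is 1122, and the winlogon event fails the Path check. When tuning a rule like this, keep exact-path filters rather than broad prefix filters where possible, since a prefix such as C:\Program Files\ also covers anything an attacker manages to place under that directory.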