Credential Access (TA0006)

Sub-technique: T1003.001 - LSASS Memory

Objective: Detect attempts to dump credentials from LSASS memory.

  1. Monitor for Suspicious LSASS Access

```kusto
//Basic Search
// lsass.exe is the target of the dump, not the process that runs it, so the filter
// looks at the command line of a process that names lsass together with a dump keyword
DeviceProcessEvents
| where ProcessCommandLine has "lsass" and ProcessCommandLine has "dump"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName
```

```kusto
//Advanced Search
DeviceProcessEvents
| where ProcessCommandLine has "lsass" and ProcessCommandLine has "dump"
// InitiatingProcessFileName already holds the parent process; keep the dumping tool under its own name
| extend DumpingTool = FileName
| join kind=leftouter (
    // network activity initiated by lsass.exe on the same device, added as context;
    // lsass.exe normally talks to domain controllers, so the count is context, not evidence
    DeviceNetworkEvents
    | where InitiatingProcessFileName =~ "lsass.exe"
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
| project Timestamp, DeviceName, DumpingTool, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName, NetworkEventCount
| order by Timestamp desc
```

Purpose: Detect suspicious access to LSASS memory.

  2. Detect Credential Dumping Tools

Purpose: Identify known credential dumping tools.

  3. Monitor LSASS for Suspicious Memory Reads

Purpose: Detect suspicious memory reads from LSASS.

  4. Detect LSASS Process Termination Attempts

Purpose: Monitor for attempts to terminate LSASS.

  5. Suspicious DLL Injections into LSASS

Purpose: Detect DLL injections into LSASS.

  6. Unauthorized LSASS Access by Non-System Accounts

Purpose: Identify unauthorized LSASS access by non-system accounts.
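The query below is an added example, not a query from the original page. It serves both the memory-read and the non-system-account items: Microsoft Defender for Endpoint records handle opens against a process as `OpenProcessApiCall` rows in `DeviceEvents`, where `FileName` is the target and the `InitiatingProcess*` columns describe the caller. The service-account and caller allowlists are assumptions to be tuned per environment.

```kusto
// Added example (not from the original page): processes that open a handle to lsass.exe,
// excluding the built-in service identities that legitimately touch it.
// Assumes the Microsoft Defender for Endpoint advanced hunting schema for DeviceEvents.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
// Built-in identities that routinely access LSASS (assumed baseline; tune per environment)
| where InitiatingProcessAccountName !in~ ("system", "local service", "network service")
// Expected callers, matched by name only as a first cut; the path and hash are kept in the
// output so an analyst can verify that an allowlisted name is the genuine binary
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "csrss.exe", "wininit.exe", "services.exe")
| summarize AccessCount = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
       InitiatingProcessFolderPath, InitiatingProcessSHA1
// rare callers float to the top
| order by AccessCount asc
```

Sorting by ascending count surfaces the one-off callers, which is where a dumping tool run once by an interactive user lands; a caller that appears on many devices with a stable path and hash is a candidate for the allowlist rather than an alert.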

  7. Detect Procdump Used Against LSASS

Purpose: Monitor for Procdump usage to dump LSASS.
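An added example for this item, not from the original page: ProcDump is a signed Sysinternals binary, so a detection keyed only on the file name `procdump.exe` misses a renamed copy. `DeviceProcessEvents` carries the PE version resource in `ProcessVersionInfoOriginalFileName`, which survives a rename. The dump-switch regex assumes the documented `-ma` (full) and `-mp` (MiniPlus) switches.

```kusto
// Added example (not from the original page): ProcDump launched against LSASS,
// matched on the on-disk name and on the PE original file name so a renamed copy is still caught.
// Assumes the Microsoft Defender for Endpoint DeviceProcessEvents schema.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("procdump.exe", "procdump64.exe")
    or ProcessVersionInfoOriginalFileName has "procdump"
// ProcDump accepts the target as a name or a PID; a PID-only invocation will not contain "lsass",
// so also keep full-dump switches and let the analyst confirm the target from the command line
| where ProcessCommandLine has "lsass"
    or ProcessCommandLine matches regex @"(?i)\s-m[ap]\b"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          ProcessVersionInfoOriginalFileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| order by Timestamp desc
```

Pairing this with the handle-open query from the previous item closes the gap for a copy whose version resource has been stripped: that copy still has to open lsass.exe and still shows up as a rare caller there.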

  8. Monitor for LSASS Process Duplicates

Purpose: Detect the creation of duplicate LSASS processes.

  9. Identify LSASS Access Using Handle Duplication

Purpose: Monitor for handle duplication used to access LSASS.

  10. Detect LSASS Credential Dumping via Task Scheduler

Purpose: Identify attempts to schedule tasks that dump LSASS credentials.
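An added example for this item, not from the original page. A scheduled task leaves two process-creation traces: the registration, where `schtasks.exe /create` carries the action in its command line, and the execution, where the task action is spawned by the Task Scheduler service host. The example assumes the Microsoft Defender for Endpoint `DeviceProcessEvents` schema and that the Schedule service runs in its own `svchost.exe -s Schedule` host, which holds on current Windows builds; the keyword list is limited to the terms this page uses.

```kusto
// Added example (not from the original page): scheduled tasks whose action references LSASS
// together with a dump keyword, caught at registration and again at execution.
let dumpKeywords = dynamic(["dump", "procdump"]);   // "procdump" is its own term, so list it separately
// 1) task registration: the action text is on the schtasks.exe command line
let creation = DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "schtasks.exe" and ProcessCommandLine has "/create"
| where ProcessCommandLine has "lsass" and ProcessCommandLine has_any (dumpKeywords)
| extend Stage = "TaskCreated";
// 2) task execution: the action is a child of the Task Scheduler service host
//    (assumption: the Schedule service runs as "svchost.exe -k netsvcs -p -s Schedule")
let execution = DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "svchost.exe"
    and InitiatingProcessCommandLine has "Schedule"
| where ProcessCommandLine has "lsass" and ProcessCommandLine has_any (dumpKeywords)
| extend Stage = "TaskExecuted";
union creation, execution
| project Timestamp, Stage, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

The execution branch is the one that matters when the task was registered through the Task Scheduler API or an XML import rather than `schtasks.exe`, since no creation command line exists in that case; the `Stage` column lets an analyst see which of the two traces fired.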
