Credential Access (TA0006)

Sub-technique: T1003.001 - LSASS Memory

Objective: Detect attempts to dump credentials from LSASS memory.

  1. Monitor for Suspicious LSASS Access

//Basic Search
// In DeviceProcessEvents, FileName is the process being created, so a filter on
// FileName == "lsass.exe" only matches LSASS itself starting at boot. Handle opens
// on LSASS are recorded in DeviceEvents as OpenProcessApiCall, where FileName is
// the target process and the Initiating* columns describe the accessing process.
DeviceEvents
| where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
| where InitiatingProcessCommandLine has "dump"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName

//Advanced Search
// InitiatingProcessFileName is a native column; re-deriving it by splitting the
// command line on spaces breaks on quoted paths and overwrites the real value.
// The network join counts connections made by the accessing process, not by LSASS.
DeviceEvents
| where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
| where InitiatingProcessCommandLine has "dump"
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessFileName
) on DeviceName, InitiatingProcessFileName
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, NetworkEventCount
| order by Timestamp desc

Purpose: Detect suspicious access to LSASS memory.

  2. Detect Credential Dumping Tools

//Basic Search
// FileName is the binary that was launched; projecting it alongside the command
// line shows whether the tool name came from the image or only from an argument.
DeviceProcessEvents
| where ProcessCommandLine has_any ("mimikatz", "procdump", "secretsdump")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName

//Advanced Search
// The original extend overwrote the native InitiatingProcessFileName column with
// the first space-separated token of the command line; the native column is used instead.
DeviceProcessEvents
| where ProcessCommandLine has_any ("mimikatz", "procdump", "secretsdump")
| join kind=leftouter (
    DeviceNetworkEvents
    | where InitiatingProcessFileName has_any ("mimikatz", "procdump", "secretsdump")
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName, NetworkEventCount
| order by Timestamp desc

Purpose: Identify known credential dumping tools.

  3. Monitor LSASS for Suspicious Memory Reads

//Basic Search
// Cross-process memory reads are reported in DeviceEvents, not DeviceProcessEvents.
// This assumes the ReadProcessMemoryApiCall ActionType is reported in your tenant;
// confirm with: DeviceEvents | distinct ActionType
DeviceEvents
| where ActionType == "ReadProcessMemoryApiCall" and FileName =~ "lsass.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName

//Advanced Search
// Uses the native InitiatingProcessFileName column and joins network activity of
// the reading process (not of LSASS, which talks to domain controllers constantly).
DeviceEvents
| where ActionType == "ReadProcessMemoryApiCall" and FileName =~ "lsass.exe"
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessFileName
) on DeviceName, InitiatingProcessFileName
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, NetworkEventCount
| order by Timestamp desc

Purpose: Detect suspicious memory reads from LSASS.

  4. Detect LSASS Process Termination Attempts

//Basic Search
// DeviceProcessEvents records process creation (ActionType "ProcessCreated"), so
// confirm that a "TerminateProcess" value actually exists in your tenant
// (DeviceProcessEvents | distinct ActionType) before relying on this filter.
DeviceProcessEvents
| where FileName =~ "lsass.exe" and ActionType == "TerminateProcess"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName

//Advanced Search
// InitiatingProcessFileName is a native column; splitting the command line to
// re-derive it is unreliable and is not needed.
DeviceProcessEvents
| where FileName =~ "lsass.exe" and ActionType == "TerminateProcess"
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessFileName
) on DeviceName, InitiatingProcessFileName
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName, NetworkEventCount
| order by Timestamp desc

Purpose: Monitor for attempts to terminate LSASS.

  5. Suspicious DLL Injections into LSASS

//Basic Search
// Every DLL LSASS loads is returned here; FolderPath and SHA1 are projected so
// results can be triaged by location and hash.
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "lsass.exe" and FileName endswith ".dll"
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessAccountName

//Advanced Search
// InitiatingProcessAccountDomain is a native column (the account name does not
// contain the domain, so splitting it on "\" yields nothing useful). Modules
// loaded from outside the Windows directory are the interesting minority.
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "lsass.exe" and FileName endswith ".dll"
| where FolderPath !startswith @"C:\Windows\"
| join kind=leftouter (
    DeviceNetworkEvents
    | where InitiatingProcessFileName =~ "lsass.exe"
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessAccountName, InitiatingProcessAccountDomain, NetworkEventCount
| order by Timestamp desc

Purpose: Detect DLL injections into LSASS.

  6. Unauthorized LSASS Access by Non-System Accounts

//Basic Search
// Handle opens on LSASS live in DeviceEvents (OpenProcessApiCall); the account of
// interest is the accessing process's account. Account names are compared
// case-insensitively (!~) because the column is typically lowercase.
DeviceEvents
| where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
| where InitiatingProcessAccountName !~ "SYSTEM"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName

//Advanced Search
// Uses the native InitiatingProcessFileName column and counts network activity of
// the accessing process rather than of LSASS itself.
DeviceEvents
| where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
| where InitiatingProcessAccountName !~ "SYSTEM"
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessFileName
) on DeviceName, InitiatingProcessFileName
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, NetworkEventCount
| order by Timestamp desc

Purpose: Identify unauthorized LSASS access by non-system accounts.

  7. Detect Procdump Used Against LSASS

//Basic Search
DeviceProcessEvents
| where ProcessCommandLine has "procdump" and ProcessCommandLine has "lsass"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName

//Advanced Search
// InitiatingProcessFileName is the parent of the Procdump process and is a native
// column; the original extend replaced it with the first token of the command line.
DeviceProcessEvents
| where ProcessCommandLine has "procdump" and ProcessCommandLine has "lsass"
| join kind=leftouter (
    DeviceNetworkEvents
    | where InitiatingProcessFileName =~ "procdump.exe"
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName, NetworkEventCount
| order by Timestamp desc

Purpose: Monitor for Procdump usage to dump LSASS.

  8. Monitor for LSASS Process Duplicates

//Basic Search
// DeviceProcessEvents uses the ActionType value "ProcessCreated" (there is no
// "CreateProcess"). A legitimate lsass.exe starts once at boot, from System32,
// with wininit.exe as its parent; any other start is the signal.
DeviceProcessEvents
| where FileName =~ "lsass.exe" and ActionType == "ProcessCreated"
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName

//Advanced Search
DeviceProcessEvents
| where FileName =~ "lsass.exe" and ActionType == "ProcessCreated"
| join kind=leftouter (
    DeviceNetworkEvents
    | where InitiatingProcessFileName =~ "lsass.exe"
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName, NetworkEventCount
| order by Timestamp desc

Purpose: Detect the creation of duplicate LSASS processes.

  9. Identify LSASS Access Using Handle Duplication

//Basic Search
// Handle duplication is an API call and never appears in a command line, so this
// string filter is a placeholder; DeviceEvents with ActionType OpenProcessApiCall
// and FileName == "lsass.exe" is the telemetry that records handle access to LSASS.
DeviceProcessEvents
| where ProcessCommandLine has "DuplicateHandle" and FileName =~ "lsass.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName

//Advanced Search
// Uses the native InitiatingProcessFileName column instead of re-deriving it.
DeviceProcessEvents
| where ProcessCommandLine has "DuplicateHandle" and FileName =~ "lsass.exe"
| join kind=leftouter (
    DeviceNetworkEvents
    | where InitiatingProcessFileName =~ "lsass.exe"
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName, NetworkEventCount
| order by Timestamp desc

Purpose: Monitor for handle duplication used to access LSASS.

  10. Detect LSASS Credential Dumping via Task Scheduler

//Basic Search
DeviceProcessEvents
| where ProcessCommandLine has_any ("schtasks", "taskschd.msc") and ProcessCommandLine has "lsass"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName

//Advanced Search
// InitiatingProcessFileName (the parent of the schtasks process) is a native column;
// the original extend overwrote it with the first token of the command line.
DeviceProcessEvents
| where ProcessCommandLine has_any ("schtasks", "taskschd.msc") and ProcessCommandLine has "lsass"
| join kind=leftouter (
    DeviceNetworkEvents
    | where InitiatingProcessFileName has_any ("schtasks", "taskschd.msc")
    | summarize NetworkEventCount = count() by DeviceName
) on DeviceName
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName, NetworkEventCount
| order by Timestamp desc

Purpose: Identify attempts to schedule tasks that dump LSASS credentials.
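The queries above match on tool names and strings, which a renamed binary evades. A fleet-prevalence hunt that ranks every process opening a handle to LSASS by how rarely it is seen, added here as an example and not part of the original page. It assumes the OpenProcessApiCall ActionType is reported in your tenant and that its AdditionalFields JSON carries a DesiredAccess value; the 30-day baseline and the device-count threshold are arbitrary starting points.

```kql
// Added example (not from the original page): rank LSASS accessors by fleet rarity
// so one-off accessors surface above routine ones such as AV engines and backup agents.
// Assumptions: OpenProcessApiCall is reported in this tenant, and AdditionalFields
// for that event contains DesiredAccess. Confirm with: DeviceEvents | distinct ActionType
let lookback = 30d;          // baseline window (arbitrary starting point)
let rare_threshold = 3;      // flag accessors seen on this many devices or fewer
let lsass_access =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
    // InitiatingProcessFolderPath already holds the full image path of the accessor;
    // lower-casing it makes the prevalence key stable across devices.
    | extend AccessorPath = tolower(InitiatingProcessFolderPath),
             DesiredAccess = tostring(parse_json(AdditionalFields).DesiredAccess);
// How many distinct devices, and how many opens, each accessor image accounts for.
let prevalence =
    lsass_access
    | summarize DeviceCount = dcount(DeviceName), AccessCount = count() by AccessorPath;
// Recent opens annotated with their baseline prevalence, keeping only rare accessors.
lsass_access
| where Timestamp > ago(1d)
| join kind=inner (prevalence) on AccessorPath
| where DeviceCount <= rare_threshold
| project Timestamp, DeviceName, AccessorPath, DesiredAccess, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, InitiatingProcessParentFileName, DeviceCount, AccessCount
| order by DeviceCount asc, Timestamp desc
```

Expect security agents and backup software near the bottom of the list with high DeviceCount; tune rare_threshold to the fleet size and allowlist by AccessorPath plus signer rather than by file name.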
