Credential Access (TA0006)
Sub-technique: T1003.001 - LSASS Memory
Objective: Detect attempts to dump credentials from LSASS memory, using Microsoft Defender for Endpoint Advanced Hunting (KQL) queries over the Device* tables.
Monitor for Suspicious LSASS Access
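//Basic Search
// Purpose: processes that open a handle to lsass.exe and carry "dump" in their command line.
// Why DeviceEvents: DeviceProcessEvents only records process creation, so
// `FileName == "lsass.exe"` there matches the boot-time start of LSASS itself (whose
// arguments never contain "dump") and never a tool opening LSASS. Handle opens are
// recorded in DeviceEvents as ActionType "OpenProcessApiCall", where FileName is the
// TARGET process and the InitiatingProcess* columns describe the ACCESSOR.
// NOTE(review): confirm the ActionType value with `DeviceEvents | distinct ActionType` in your tenant.
DeviceEvents
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"                     // case-insensitive; the target of the handle open
| where InitiatingProcessCommandLine has "dump"     // keeps the original keyword heuristic; weak on its own and easy to evade
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName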
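//Advanced Search
// Purpose: as the basic search, plus the number of network events generated by the
// accessing process (a dump file being moved off-host is the usual follow-on).
// Fixes vs. the original:
//  - the `extend InitiatingProcessFileName = split(ProcessCommandLine, " ")[0]` overwrote
//    the native InitiatingProcessFileName column with the first token of the command line;
//    the native column is used instead;
//  - the join now keys on the accessor's process identity (DeviceName + InitiatingProcessId
//    + InitiatingProcessCreationTime, the unique process key in this schema) rather than
//    DeviceName alone, so NetworkEventCount is that process's count, not every network
//    event on the device.
// NOTE(review): confirm "OpenProcessApiCall" with `DeviceEvents | distinct ActionType`.
DeviceEvents
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessCommandLine has "dump"
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
) on DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName,
          NetworkEventCount = coalesce(NetworkEventCount, long(0))   // leftouter leaves null when the process never touched the network
| order by Timestamp desc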
Purpose: Detect suspicious access to LSASS memory.
Detect Credential Dumping Tools
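//Basic Search
// Purpose: flag well-known credential-dumping tools by name, in the command line or the image name.
// Fixes vs. the original: `has "procdump"` does not match "procdump64.exe" (the term
// tokenizer keeps "procdump64" as a single term), so the 64-bit binary is listed
// explicitly; FileName is checked as well, because a tool launched with no arguments
// has nothing else in ProcessCommandLine.
// Limitation: name matching is defeated by renaming the binary — pair this with the
// lsass.exe handle-access search under "Monitor for Suspicious LSASS Access".
DeviceProcessEvents
| where ProcessCommandLine has_any ("mimikatz", "procdump", "procdump64", "secretsdump")
    or FileName has_any ("mimikatz", "procdump", "procdump64", "secretsdump")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName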
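//Advanced Search
// Purpose: as the basic search, plus the network activity of the tool process itself.
// Fixes vs. the original:
//  - no `extend` that overwrote the native InitiatingProcessFileName (the parent process)
//    with the first token of the tool's command line;
//  - the join keys on the tool's own process identity (ProcessId + ProcessCreationTime on
//    the left, InitiatingProcessId + InitiatingProcessCreationTime on the network side)
//    instead of a device-wide count of every network event;
//  - "procdump64" added and FileName checked, for the same reasons as the basic search.
DeviceProcessEvents
| where ProcessCommandLine has_any ("mimikatz", "procdump", "procdump64", "secretsdump")
    or FileName has_any ("mimikatz", "procdump", "procdump64", "secretsdump")
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
) on DeviceName, $left.ProcessId == $right.InitiatingProcessId, $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName,
          NetworkEventCount = coalesce(NetworkEventCount, long(0))
| order by Timestamp desc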
Purpose: Identify known credential dumping tools.
Monitor LSASS for Suspicious Memory Reads
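//Basic Search
// Purpose: processes that read the memory of lsass.exe.
// Why DeviceEvents: DeviceProcessEvents carries a single ActionType ("ProcessCreated"),
// so `ActionType == "ReadMemory"` never matches. Memory reads are reported in DeviceEvents
// as "ReadProcessMemoryApiCall" (FileName = target, InitiatingProcess* = the reader).
// NOTE(review): this event is sampled rather than emitted for every read — absence is
// weak evidence. Confirm the ActionType value with `DeviceEvents | distinct ActionType`.
DeviceEvents
| where ActionType == "ReadProcessMemoryApiCall"
| where FileName =~ "lsass.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName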
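//Advanced Search
// Purpose: as the basic search, plus network events of the process that read LSASS memory.
// Fixes vs. the original: "ReadMemory" is not an ActionType of DeviceProcessEvents (that
// table only has "ProcessCreated"), the `extend` overwrote the native
// InitiatingProcessFileName column, and the join on DeviceName alone counted every network
// event on the device. The join now keys on the reader's process identity.
// NOTE(review): confirm "ReadProcessMemoryApiCall" with `DeviceEvents | distinct ActionType`.
DeviceEvents
| where ActionType == "ReadProcessMemoryApiCall"
| where FileName =~ "lsass.exe"
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
) on DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName,
          NetworkEventCount = coalesce(NetworkEventCount, long(0))
| order by Timestamp desc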
Purpose: Detect suspicious memory reads from LSASS.
Detect LSASS Process Termination Attempts
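//Basic Search
// Purpose: attempts to kill LSASS (defense evasion / denial of service — Windows reboots
// shortly after lsass.exe dies, so telemetry from the host stops right after a success).
// Why this shape: DeviceProcessEvents has no "TerminateProcess" ActionType (only
// "ProcessCreated"), so the original predicate could never match. What IS recorded is the
// creation of a kill utility with lsass named on its command line.
// Limitation: a kill by PID (`taskkill /PID 624 /F`) carries no "lsass" token.
DeviceProcessEvents
| where ProcessCommandLine has "lsass"          // matches both "lsass" and "lsass.exe"
| where FileName in~ ("taskkill.exe", "pskill.exe", "pskill64.exe")
    or ProcessCommandLine has_any ("taskkill", "pskill", "Stop-Process")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName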
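//Advanced Search
// Purpose: as the basic search, plus network activity of the killing process (pskill and
// taskkill both support a remote host, so a nonzero count hints at lateral use).
// Fixes vs. the original: "TerminateProcess" is not an ActionType of DeviceProcessEvents,
// the `extend` overwrote the native InitiatingProcessFileName, and the join on DeviceName
// alone returned a device-wide count; the join now keys on the kill utility's own process.
DeviceProcessEvents
| where ProcessCommandLine has "lsass"
| where FileName in~ ("taskkill.exe", "pskill.exe", "pskill64.exe")
    or ProcessCommandLine has_any ("taskkill", "pskill", "Stop-Process")
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
) on DeviceName, $left.ProcessId == $right.InitiatingProcessId, $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName,
          NetworkEventCount = coalesce(NetworkEventCount, long(0))
| order by Timestamp desc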
Purpose: Monitor for attempts to terminate LSASS.
Suspicious DLL Injections into LSASS
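//Basic Search
// Purpose: DLLs loaded into lsass.exe from outside the Windows system directories
// (an injected module or a rogue Security Support Provider).
// Why the path filter: lsass.exe legitimately loads dozens of DLLs at boot and on every
// logon; the original listed all of them and the one hostile image drowned in the noise.
// Images under System32 / SysWOW64 / WinSxS are excluded, so a DLL loaded from a user
// profile, temp folder or share stands out.
// Limitations: an attacker with admin rights can drop a DLL into System32 and slip under
// this filter; DeviceImageLoadEvents has no signer column — join SHA1 to
// DeviceFileCertificateInfo if you also want to drop unsigned / non-Microsoft images.
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "lsass.exe"
| where FileName endswith ".dll"
| where not(FolderPath startswith @"C:\Windows\System32\"
         or FolderPath startswith @"C:\Windows\SysWOW64\"
         or FolderPath startswith @"C:\Windows\WinSxS\")
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessAccountName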
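//Advanced Search
// Purpose: as the basic search, plus where that lsass.exe instance has been talking on the network.
// Fixes vs. the original:
//  - `extend InitiatingProcessAccountDomain = split(InitiatingProcessAccountName, "\\")[0]`
//    is unnecessary and wrong: InitiatingProcessAccountName holds the bare user name in
//    this schema, and InitiatingProcessAccountDomain is already a native column;
//  - the join keys on the lsass.exe process identity rather than DeviceName alone.
// Interpretation: LSASS normally talks to domain controllers (Kerberos, LDAP), so the
// count is a baseline, not an indicator — look at the RemoteIPs set for anything that is
// not a DC.
DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "lsass.exe"
| where FileName endswith ".dll"
| where not(FolderPath startswith @"C:\Windows\System32\"
         or FolderPath startswith @"C:\Windows\SysWOW64\"
         or FolderPath startswith @"C:\Windows\WinSxS\")
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count(), RemoteIPs = make_set(RemoteIP, 20)
        by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
) on DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, InitiatingProcessAccountDomain, InitiatingProcessAccountName,
          NetworkEventCount = coalesce(NetworkEventCount, long(0)), RemoteIPs
| order by Timestamp desc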
Purpose: Detect unexpected DLLs loaded into LSASS (injected modules or rogue Security Support Providers).
Unauthorized LSASS Access by Non-System Accounts
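//Basic Search
// Purpose: handle opens on lsass.exe by a process that is NOT running as SYSTEM.
// Fixes vs. the original:
//  (1) DeviceProcessEvents only records process creation, so `FileName == "lsass.exe"`
//      there selected the boot-time start of LSASS, not access to it — handle opens live
//      in DeviceEvents as ActionType "OpenProcessApiCall";
//  (2) `!= "SYSTEM"` is a case-sensitive comparison and the account is reported in
//      lower case ("system"), so the original excluded nothing — `!~` is case-insensitive.
// Expect benign hits (Task Manager, EDR/AV agents under a service account); tune on
// InitiatingProcessFolderPath rather than by widening the account exclusion.
// NOTE(review): confirm "OpenProcessApiCall" with `DeviceEvents | distinct ActionType`.
DeviceEvents
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessAccountName !~ "system"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName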
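//Advanced Search
// Purpose: as the basic search, plus the network activity of the non-SYSTEM process that
// opened lsass.exe.
// Fixes vs. the original: the table and case-sensitivity problems of the basic form, the
// `extend` that overwrote the native InitiatingProcessFileName, and the device-wide join —
// the join now keys on the accessor's process identity.
// NOTE(review): confirm "OpenProcessApiCall" with `DeviceEvents | distinct ActionType`.
DeviceEvents
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessAccountName !~ "system"
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
) on DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
          InitiatingProcessAccountDomain, InitiatingProcessAccountName,
          NetworkEventCount = coalesce(NetworkEventCount, long(0))
| order by Timestamp desc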
Purpose: Identify unauthorized LSASS access by non-system accounts.
Detect Procdump Used Against LSASS
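//Basic Search
// Purpose: ProcDump pointed at LSASS, e.g. `procdump -ma lsass lsass.dmp` or the
// procdump64 / -accepteula variants.
// Fixes vs. the original: `has "procdump"` misses procdump64.exe ("procdump64" is one
// term), and `has "lsass.exe"` misses the common form that names the process as plain
// "lsass" — `has "lsass"` matches both spellings.
// Limitation: a run that targets LSASS by PID (`procdump -ma 624`) carries neither token;
// the handle-access search under "Monitor for Suspicious LSASS Access" covers that case.
DeviceProcessEvents
| where FileName has_any ("procdump", "procdump64")
    or ProcessCommandLine has_any ("procdump", "procdump64")
| where ProcessCommandLine has "lsass"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName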
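//Advanced Search
// Purpose: as the basic search, plus the network activity of the ProcDump process.
// Fixes vs. the original: the procdump64 / "lsass.exe" token misses of the basic form; the
// `extend` that overwrote the native InitiatingProcessFileName; and the join, which matched
// `InitiatingProcessFileName == "procdump.exe"` case-sensitively (missing procdump64 and
// renamed copies) and then counted by DeviceName alone — it now keys on the ProcDump
// process identity, so a renamed binary is still matched.
DeviceProcessEvents
| where FileName has_any ("procdump", "procdump64")
    or ProcessCommandLine has_any ("procdump", "procdump64")
| where ProcessCommandLine has "lsass"
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
) on DeviceName, $left.ProcessId == $right.InitiatingProcessId, $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName,
          NetworkEventCount = coalesce(NetworkEventCount, long(0))
| order by Timestamp desc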
Purpose: Monitor for Procdump usage to dump LSASS.
Monitor for LSASS Process Duplicates
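//Basic Search
// Purpose: an lsass.exe that is not the real one — started from a path other than
// %SystemRoot%\System32, or by a parent other than wininit.exe (masquerading: a second
// "lsass" hiding a dumper, or a decoy that harvests credentials).
// Why this shape: DeviceProcessEvents has no "CreateProcess" ActionType (only
// "ProcessCreated"), so the original predicate returned nothing. The genuine LSASS is
// created once per boot by wininit.exe from <SystemRoot>\System32\lsass.exe; anything
// else carrying that image name deserves a look.
// `!endswith` is case-insensitive and drive-letter agnostic (non-C: system drives).
DeviceProcessEvents
| where FileName =~ "lsass.exe"
| where FolderPath !endswith @"\Windows\System32\lsass.exe"
    or InitiatingProcessFileName !~ "wininit.exe"
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessAccountName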
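//Advanced Search
// Purpose: as the basic search, plus the network activity of the suspect lsass.exe itself
// (a masquerading process that beacons out is a strong signal; the real LSASS is matched
// by neither predicate).
// Fixes vs. the original: "CreateProcess" is not an ActionType of DeviceProcessEvents; the
// `extend` overwrote the native InitiatingProcessFileName (here the parent, which we need
// for the wininit.exe check); and the join on DeviceName alone counted every network event
// on the device — it now keys on the suspect process's own identity.
DeviceProcessEvents
| where FileName =~ "lsass.exe"
| where FolderPath !endswith @"\Windows\System32\lsass.exe"
    or InitiatingProcessFileName !~ "wininit.exe"
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
) on DeviceName, $left.ProcessId == $right.InitiatingProcessId, $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath,
          InitiatingProcessAccountName, NetworkEventCount = coalesce(NetworkEventCount, long(0))
| order by Timestamp desc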
Purpose: Detect an lsass.exe started from an unexpected path or parent — a duplicate or masquerading LSASS process.
Identify LSASS Access Using Handle Duplication
//Basic Search
// NOTE(review): this query cannot fire as written and should be reworked before use.
//  - "DuplicateHandle" is a Win32 API name; it does not appear in any process command
//    line, so the first predicate never matches.
//  - `FileName == "lsass.exe"` on DeviceProcessEvents selects the creation of LSASS
//    itself (once per boot), not a process touching it.
// I am not aware of an Advanced Hunting event that records handle duplication. The
// nearest observable is the original handle open on lsass.exe by the process whose
// handle is later duplicated (DeviceEvents, ActionType "OpenProcessApiCall",
// FileName = target) — see "Monitor for Suspicious LSASS Access" for that shape.
DeviceProcessEvents
| where ProcessCommandLine has "DuplicateHandle" and FileName == "lsass.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
//Advanced Search
// NOTE(review): inherits the dead predicates of the basic search ("DuplicateHandle" never
// appears in a command line; `FileName == "lsass.exe"` on DeviceProcessEvents is LSASS's
// own creation event), so the outer query is empty and the join is never exercised.
// Two further problems to fix when reworking it:
//  - the `extend` below overwrites the native InitiatingProcessFileName column with the
//    first token of ProcessCommandLine;
//  - the join keys on DeviceName only, so NetworkEventCount would be a device-wide count
//    of every network event, not the suspect process's.
DeviceProcessEvents
| where ProcessCommandLine has "DuplicateHandle" and FileName == "lsass.exe"
| extend InitiatingProcessFileName = tostring(split(ProcessCommandLine, " ")[0])
| join kind=leftouter (
DeviceNetworkEvents
| where InitiatingProcessFileName == "lsass.exe"
| summarize NetworkEventCount = count() by DeviceName
) on DeviceName
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName, NetworkEventCount
| order by Timestamp desc
Purpose: Monitor for handle duplication used to access LSASS.
Detect LSASS Credential Dumping via Task Scheduler
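//Basic Search
// Purpose: scheduled tasks created to dump LSASS (runs the dump as SYSTEM and survives a reboot).
// Fixes vs. the original: `has "lsass.exe"` misses task actions that name the process as
// plain "lsass"; "taskschd.msc" is the GUI console and never carries the task action on its
// own command line, so it is replaced by the PowerShell cmdlets that do.
// Limitation: a task whose action is a script (`/tr C:\x\dump.bat`) hides "lsass" inside
// the script; complement this with the child processes of the Schedule service's
// svchost.exe when the task fires.
DeviceProcessEvents
| where ProcessCommandLine has "lsass"          // matches both "lsass" and "lsass.exe"
| where FileName =~ "schtasks.exe"
    or ProcessCommandLine has_any ("schtasks", "Register-ScheduledTask", "New-ScheduledTaskAction")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName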
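//Advanced Search
// Purpose: as the basic search, plus the network activity of the process that created the
// task (`schtasks /S <host>` registers the task on a remote machine over RPC, so a nonzero
// count points at lateral movement).
// Fixes vs. the original: the "lsass.exe" / "taskschd.msc" token problems of the basic
// form; the `extend` that overwrote the native InitiatingProcessFileName; the join on
// DeviceName alone (device-wide count); and the truncated final `project`, which ended
// mid-identifier and made the query unparseable — it is completed here in the same shape
// as the other advanced searches.
DeviceProcessEvents
| where ProcessCommandLine has "lsass"
| where FileName =~ "schtasks.exe"
    or ProcessCommandLine has_any ("schtasks", "Register-ScheduledTask", "New-ScheduledTaskAction")
| join kind=leftouter (
    DeviceNetworkEvents
    | summarize NetworkEventCount = count() by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime
) on DeviceName, $left.ProcessId == $right.InitiatingProcessId, $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName,
          NetworkEventCount = coalesce(NetworkEventCount, long(0))
| order by Timestamp desc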
Purpose: Identify attempts to schedule tasks that dump LSASS credentials.