Alsid LSASS Memory

Back


Id	3acf5617-7c41-4085-9a79-cc3a425ba83a
Rulename	Alsid LSASS Memory
Description	Searches for OS Credentials dumping attacks
Severity	High
Tactics	CredentialAccess
Techniques	T1003.001
Required data connectors	AlsidForAD
Kind	Scheduled
Query frequency	2h
Query period	2h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/LSASSMemory.yaml
Version	1.0.0
Arm template	3acf5617-7c41-4085-9a79-cc3a425ba83a.json

KQL

afad_parser
| where MessageType == 2 and Codename == "OS Credential Dumping: LSASS Memory"

YAML

queryFrequency: 2h
severity: High
triggerThreshold: 0
relevantTechniques:
- T1003.001
query: |
  afad_parser
  | where MessageType == 2 and Codename == "OS Credential Dumping: LSASS Memory"  
id: 3acf5617-7c41-4085-9a79-cc3a425ba83a
triggerOperator: gt
version: 1.0.0
requiredDataConnectors:
- connectorId: AlsidForAD
  dataTypes:
  - AlsidForADLog_CL
description: |
    'Searches for OS Credentials dumping attacks'
queryPeriod: 2h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/LSASSMemory.yaml
status: Available
name: Alsid LSASS Memory
tactics:
- CredentialAccess
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3acf5617-7c41-4085-9a79-cc3a425ba83a')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3acf5617-7c41-4085-9a79-cc3a425ba83a')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Alsid LSASS Memory",
        "description": "'Searches for OS Credentials dumping attacks'\n",
        "severity": "High",
        "enabled": true,
        "query": "afad_parser\n| where MessageType == 2 and Codename == \"OS Credential Dumping: LSASS Memory\"\n",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1003.001"
        ],
        "alertRuleTemplateName": "3acf5617-7c41-4085-9a79-cc3a425ba83a",
        "customDetails": null,
        "entityMappings": null,
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/LSASSMemory.yaml",
        "status": "Available"
      }
    }
  ]
}