Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Dumping LSASS Process Into a File

Dumping LSASS Process Into a File

Back
Ida7b9df32-1367-402d-b385-882daf6e3020
RulenameDumping LSASS Process Into a File
DescriptionAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).

After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.

These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

Ref: https://attack.mitre.org/techniques/T1003/001/
SeverityHigh
TacticsCredentialAccess
TechniquesT1003.001
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/DumpingLSASSProcessIntoaFile.yaml
Version1.0.3
Arm templatea7b9df32-1367-402d-b385-882daf6e3020.json
Deploy To Azure
Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==10
| parse EventData with * 'TargetImage">' TargetImage "<" * 'GrantedAccess">' GrantedAccess "<" * 'CallTrace">' CallTrace "<" * 
| where GrantedAccess =~ "0x1FFFFF" and TargetImage =~ "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
| parse EventData with * 'SourceProcessGUID">' SourceProcessGUID "<" * 'SourceImage">' SourceImage "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')

description: |
  'Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
  After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.
  These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.
  As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
  Ref: https://attack.mitre.org/techniques/T1003/001/'  
kind: Scheduled
tactics:
- CredentialAccess
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/DumpingLSASSProcessIntoaFile.yaml
severity: High
name: Dumping LSASS Process Into a File
triggerThreshold: 0
queryPeriod: 1h
query: |
  Event
  | where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==10
  | parse EventData with * 'TargetImage">' TargetImage "<" * 'GrantedAccess">' GrantedAccess "<" * 'CallTrace">' CallTrace "<" * 
  | where GrantedAccess =~ "0x1FFFFF" and TargetImage =~ "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
  | parse EventData with * 'SourceProcessGUID">' SourceProcessGUID "<" * 'SourceImage">' SourceImage "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace
  | extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')  
relevantTechniques:
- T1003.001
id: a7b9df32-1367-402d-b385-882daf6e3020
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.3
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
- entityType: Process
  fieldMappings:
  - columnName: SourceImage
    identifier: CommandLine