Dumping LSASS Process Into a File

Event
| where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==10
| parse EventData with * 'TargetImage">' TargetImage "<" * 'GrantedAccess">' GrantedAccess "<" * 'CallTrace">' CallTrace "<" * 
| where GrantedAccess == "0x1FFFFF" and TargetImage == "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
| parse EventData with * 'SourceProcessGUID">' SourceProcessGUID "<" * 'SourceImage">' SourceImage "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace

queryFrequency: 1h
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
- entityType: Process
  fieldMappings:
  - columnName: SourceImage
    identifier: CommandLine
severity: High
triggerThreshold: 0
relevantTechniques:
- T1003.001
query: |
  Event
  | where EventLog == "Microsoft-Windows-Sysmon/Operational" and EventID==10
  | parse EventData with * 'TargetImage">' TargetImage "<" * 'GrantedAccess">' GrantedAccess "<" * 'CallTrace">' CallTrace "<" * 
  | where GrantedAccess == "0x1FFFFF" and TargetImage == "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
  | parse EventData with * 'SourceProcessGUID">' SourceProcessGUID "<" * 'SourceImage">' SourceImage "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace  
id: a7b9df32-1367-402d-b385-882daf6e3020
triggerOperator: gt
version: 1.0.0
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
description: |
  'Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). 
  After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. 
  These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
  As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
  Ref: https://attack.mitre.org/techniques/T1003/001/'  
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/DumpingLSASSProcessIntoaFile.yaml
status: Available
name: Dumping LSASS Process Into a File
tactics:
- CredentialAccess
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a7b9df32-1367-402d-b385-882daf6e3020')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a7b9df32-1367-402d-b385-882daf6e3020')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Dumping LSASS Process Into a File",
        "description": "'Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. \nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\nRef: https://attack.mitre.org/techniques/T1003/001/'\n",
        "severity": "High",
        "enabled": true,
        "query": "Event\n| where EventLog == \"Microsoft-Windows-Sysmon/Operational\" and EventID==10\n| parse EventData with * 'TargetImage\">' TargetImage \"<\" * 'GrantedAccess\">' GrantedAccess \"<\" * 'CallTrace\">' CallTrace \"<\" * \n| where GrantedAccess == \"0x1FFFFF\" and TargetImage == \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and CallTrace has_any (\"dbghelp.dll\",\"dbgcore.dll\")\n| parse EventData with * 'SourceProcessGUID\">' SourceProcessGUID \"<\" * 'SourceImage\">' SourceImage \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1003.001"
        ],
        "alertRuleTemplateName": "a7b9df32-1367-402d-b385-882daf6e3020",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "Computer"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "identifier": "CommandLine",
                "columnName": "SourceImage"
              }
            ]
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/DumpingLSASSProcessIntoaFile.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}