Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Dumping LSASS Process Into a File

Dumping LSASS Process Into a File

Back
Ida7b9df32-1367-402d-b385-882daf6e3020
RulenameDumping LSASS Process Into a File
DescriptionAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).

After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.

These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

Ref: https://attack.mitre.org/techniques/T1003/001/
SeverityHigh
TacticsCredentialAccess
TechniquesT1003.001
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/DumpingLSASSProcessIntoaFile.yaml
Version1.0.3
Arm templatea7b9df32-1367-402d-b385-882daf6e3020.json
Deploy To Azure
Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==10
| parse EventData with * 'TargetImage">' TargetImage "<" * 'GrantedAccess">' GrantedAccess "<" * 'CallTrace">' CallTrace "<" * 
| where GrantedAccess =~ "0x1FFFFF" and TargetImage =~ "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
| parse EventData with * 'SourceProcessGUID">' SourceProcessGUID "<" * 'SourceImage">' SourceImage "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')

status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
  Event
  | where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==10
  | parse EventData with * 'TargetImage">' TargetImage "<" * 'GrantedAccess">' GrantedAccess "<" * 'CallTrace">' CallTrace "<" * 
  | where GrantedAccess =~ "0x1FFFFF" and TargetImage =~ "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
  | parse EventData with * 'SourceProcessGUID">' SourceProcessGUID "<" * 'SourceImage">' SourceImage "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace
  | extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/DumpingLSASSProcessIntoaFile.yaml
tactics:
- CredentialAccess
triggerThreshold: 0
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: SourceImage
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
kind: Scheduled
relevantTechniques:
- T1003.001
description: |
  'Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
  After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.
  These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.
  As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
  Ref: https://attack.mitre.org/techniques/T1003/001/'  
name: Dumping LSASS Process Into a File
version: 1.0.3
id: a7b9df32-1367-402d-b385-882daf6e3020
severity: High