Dumping LSASS Process Into a File
Id | a7b9df32-1367-402d-b385-882daf6e3020 |
Rulename | Dumping LSASS Process Into a File |
Description | Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials. As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. Ref: https://attack.mitre.org/techniques/T1003/001/ |
Severity | High |
Tactics | CredentialAccess |
Techniques | T1003.001 |
Required data connectors | SecurityEvents WindowsSecurityEvents |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/DumpingLSASSProcessIntoaFile.yaml |
Version | 1.0.3 |
Arm template | a7b9df32-1367-402d-b385-882daf6e3020.json |
Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==10
| parse EventData with * 'TargetImage">' TargetImage "<" * 'GrantedAccess">' GrantedAccess "<" * 'CallTrace">' CallTrace "<" *
| where GrantedAccess =~ "0x1FFFFF" and TargetImage =~ "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
| parse EventData with * 'SourceProcessGUID">' SourceProcessGUID "<" * 'SourceImage">' SourceImage "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')
query: |
Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==10
| parse EventData with * 'TargetImage">' TargetImage "<" * 'GrantedAccess">' GrantedAccess "<" * 'CallTrace">' CallTrace "<" *
| where GrantedAccess =~ "0x1FFFFF" and TargetImage =~ "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
| parse EventData with * 'SourceProcessGUID">' SourceProcessGUID "<" * 'SourceImage">' SourceImage "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')
relevantTechniques:
- T1003.001
name: Dumping LSASS Process Into a File
severity: High
triggerThreshold: 0
description: |
'Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.
These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
Ref: https://attack.mitre.org/techniques/T1003/001/'
status: Available
triggerOperator: gt
tactics:
- CredentialAccess
entityMappings:
- fieldMappings:
- columnName: Computer
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
entityType: Host
- fieldMappings:
- columnName: SourceImage
identifier: CommandLine
entityType: Process
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
id: a7b9df32-1367-402d-b385-882daf6e3020
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/DumpingLSASSProcessIntoaFile.yaml
queryPeriod: 1h
queryFrequency: 1h
version: 1.0.3
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a7b9df32-1367-402d-b385-882daf6e3020')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a7b9df32-1367-402d-b385-882daf6e3020')]",
"properties": {
"alertRuleTemplateName": "a7b9df32-1367-402d-b385-882daf6e3020",
"customDetails": null,
"description": "'Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.\nThese credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\nRef: https://attack.mitre.org/techniques/T1003/001/'\n",
"displayName": "Dumping LSASS Process Into a File",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Computer",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "SourceImage",
"identifier": "CommandLine"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/DumpingLSASSProcessIntoaFile.yaml",
"query": "Event\n| where EventLog =~ \"Microsoft-Windows-Sysmon/Operational\" and EventID==10\n| parse EventData with * 'TargetImage\">' TargetImage \"<\" * 'GrantedAccess\">' GrantedAccess \"<\" * 'CallTrace\">' CallTrace \"<\" * \n| where GrantedAccess =~ \"0x1FFFFF\" and TargetImage =~ \"C:\\\\Windows\\\\System32\\\\lsass.exe\" and CallTrace has_any (\"dbghelp.dll\",\"dbgcore.dll\")\n| parse EventData with * 'SourceProcessGUID\">' SourceProcessGUID \"<\" * 'SourceImage\">' SourceImage \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\n| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1003.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1003"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}