Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Dumping LSASS Process Into a File

Dumping LSASS Process Into a File

Back
Ida7b9df32-1367-402d-b385-882daf6e3020
RulenameDumping LSASS Process Into a File
DescriptionAdversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).

After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.

These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

Ref: https://attack.mitre.org/techniques/T1003/001/
SeverityHigh
TacticsCredentialAccess
TechniquesT1003.001
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/DumpingLSASSProcessIntoaFile.yaml
Version1.0.3
Arm templatea7b9df32-1367-402d-b385-882daf6e3020.json
Deploy To Azure
Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==10
| parse EventData with * 'TargetImage">' TargetImage "<" * 'GrantedAccess">' GrantedAccess "<" * 'CallTrace">' CallTrace "<" * 
| where GrantedAccess =~ "0x1FFFFF" and TargetImage =~ "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
| parse EventData with * 'SourceProcessGUID">' SourceProcessGUID "<" * 'SourceImage">' SourceImage "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace
| extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')

tactics:
- CredentialAccess
id: a7b9df32-1367-402d-b385-882daf6e3020
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/DumpingLSASSProcessIntoaFile.yaml
status: Available
description: |
  'Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
  After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.
  These credential materials can be harvested by an administrative user or system and used to conduct lateral movement using alternate authentication materials.
  As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
  Ref: https://attack.mitre.org/techniques/T1003/001/'  
version: 1.0.3
severity: High
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
- fieldMappings:
  - identifier: CommandLine
    columnName: SourceImage
  entityType: Process
kind: Scheduled
name: Dumping LSASS Process Into a File
query: |
  Event
  | where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID==10
  | parse EventData with * 'TargetImage">' TargetImage "<" * 'GrantedAccess">' GrantedAccess "<" * 'CallTrace">' CallTrace "<" * 
  | where GrantedAccess =~ "0x1FFFFF" and TargetImage =~ "C:\\Windows\\System32\\lsass.exe" and CallTrace has_any ("dbghelp.dll","dbgcore.dll")
  | parse EventData with * 'SourceProcessGUID">' SourceProcessGUID "<" * 'SourceImage">' SourceImage "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace
  | extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')  
queryPeriod: 1h
queryFrequency: 1h
triggerOperator: gt
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
relevantTechniques:
- T1003.001