Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. LSASS Credential Dumping with Procdump

LSASS Credential Dumping with Procdump

Back
Idc332b840-61e4-462e-a201-0e2d69bad45d
RulenameLSASS Credential Dumping with Procdump
DescriptionThis query was originally published in the threat analytics report, “Exchange Server zero-days exploited in the wild”.

In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:

1. CVE-2021-26855

2. CVE-2021-26857

3. CVE-2021-26858

4. CVE-2021-27065

The following query looks for evidence of Procdump being used to dump credentials from LSASS, the Local Security Authentication Server. This might indicate an attacker has compromised user accounts.

More queries related to this threat can be found under the See also section of this page.

Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
SeverityHigh
TacticsCredentialAccess
TechniquesT1003
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/LSASSCredDumpProcdump.yaml
Version1.0.0
Arm templatec332b840-61e4-462e-a201-0e2d69bad45d.json
Deploy To Azure
DeviceProcessEvents 
| where (FileName has_any ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass") or 
// Looking for Accepteula flag or Write a dump file with all process memory
(ProcessCommandLine has "lsass.exe" and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma"))
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")

relevantTechniques:
- T1003
name: LSASS Credential Dumping with Procdump
requiredDataConnectors:
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
triggerThreshold: 0
id: c332b840-61e4-462e-a201-0e2d69bad45d
tactics:
- CredentialAccess
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/LSASSCredDumpProcdump.yaml
queryPeriod: 1h
kind: Scheduled
tags:
- Exchange Server
- Zero-day
- Procdump
- Credential Dumping
- LSASS
queryFrequency: 1h
severity: High
status: Available
description: |
  This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
  In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
  1. CVE-2021-26855
  2. CVE-2021-26857
  3. CVE-2021-26858
  4. CVE-2021-27065
  The following query looks for evidence of Procdump being used to dump credentials from LSASS, the Local Security Authentication Server. This might indicate an attacker has compromised user accounts.
  More queries related to this threat can be found under the See also section of this page.
  Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/  
query: |
  DeviceProcessEvents 
  | where (FileName has_any ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass") or 
  // Looking for Accepteula flag or Write a dump file with all process memory
  (ProcessCommandLine has "lsass.exe" and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma"))
  | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
  | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c332b840-61e4-462e-a201-0e2d69bad45d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c332b840-61e4-462e-a201-0e2d69bad45d')]",
      "properties": {
        "alertRuleTemplateName": "c332b840-61e4-462e-a201-0e2d69bad45d",
        "customDetails": null,
        "description": "This query was originally published in the threat analytics report, \"Exchange Server zero-days exploited in the wild\".\nIn early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:\n1. CVE-2021-26855\n2. CVE-2021-26857\n3. CVE-2021-26858\n4. CVE-2021-27065\nThe following query looks for evidence of Procdump being used to dump credentials from LSASS, the Local Security Authentication Server. This might indicate an attacker has compromised user accounts.\nMore queries related to this threat can be found under the See also section of this page.\nReference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\n",
        "displayName": "LSASS Credential Dumping with Procdump",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/LSASSCredDumpProcdump.yaml",
        "query": "DeviceProcessEvents \n| where (FileName has_any (\"procdump.exe\", \"procdump64.exe\") and ProcessCommandLine has \"lsass\") or \n// Looking for Accepteula flag or Write a dump file with all process memory\n(ProcessCommandLine has \"lsass.exe\" and (ProcessCommandLine has \"-accepteula\" or ProcessCommandLine contains \"-ma\"))\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "tags": [
          "Exchange Server",
          "Zero-day",
          "Procdump",
          "Credential Dumping",
          "LSASS"
        ],
        "techniques": [
          "T1003"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}