LSASS Credential Dumping with Procdump
Id | c332b840-61e4-462e-a201-0e2d69bad45d |
Rulename | LSASS Credential Dumping with Procdump |
Description | This query was originally published in the threat analytics report, “Exchange Server zero-days exploited in the wild”. In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links: 1. CVE-2021-26855 2. CVE-2021-26857 3. CVE-2021-26858 4. CVE-2021-27065 The following query looks for evidence of Procdump being used to dump credentials from LSASS, the Local Security Authentication Server. This might indicate an attacker has compromised user accounts. More queries related to this threat can be found under the See also section of this page. Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ |
Severity | High |
Tactics | CredentialAccess |
Techniques | T1003 |
Required data connectors | MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/LSASSCredDumpProcdump.yaml |
Version | 1.0.0 |
Arm template | c332b840-61e4-462e-a201-0e2d69bad45d.json |
DeviceProcessEvents
| where (FileName has_any ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass") or
// Looking for Accepteula flag or Write a dump file with all process memory
(ProcessCommandLine has "lsass.exe" and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma"))
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
id: c332b840-61e4-462e-a201-0e2d69bad45d
queryFrequency: 1h
tags:
- Exchange Server
- Zero-day
- Procdump
- Credential Dumping
- LSASS
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/LSASSCredDumpProcdump.yaml
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
query: |
DeviceProcessEvents
| where (FileName has_any ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass") or
// Looking for Accepteula flag or Write a dump file with all process memory
(ProcessCommandLine has "lsass.exe" and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma"))
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
name: LSASS Credential Dumping with Procdump
status: Available
kind: Scheduled
description: |
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
1. CVE-2021-26855
2. CVE-2021-26857
3. CVE-2021-26858
4. CVE-2021-27065
The following query looks for evidence of Procdump being used to dump credentials from LSASS, the Local Security Authentication Server. This might indicate an attacker has compromised user accounts.
More queries related to this threat can be found under the See also section of this page.
Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
severity: High
triggerOperator: gt
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
triggerThreshold: 0
queryPeriod: 1h
tactics:
- CredentialAccess
relevantTechniques:
- T1003
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c332b840-61e4-462e-a201-0e2d69bad45d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c332b840-61e4-462e-a201-0e2d69bad45d')]",
"properties": {
"alertRuleTemplateName": "c332b840-61e4-462e-a201-0e2d69bad45d",
"customDetails": null,
"description": "This query was originally published in the threat analytics report, \"Exchange Server zero-days exploited in the wild\".\nIn early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:\n1. CVE-2021-26855\n2. CVE-2021-26857\n3. CVE-2021-26858\n4. CVE-2021-27065\nThe following query looks for evidence of Procdump being used to dump credentials from LSASS, the Local Security Authentication Server. This might indicate an attacker has compromised user accounts.\nMore queries related to this threat can be found under the See also section of this page.\nReference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\n",
"displayName": "LSASS Credential Dumping with Procdump",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Credential Access/LSASSCredDumpProcdump.yaml",
"query": "DeviceProcessEvents \n| where (FileName has_any (\"procdump.exe\", \"procdump64.exe\") and ProcessCommandLine has \"lsass\") or \n// Looking for Accepteula flag or Write a dump file with all process memory\n(ProcessCommandLine has \"lsass.exe\" and (ProcessCommandLine has \"-accepteula\" or ProcessCommandLine contains \"-ma\"))\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"tags": [
"Exchange Server",
"Zero-day",
"Procdump",
"Credential Dumping",
"LSASS"
],
"techniques": [
"T1003"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}