Adversaries read the memory of the Local Security Authority Subsystem Service (lsass.exe) to harvest password hashes, Kerberos tickets and, on older or misconfigured hosts, plaintext passwords, which they then reuse for lateral movement. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) to catch credential theft early and limit lateral movement. The query below deliberately does not key on tool names: it correlates any process that opens a handle to lsass.exe (the OpenProcessApiCall action that Microsoft Defender for Endpoint records in DeviceEvents) with a file that the same process instance creates within one minute, which is the pattern shared by procdump, the comsvcs.dll MiniDump export, Task Manager dumps and custom or renamed tooling.
KQL Query
let lookuptime = 30d;
DeviceEvents
| where Timestamp > ago(lookuptime)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
// InitiatingProcessCreationTime is a datetime, so it is left as-is (tolower() on it is a type error); only the string columns are case-folded
| project ApiCallTimestamp = Timestamp, InitiatingProcessFileName = tolower(InitiatingProcessFileName), InitiatingProcessCommandLine = tolower(InitiatingProcessCommandLine), InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessParentFileName = tolower(InitiatingProcessParentFileName)
// kind=inner keeps every (open, file created) pair; the default innerunique would collapse repeated opens by the same process instance to one row
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookuptime)
    | where ActionType == "FileCreated"
    | project FileEventTimestamp = Timestamp, InitiatingProcessFileName = tolower(InitiatingProcessFileName), InitiatingProcessCommandLine = tolower(InitiatingProcessCommandLine), InitiatingProcessId, InitiatingProcessCreationTime, FileActionType = ActionType, FilePath = FolderPath, ModifiedFileName = FileName
) on InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime
// the creation time in the join key pins the match to one process instance; PIDs are reused over a 30-day window
| where FileEventTimestamp between (ApiCallTimestamp .. (ApiCallTimestamp + 1m))
| project ApiCallTimestamp, FileEventTimestamp, FilePath, FileActionType, ModifiedFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessParentFileName
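The correlation the query performs can be reasoned about offline. The Python below is an added example, not code from the original page or its author: it re-implements the same join key and one-minute window over constructed DeviceEvents and DeviceFileEvents rows, so the effect of each part of the key (why the creation time is needed, why a file written before the open or outside the window does not match) can be seen on sample data. The executable names, PIDs, paths and timestamps are made up for illustration.

```python
"""
Added example: the LSASS hunt's DeviceEvents/DeviceFileEvents correlation
re-implemented in Python over constructed sample rows (not real telemetry).
"""
from datetime import datetime, timedelta


def _ts(value):
    """Parse an ISO-8601 UTC string like the Timestamp column."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _join_key(row):
    """Same join key as the KQL: case-folded name and command line, PID and
    process creation time. The creation time pins the key to one process
    instance; PIDs are reused, and without it a stale PID could pair an
    lsass open with a different process's file write."""
    return (
        row["InitiatingProcessFileName"].lower(),
        row["InitiatingProcessCommandLine"].lower(),
        row["InitiatingProcessId"],
        row["InitiatingProcessCreationTime"],
    )


def lsass_dump_hunt(device_events, device_file_events, window_minutes=1):
    """One result per (lsass.exe handle open, file created by the same process
    instance within window_minutes after the open). Emits every pair, like
    join kind=inner; the KQL default innerunique would keep one per key."""
    window = timedelta(minutes=window_minutes)
    opens = [e for e in device_events
             if e["ActionType"] == "OpenProcessApiCall" and e["FileName"].lower() == "lsass.exe"]
    created = {}
    for f in device_file_events:
        if f["ActionType"] == "FileCreated":
            created.setdefault(_join_key(f), []).append(f)
    hits = []
    for o in opens:
        t_open = _ts(o["Timestamp"])
        for f in created.get(_join_key(o), []):
            t_file = _ts(f["Timestamp"])
            if t_open <= t_file <= t_open + window:
                hits.append({
                    "ApiCallTimestamp": o["Timestamp"],
                    "FileEventTimestamp": f["Timestamp"],
                    "FilePath": f["FolderPath"],
                    "ModifiedFileName": f["FileName"],
                    "InitiatingProcessFileName": o["InitiatingProcessFileName"],
                    "InitiatingProcessCommandLine": o["InitiatingProcessCommandLine"],
                    "InitiatingProcessId": o["InitiatingProcessId"],
                    "InitiatingProcessParentFileName": o["InitiatingProcessParentFileName"],
                })
    return hits


# --- constructed sample telemetry; every value below is an assumption --------
def _proc(name, cmdline, pid, created, parent):
    return {"InitiatingProcessFileName": name, "InitiatingProcessCommandLine": cmdline,
            "InitiatingProcessId": pid, "InitiatingProcessCreationTime": created,
            "InitiatingProcessParentFileName": parent}

def _open_lsass(proc, ts):  # DeviceEvents row: FileName is the target process
    return {**proc, "Timestamp": ts, "ActionType": "OpenProcessApiCall", "FileName": "lsass.exe"}

def _file_created(proc, ts, folder, name):  # DeviceFileEvents row
    return {**proc, "Timestamp": ts, "ActionType": "FileCreated", "FolderPath": folder, "FileName": name}

COMSVCS_CMD = "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 700 C:\\Temp\\out.dmp full"
PROCDUMP = _proc("procdump64.exe", "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\lsass.dmp",
                 4242, "2024-05-01T09:59:58Z", "cmd.exe")
COMSVCS = _proc("rundll32.exe", COMSVCS_CMD, 5150, "2024-05-01T10:20:00Z", "powershell.exe")
COMSVCS_REUSED_PID = _proc("rundll32.exe", COMSVCS_CMD, 5150, "2024-05-01T10:20:30Z", "powershell.exe")
DEFENDER = _proc("MsMpEng.exe", "msmpeng.exe", 3000, "2024-05-01T08:00:00Z", "services.exe")
BACKUP = _proc("backupscript.exe", "backupscript.exe --nightly", 6100, "2024-05-01T10:39:59Z", "svchost.exe")

DEVICE_EVENTS = [
    _open_lsass(PROCDUMP, "2024-05-01T10:00:00Z"),
    _open_lsass(DEFENDER, "2024-05-01T10:05:00Z"),   # AV touching lsass, no file follows
    _open_lsass(COMSVCS, "2024-05-01T10:20:01Z"),
    _open_lsass(BACKUP, "2024-05-01T10:40:00Z"),
]
DEVICE_FILE_EVENTS = [
    _file_created(PROCDUMP, "2024-05-01T09:59:59Z", "C:\\Temp", "procdump.log"),           # before the open: no match
    _file_created(PROCDUMP, "2024-05-01T10:00:03Z", "C:\\Temp", "lsass.dmp"),              # match
    _file_created(COMSVCS, "2024-05-01T10:20:05Z", "C:\\Temp", "out.dmp"),                 # match
    _file_created(COMSVCS_REUSED_PID, "2024-05-01T10:20:40Z", "C:\\Temp", "other.dmp"),    # same PID, later instance: no match
    _file_created(BACKUP, "2024-05-01T10:47:00Z", "D:\\Backup", "creds.bak"),              # 7 minutes later: outside 1m window
]

if __name__ == "__main__":
    for hit in lsass_dump_hunt(DEVICE_EVENTS, DEVICE_FILE_EVENTS):
        print(hit["ApiCallTimestamp"], hit["InitiatingProcessFileName"], hit["FilePath"], hit["ModifiedFileName"])
```

With the default one-minute window only the procdump and comsvcs rows survive; widening `window_minutes` to 10 also pulls in the backup job's later write, which is the trade-off to weigh before changing `+ 1m` in the query. The Defender open with no following file never matches, which is what keeps AV and EDR handle opens out of the results without naming them.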
id: a50138af-4bad-4615-9e55-ced36a836806
name: lsass-credential-dumping
description: |
  This query looks for signs of credential dumping based on process activity instead of targeting process names.
  Author: Jouni Mikkola
  More info: https://threathunt.blog/lsass-credential-dumping/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
      - DeviceFileEvents
tactics:
  - CredentialAccess
relevantTechniques:
  - T1003.001
query: |
  let lookuptime = 30d;
  DeviceEvents
  | where Timestamp > ago(lookuptime)
  | where ActionType == "OpenProcessApiCall"
  | where FileName =~ "lsass.exe"
  | project ApiCallTimestamp = Timestamp, InitiatingProcessFileName = tolower(InitiatingProcessFileName), InitiatingProcessCommandLine = tolower(InitiatingProcessCommandLine), InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessParentFileName = tolower(InitiatingProcessParentFileName)
  | join kind=inner (
      DeviceFileEvents
      | where Timestamp > ago(lookuptime)
      | where ActionType == "FileCreated"
      | project FileEventTimestamp = Timestamp, InitiatingProcessFileName = tolower(InitiatingProcessFileName), InitiatingProcessCommandLine = tolower(InitiatingProcessCommandLine), InitiatingProcessId, InitiatingProcessCreationTime, FileActionType = ActionType, FilePath = FolderPath, ModifiedFileName = FileName
  ) on InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime
  | where FileEventTimestamp between (ApiCallTimestamp .. (ApiCallTimestamp + 1m))
  | project ApiCallTimestamp, FileEventTimestamp, FilePath, FileActionType, ModifiedFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessParentFileName
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure the Microsoft Defender XDR connector (connectorId MicrosoftThreatProtection) is enabled and streaming this table |
| DeviceFileEvents | Ensure the same connector is enabled and streaming this table |
Scenario: Scheduled Credential Backup Job
Description: A scheduled task runs a script that reads LSASS memory to back up credentials for audit or compliance purposes. Confirm that such a job really exists and is documented before excluding it; a legitimate copy of domain credentials is rare and is itself a high-value target.
Filter/Exclusion: after the join, `| where InitiatingProcessFileName !in ("backupscript.exe", "credbackup.exe")`, substituting the executable names documented in your environment (the two names here are placeholders). Do not exclude on the parent process alone: scheduled tasks are started by the Task Scheduler service inside svchost.exe, and scheduling a task is a routine attacker execution and persistence technique, so a parent-based exclusion would whitelist anything an attacker schedules.
Scenario: Admin Performing Credential Export for Troubleshooting
Description: An administrator runs a tool such as mimikatz to read credentials from LSASS while troubleshooting a service or application that fails to authenticate.
Filter/Exclusion: none recommended. Do not exclude `mimikatz.exe`, `cmd.exe` or privileged accounts such as domain admins: an attacker operating with a compromised administrator account produces identical telemetry, and a renamed binary defeats a name-based exclusion anyway. Treat each hit as a true positive and close it against a change record only after confirming with the administrator out of band.
Scenario: LSASS Dump via PowerShell for Forensic Analysis
Description: A security analyst uses PowerShell (powershell.exe or pwsh.exe) to dump LSASS memory for forensic analysis during an incident response engagement.
Filter/Exclusion: do not exclude by process name, since PowerShell is just as common in attacker tooling. If an exclusion is needed, add InitiatingProcessAccountName to both project lists and the final projection, then `| where InitiatingProcessAccountName !in ("security_analyst")` with the analyst's role documented and the exclusion time-boxed to the engagement.
Scenario: Credential Synchronization via Active Directory Tools
Description: Directory replication checks with repadmin.exe and directory edits with the adsiedit.msc snap-in (which runs inside mmc.exe, so there is no adsiedit.exe process) talk to the directory service over RPC and LDAP. On a domain controller that service runs inside lsass.exe, but these tools do not normally open a handle to lsass.exe and read its memory, so check whether they appear in your results at all before writing an exclusion.
Filter/Exclusion: `| where InitiatingProcessFileName !in ("repadmin.exe")` only if confirmed benign in your own data. Do not exclude on `InitiatingProcessParentFileName in ("explorer.exe", "services.exe")`: explorer.exe is the parent of every interactively launched program and services.exe of every Windows service, so that exclusion would suppress most real dumps.
Scenario: Automated Credential Rotation via Management Tools
Description: Azure AD Connect (now Microsoft Entra Connect) password hash synchronization retrieves password hashes from a domain controller over the directory replication protocol (MS-DRSR) rather than by reading lsass.exe memory on the Connect server, and it synchronizes hashes rather than rotating credentials. It is therefore not expected to trigger this query; if the sync service does show up in results, investigate rather than exclude it.
Filter/Exclusion: `process.name in (“AzureADConnect.exe”, ”