The procdump-lsass-credentials rule detects adversaries potentially exfiltrating credentials by dumping the LSASS process memory, which is a common technique used to extract sensitive information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate credential theft attempts early in the attack lifecycle.
KQL Query
DeviceProcessEvents | where (FileName has_any ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass") or
// Looking for Accepteula flag or Write a dump file with all process memory
(ProcessCommandLine has "lsass.exe" and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma"))
id: 0b985ed8-aacd-41ba-9b17-489be9224159
name: procdump-lsass-credentials
description: |
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
1. CVE-2021-26855
2. CVE-2021-26857
3. CVE-2021-26858
4. CVE-2021-27065
The following query looks for evidence of Procdump being used to dump credentials from LSASS, the Local Security Authentication Server. This might indicate an attacker has compromised user accounts.
More queries related to this threat can be found under the See also section of this page.
Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Credential Access
query: |
DeviceProcessEvents | where (FileName has_any ("procdump.exe", "procdump64.exe") and ProcessCommandLine has "lsass") or
// Looking for Accepteula flag or Write a dump file with all process memory
(ProcessCommandLine has "lsass.exe" and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma"))
| Sentinel Table | Notes |
|---|---|
DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using Procdump to dump memory from the lsass.exe process as part of a legitimate credential extraction task for security analysis.
Filter/Exclusion: Exclude processes where the parent process is a known security tool (e.g., ProcDump.exe or Mimikatz.exe) or where the user is a member of the Administrators group and the task is documented in a ticketing system.
Scenario: A scheduled job runs PowerShell scripts that use Invoke-Mimikatz or similar tools to extract credentials for audit purposes.
Filter/Exclusion: Exclude events where the process is initiated by a scheduled task with a known name (e.g., CredentialAuditJob) and the user has elevated privileges.
Scenario: A Windows Update or Group Policy deployment triggers a temporary elevation of privileges, leading to a legitimate dump of lsass.exe for system integrity checks.
Filter/Exclusion: Exclude processes initiated by system services (e.g., svchost.exe, wuauserv.exe) or during known update windows.
Scenario: A security tool such as Cobalt Strike or Mimikatz is used by the internal security team to simulate credential theft during a red team exercise.
Filter/Exclusion: Exclude processes running under a security team user account or where the process name matches known red team tools (e.g., mimikatz.exe, cobaltstrike.exe).
Scenario: A third-party application (e.g., Microsoft Endpoint Detection and Response (EDR)) performs a memory dump of lsass.exe as part of its monitoring or forensic capabilities.
Filter/Exclusion: Exclude processes where the parent process is a known EDR or security monitoring tool (e.g