
LSASS Credential Dumping with Procdump

Source: upstream

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild". In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:

1. CVE-2021-26855
2. CVE-2021-26857
3. CVE-2021-26858
4. CVE-2021-27065

The following query looks for evidence of Procdump being used to dump credentials from LSASS, the Local Security Authentication Server. This might indicate an attacker has compromised user accounts. More queries related to this threat can be found under the See also section of this page.

Reference: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/

MITRE ATT&CK coverage

Tactic               Techniques
Credential Access    T1003 OS Credential Dumping

Event coverage

Provider                        Event ID    Title
Sysmon                          1           Process creation
Security-Auditing               4688        A new process has been created.
Defender-DeviceProcessEvents    9001000     Process activity (any)

Stages and Predicates

Stage 1: source

DeviceProcessEvents

Stage 2: where

or
  and
    or
      ProcessCommandLine contains "-ma"
      ProcessCommandLine match "-accepteula"
    ProcessCommandLine match "lsass.exe"
  and
    FileName match ["procdump.exe", "procdump64.exe"]
    ProcessCommandLine match "lsass"
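The predicate tree above, re-implemented as an added example so the two branches can be run over sample process-creation rows. This is not the upstream query or Microsoft's code: it assumes the catalog's "match" operator behaves like KQL `has` (whole-term, case-insensitive, with non-alphanumeric characters as term separators, so "lsass.exe" is the two terms "lsass" and "exe") and that "contains" is a case-insensitive substring test. The events are constructed, not real telemetry.

```python
import re
from typing import Dict, List

# Binary names from the FileName predicate of the rule.
PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe"}


def _terms(text: str) -> List[str]:
    """Split text into lowercase alphanumeric terms the way KQL `has` tokenises
    ("lsass.exe" -> ["lsass", "exe"], "-accepteula" -> ["accepteula"])."""
    return [t for t in re.split(r"[^0-9a-z]+", text.lower()) if t]


def has_term(text: str, needle: str) -> bool:
    """Assumed semantics of the catalog's `match`, modelled on KQL `has`:
    the terms of `needle` must occur as a contiguous run of whole terms in `text`."""
    hay, want = _terms(text), _terms(needle)
    if not want or len(want) > len(hay):
        return False
    return any(hay[i:i + len(want)] == want for i in range(len(hay) - len(want) + 1))


def contains_ci(text: str, needle: str) -> bool:
    """The catalog's `contains`: case-insensitive substring, as in KQL."""
    return needle.lower() in text.lower()


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate the Stage 2 predicate tree against one DeviceProcessEvents row."""
    file_name = event.get("FileName", "")
    cmd = event.get("ProcessCommandLine", "")

    # Branch 1: procdump-style arguments (-ma full dump or -accepteula) together
    # with lsass.exe on the command line, whatever the binary is called.
    procdump_args = contains_ci(cmd, "-ma") or has_term(cmd, "-accepteula")
    branch_args = procdump_args and has_term(cmd, "lsass.exe")

    # Branch 2: a binary actually named procdump with "lsass" anywhere on the
    # command line (this also covers a PID-targeted dump whose output file names lsass).
    branch_binary = file_name.lower() in PROCDUMP_NAMES and has_term(cmd, "lsass")

    return branch_args or branch_binary


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the rows the rule would surface."""
    return [e for e in events if matches_rule(e)]


# Constructed sample rows (field names follow DeviceProcessEvents).
SAMPLE_EVENTS = [
    {"DeviceName": "ex01", "FileName": "procdump64.exe",
     "ProcessCommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"},
    # Renamed copy of procdump: branch 1 still fires on the arguments.
    {"DeviceName": "ex01", "FileName": "pd.exe",
     "ProcessCommandLine": r"pd.exe -ma lsass.exe C:\Temp\out.dmp"},
    # PID-targeted dump: only the output file name still mentions lsass (branch 2).
    {"DeviceName": "ex02", "FileName": "procdump.exe",
     "ProcessCommandLine": r"procdump.exe -ma 624 C:\dumps\lsass.dmp"},
    # Benign: a developer dumping a crashing application.
    {"DeviceName": "dev03", "FileName": "procdump.exe",
     "ProcessCommandLine": r"procdump.exe -ma 4312 C:\dumps\app.dmp"},
    # Benign: LSASS itself starting at boot.
    {"DeviceName": "ex02", "FileName": "lsass.exe",
     "ProcessCommandLine": r"C:\Windows\system32\lsass.exe"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit['DeviceName']}: {hit['ProcessCommandLine']}")
```

The first three rows are surfaced and the two benign rows are not. Note that the `contains "-ma"` predicate is a plain substring test, so any command line with "-ma" inside a path or option name satisfies that leaf; it is the conjunction with `lsass.exe` that keeps branch 1 specific.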

Stage 3: extend

Stage 4: extend

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 means that the indicator is specific to this rule.

Field | Kind | Values
FileName | match
  • procdump.exe
  • procdump64.exe
ProcessCommandLine | contains
  • -ma
ProcessCommandLine | match
  • -accepteula
  • lsass (corpus 4, sigma 4)
  • lsass.exe