Query Details

Rule : Detection of LSASS Credential Theft Audited

Asr Lsass Credential Theft Audited Query

Query

DeviceEvents
| where ActionType == "AsrLsassCredentialTheftAudited" and Timestamp > ago(30d)
//| project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName
| summarize Devicecount=dcount(DeviceName), RuleHits=count() by FileName, InitiatingProcessFileName 
| where Devicecount < 3
| sort by Devicecount desc

About this query

Explanation

Summary of the Query

Purpose: The query is designed to detect and audit attempts to steal credentials from the Local Security Authority Subsystem Service (LSASS) process. This is important because LSASS handles critical security functions, and malicious actors often target it to extract credentials and escalate privileges.

Detection Logic:

  1. Monitor Events:

    • Look for events in DeviceEvents where the ActionType is "AsrLsassCredentialTheftAudited".
    • Consider only events that occurred within the last 30 days.
  2. Summarize Data:

    • Count the number of unique devices (Devicecount) and the total number of rule hits (RuleHits).
    • Group the results by the FileName (the process attempting to access LSASS) and InitiatingProcessFileName (the parent process).
  3. Filter Results:

    • Only include events where the count of unique devices (Devicecount) is less than 3. This helps to focus on rare instances which might indicate a targeted attack.
  4. Sort Results:

    • Sort the summarized data by the count of unique devices in descending order to prioritize the most significant events.

Tags:

  • Credential Theft
  • LSASS
  • Malware
  • Advanced Security Rules (ASR)
  • Suspicious Activity

Notes:

  • The rule can generate a lot of noise, meaning it might produce many alerts that need to be reviewed.

Search Query:

DeviceEvents
| where ActionType == "AsrLsassCredentialTheftAudited" and Timestamp > ago(30d)
| summarize Devicecount=dcount(DeviceName), RuleHits=count() by FileName, InitiatingProcessFileName 
| where Devicecount < 3
| sort by Devicecount desc

Key Points:

  • This query helps in early detection of potential credential theft activities by monitoring and summarizing suspicious interactions with the LSASS process.
  • It focuses on rare events to reduce false positives and highlight potential targeted attacks.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 17, 2024

Tables

DeviceEvents

Keywords

DevicesSecurityCredentialTheftMalwareSuspiciousActivity

Operators

==>ago()summarizedcount()count()bywheresort by

Actions

GitHub