Query Details

Asr Lsass Credential Theft Audited Query

Query

# Rule : Detection of LSASS Credential Theft Audited

## Description
This detection rule identifies audited events where attempts to steal credentials from the Local Security Authority Subsystem Service (LSASS) process are detected. LSASS is a critical process that handles security policy and user authentication. Malicious actors often target LSASS to extract credentials and escalate privileges. This rule focuses on rare instances, that is, process pairs seen on only a few devices: tooling that touches LSASS across many devices is more likely to be legitimate software, while access from a process seen on one or two devices may indicate a targeted attack.

This rule helps detect and audit suspicious processes interacting with LSASS, providing an early warning for potential credential theft activities.

- [Detect and Block Credential Dumps with Defender for Endpoint](https://jeffreyappel.nl/detect-and-block-credential-dumps-with-defender-for-endpoint-attack-surface-reduction/)

## Detection Logic
- Monitors `DeviceEvents` for events where:
  - The `ActionType` is "AsrLsassCredentialTheftAudited".
  - The `Timestamp` is within the last 30 days.
- Summarizes the count of unique devices and rule hits by the `FileName` and `InitiatingProcessFileName`.
- Filters for events where the count of unique devices is less than 3.
- Sorts the results by the count of unique devices in descending order.

## Tags
- Credential Theft
- LSASS
- Malware
- Attack Surface Reduction (ASR)
- Suspicious Activity

## Search Query
```kql
DeviceEvents
| where ActionType == "AsrLsassCredentialTheftAudited" and Timestamp > ago(30d)
//| project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName
| summarize Devicecount=dcount(DeviceName), RuleHits=count() by FileName, InitiatingProcessFileName 
| where Devicecount < 3
| sort by Devicecount desc
```
## Notes
This is a very noisy rule: in audit mode the ASR rule records every process that reads LSASS memory, including legitimate security and management software, so expect many rows before the prevalence filter (`Devicecount < 3`) is applied.
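As an added example, not part of the original rule or the linked post, the following hunting query keeps the same prevalence idea but covers both the audit and the block action types, excludes an assumed allow-list of known tooling (the placeholder names are assumptions to be replaced per environment), and returns paths, sample devices and first/last seen times so a rare pair can be triaged without a second query. The column names are standard `DeviceEvents` columns; the thresholds and the allow-list are assumptions.

```kql
// Added tuning example (not part of the original rule). Assumes the standard
// DeviceEvents schema; the allow-list entries below are placeholders.
let lookback = 30d;
let rare_threshold = 3;                       // same prevalence cut-off as the rule
let known_tools = dynamic(["example-agent.exe"]);  // placeholder: fill with vetted tooling per tenant
DeviceEvents
| where Timestamp > ago(lookback)
// audit and block events for the LSASS ASR rule share the same column layout
| where ActionType in ("AsrLsassCredentialTheftAudited", "AsrLsassCredentialTheftBlocked")
// drop parents already vetted in this environment (case-insensitive match)
| where InitiatingProcessFileName !in~ (known_tools)
| summarize
    DeviceCount   = dcount(DeviceName),
    RuleHits      = count(),
    FirstSeen     = min(Timestamp),
    LastSeen      = max(Timestamp),
    Modes         = make_set(ActionType),                 // Audited, Blocked or both
    SampleDevices = make_set(DeviceName, 5),
    Paths         = make_set(FolderPath, 5),
    ParentPaths   = make_set(InitiatingProcessFolderPath, 5)
    by FileName, InitiatingProcessFileName
| where DeviceCount < rare_threshold
// rarest pairs first; within the same prevalence, the busiest pair first
| sort by DeviceCount asc, RuleHits desc
```

Sorting ascending puts the pairs seen on a single device at the top, which is where a targeted tool is most likely to appear; the `Paths` and `ParentPaths` sets make it quick to spot a binary running from a user-writable location, and `Modes` shows whether the same pair has already been blocked elsewhere.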

Explanation

Summary of the Query

Purpose: The query is designed to detect and audit attempts to steal credentials from the Local Security Authority Subsystem Service (LSASS) process. This is important because LSASS handles critical security functions, and malicious actors often target it to extract credentials and escalate privileges.

Detection Logic:

  1. Monitor Events:

    • Look for events in DeviceEvents where the ActionType is "AsrLsassCredentialTheftAudited".
    • Consider only events that occurred within the last 30 days.
  2. Summarize Data:

    • Count the number of unique devices (Devicecount) and the total number of rule hits (RuleHits).
    • Group the results by the FileName (the process attempting to access LSASS) and InitiatingProcessFileName (the parent process).
  3. Filter Results:

    • Only include events where the count of unique devices (Devicecount) is less than 3. This helps to focus on rare instances which might indicate a targeted attack.
  4. Sort Results:

    • Sort the summarized data by the count of unique devices in descending order; after the filter this places pairs seen on two devices before those seen on only one.

Tags:

  • Credential Theft
  • LSASS
  • Malware
  • Attack Surface Reduction (ASR)
  • Suspicious Activity

Notes:

  • The rule can generate a lot of noise, meaning it might produce many alerts that need to be reviewed.

Search Query:

DeviceEvents
| where ActionType == "AsrLsassCredentialTheftAudited" and Timestamp > ago(30d)
| summarize Devicecount=dcount(DeviceName), RuleHits=count() by FileName, InitiatingProcessFileName 
| where Devicecount < 3
| sort by Devicecount desc

Key Points:

  • This query helps in early detection of potential credential theft activities by monitoring and summarizing suspicious interactions with the LSASS process.
  • It focuses on rare events to reduce false positives and highlight potential targeted attacks.

Details


Ali Hussein

Released: July 17, 2024

Tables

DeviceEvents

Keywords

Devices, Security, Credential Theft, Malware, Suspicious Activity

Operators

==, >, ago(), summarize, dcount(), count(), by, where, sort by
