Rule : Detection of LSASS Credential Theft Audited
Asr Lsass Credential Theft Audited Query
Query
DeviceEvents
| where ActionType == "AsrLsassCredentialTheftAudited" and Timestamp > ago(30d)
//| project BlockedProcess=FileName, ParentProcess=InitiatingProcessFileName, DeviceName
| summarize Devicecount=dcount(DeviceName), RuleHits=count() by FileName, InitiatingProcessFileName
| where Devicecount < 3
| sort by Devicecount descAbout this query
Explanation
Summary of the Query
Purpose: The query is designed to detect and audit attempts to steal credentials from the Local Security Authority Subsystem Service (LSASS) process. This is important because LSASS handles critical security functions, and malicious actors often target it to extract credentials and escalate privileges.
Detection Logic:
-
Monitor Events:
- Look for events in
DeviceEventswhere theActionTypeis "AsrLsassCredentialTheftAudited". - Consider only events that occurred within the last 30 days.
- Look for events in
-
Summarize Data:
- Count the number of unique devices (
Devicecount) and the total number of rule hits (RuleHits). - Group the results by the
FileName(the process attempting to access LSASS) andInitiatingProcessFileName(the parent process).
- Count the number of unique devices (
-
Filter Results:
- Only include events where the count of unique devices (
Devicecount) is less than 3. This helps to focus on rare instances which might indicate a targeted attack.
- Only include events where the count of unique devices (
-
Sort Results:
- Sort the summarized data by the count of unique devices in descending order to prioritize the most significant events.
Tags:
- Credential Theft
- LSASS
- Malware
- Advanced Security Rules (ASR)
- Suspicious Activity
Notes:
- The rule can generate a lot of noise, meaning it might produce many alerts that need to be reviewed.
Search Query:
DeviceEvents
| where ActionType == "AsrLsassCredentialTheftAudited" and Timestamp > ago(30d)
| summarize Devicecount=dcount(DeviceName), RuleHits=count() by FileName, InitiatingProcessFileName
| where Devicecount < 3
| sort by Devicecount desc
Key Points:
- This query helps in early detection of potential credential theft activities by monitoring and summarizing suspicious interactions with the LSASS process.
- It focuses on rare events to reduce false positives and highlight potential targeted attacks.
Details

Ali Hussein
Released: July 17, 2024
Tables
DeviceEvents
Keywords
DevicesSecurityCredentialTheftMalwareSuspiciousActivity
Operators
==>ago()summarizedcount()count()bywheresort by