Query Details

Device New Hash Accessing LSASS

Query

//Detect when a process with a hash not previously seen in your environment accesses lsass.exe via an open process API call

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
//Baseline: every initiating-process hash that opened lsass.exe between 30 days and 1 day ago
let knownhashes=
    DeviceEvents
    | where TimeGenerated > ago(30d) and TimeGenerated < ago (1d)
    | where ActionType == "OpenProcessApiCall"
    | where FileName == "lsass.exe"
    | distinct InitiatingProcessSHA256;
//Last day: lsass.exe opens whose initiating-process hash is absent from the baseline
DeviceEvents
| where TimeGenerated > ago (1d)
| where ActionType == "OpenProcessApiCall"
| where FileName == "lsass.exe"
| where InitiatingProcessSHA256 !in (knownhashes)
//AdditionalFields is a dynamic column in Sentinel, so the requested access mask can be read directly
| extend DesiredAccess = tostring(AdditionalFields.DesiredAccess)
| distinct
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    DesiredAccess

//Detect when a process with a hash not previously seen in your environment accesses lsass.exe via an open process API call

//Data connector required for this query - Advanced Hunting license

//Advanced Hunting query
//Baseline: every initiating-process hash that opened lsass.exe between 30 days and 1 day ago
let knownhashes=
    DeviceEvents
    | where Timestamp > ago(30d) and Timestamp < ago (1d)
    | where ActionType == "OpenProcessApiCall"
    | where FileName == "lsass.exe"
    | distinct InitiatingProcessSHA256;
//Last day: lsass.exe opens whose initiating-process hash is absent from the baseline
DeviceEvents
| where Timestamp > ago (1d)
| where ActionType == "OpenProcessApiCall"
| where FileName == "lsass.exe"
| where InitiatingProcessSHA256 !in (knownhashes)
//AdditionalFields is a JSON string column in Advanced Hunting; it is returned whole here
//(parse_json(AdditionalFields).DesiredAccess would pull out the access mask)
| distinct DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessCommandLine,
    AdditionalFields

Explanation

The query looks for processes whose SHA-256 hash has not previously been seen opening lsass.exe and that now open a handle to the lsass.exe process (ActionType OpenProcessApiCall in DeviceEvents). The knownhashes subquery builds a baseline of every InitiatingProcessSHA256 that opened lsass.exe between 30 days and 1 day ago. The main query takes the last day's lsass.exe open-process events and keeps only those whose initiating-process hash is not in that baseline. The results list the device, the initiating process account name, its command line, and the access requested: the Sentinel version extracts DesiredAccess from the dynamic AdditionalFields column, while the Advanced Hunting version returns AdditionalFields whole because it is a JSON string in that schema. Two caveats when triaging the output: a legitimate tool whose hash changed with an update, or one last used more than 30 days ago, will also surface as new, and a binary the attacker first ran more than a day ago is already part of the baseline. Note also that == on FileName is case-sensitive in KQL; use =~ if your data contains mixed-case file names.
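The baseline-versus-window comparison both queries perform, replayed in Python over a handful of constructed DeviceEvents-style records, with a decoder for the DesiredAccess mask so an analyst can see which process rights the caller asked for. This is an added example, not code from the original page or from the query's author; the field names follow the DeviceEvents schema, but the device names, hashes, command lines and access values are made up for the demo, and the assumption that AdditionalFields carries DesiredAccess as a number is labelled in the code.

```python
"""Added example (not from the original page): replay the query's logic over
constructed DeviceEvents-style rows and decode the DesiredAccess mask."""
import json
from datetime import datetime, timedelta, timezone

# Process access rights from winnt.h. Credential-dumping tools usually ask
# for PROCESS_VM_READ plus one of the QUERY rights, or for PROCESS_ALL_ACCESS.
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF


def decode_desired_access(mask):
    """Name the rights set in a DesiredAccess value (int or numeric string)."""
    mask = int(mask)
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]


def _is_lsass_open(event):
    # Same case-sensitive match as the query's FileName == "lsass.exe".
    return event["ActionType"] == "OpenProcessApiCall" and event["FileName"] == "lsass.exe"


def _additional_fields(event):
    # Advanced Hunting exposes AdditionalFields as a JSON string, Sentinel as a
    # dynamic value; accept either. DesiredAccess as a number is an assumption.
    fields = event.get("AdditionalFields") or {}
    return json.loads(fields) if isinstance(fields, str) else fields


def new_lsass_access(events, now, baseline_days=30, window_days=1):
    """Distinct last-day lsass.exe opens by hashes absent from the 30d-to-1d baseline."""
    baseline_start = now - timedelta(days=baseline_days)
    window_start = now - timedelta(days=window_days)
    # let knownhashes = ... | distinct InitiatingProcessSHA256
    known_hashes = {e["InitiatingProcessSHA256"] for e in events
                    if _is_lsass_open(e) and baseline_start < e["Timestamp"] < window_start}
    hits, seen = [], set()
    for e in events:
        if not _is_lsass_open(e) or e["Timestamp"] <= window_start:
            continue
        if e["InitiatingProcessSHA256"] in known_hashes:  # !in (knownhashes)
            continue
        access = int(_additional_fields(e).get("DesiredAccess", 0))
        key = (e["DeviceName"], e["InitiatingProcessAccountName"],
               e["InitiatingProcessCommandLine"], access)
        if key in seen:  # the query's trailing "distinct"
            continue
        seen.add(key)
        hits.append({"DeviceName": e["DeviceName"],
                     "InitiatingProcessAccountName": e["InitiatingProcessAccountName"],
                     "InitiatingProcessCommandLine": e["InitiatingProcessCommandLine"],
                     "InitiatingProcessSHA256": e["InitiatingProcessSHA256"],
                     "DesiredAccess": hex(access),
                     "Rights": decode_desired_access(access)})
    return hits


# Constructed sample data (not real telemetry).
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)
AGENT_HASH = "a" * 64   # a legitimate agent that opens lsass.exe every day
NEW_HASH = "b" * 64     # a binary never seen opening lsass.exe before today
STALE_HASH = "c" * 64   # last seen 45 days ago, i.e. outside the baseline


def _event(age, sha256, cmdline, access, device="ws01", account="jdoe", filename="lsass.exe"):
    return {"Timestamp": NOW - age, "ActionType": "OpenProcessApiCall", "FileName": filename,
            "DeviceName": device, "InitiatingProcessAccountName": account,
            "InitiatingProcessCommandLine": cmdline, "InitiatingProcessSHA256": sha256,
            "AdditionalFields": json.dumps({"DesiredAccess": access})}


SAMPLE_EVENTS = [
    _event(timedelta(days=10), AGENT_HASH, "AgentSvc.exe", 0x1000, account="system"),
    _event(timedelta(hours=2), AGENT_HASH, "AgentSvc.exe", 0x1000, account="system"),  # in baseline: suppressed
    _event(timedelta(hours=3), NEW_HASH, "procdump64.exe -accepteula -ma lsass.exe lsass.dmp", 0x1410),
    _event(timedelta(hours=3), NEW_HASH, "procdump64.exe -accepteula -ma lsass.exe lsass.dmp", 0x1410),  # duplicate row
    _event(timedelta(hours=1), NEW_HASH, "procdump64.exe -ma svchost.exe s.dmp", 0x1410, filename="svchost.exe"),  # not lsass
    _event(timedelta(days=45), STALE_HASH, "taskmgr.exe", 0x1FFFFF),
    _event(timedelta(minutes=30), STALE_HASH, "taskmgr.exe", 0x1FFFFF, device="ws02"),  # aged out, resurfaces as "new"
]

if __name__ == "__main__":
    for hit in new_lsass_access(SAMPLE_EVENTS, NOW):
        print(hit)
```

Running it returns two rows: the procdump invocation (hash never in the baseline, requesting 0x1410 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION) and the taskmgr.exe row, which illustrates the baseline-aging caveat: a hash last seen 45 days ago falls outside the 30-day window and is reported as new when it reappears. The agent hash seen two hours ago is suppressed, and the duplicate procdump row collapses under distinct.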

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DesiredAccess

Operators

let, where, distinct, extend, !in, ago, tostring