Query Details

HUNT 22 AD LSASS Access Attempts 30d

Query

// =========================================================
// HUNT-22 | AD-LSASS-Access-Attempts-30d
// Description : Hunts for process-level and handle-level
//               access to lsass.exe using SecurityEvent
//               (4656 sensitive handle request, 4663 object
//               access on process objects) and DeviceEvents
//               (MDE LSASS access telemetry). Surfaces
//               non-standard processes accessing LSASS that
//               are indicative of Mimikatz, LSASS memory
//               dumping, or in-memory injection attacks.
// Period      : 30 days
// Use Case    : Credential dumping detection, Mimikatz
//               derivative hunting, LSASS injection
// Tables      : SecurityEvent, DeviceEvents (MDE if available)
// =========================================================

let Period = 30d;

// Known legitimate LSASS accessors (reduce noise)
let LegitLSASSAccessors = dynamic([
    "\\windows\\system32\\svchost.exe",
    "\\windows\\system32\\taskmgr.exe",
    "\\windows\\system32\\wininit.exe",
    "\\windows\\system32\\csrss.exe",
    "\\windows\\system32\\ntoskrnl.exe",
    "\\windows\\system32\\services.exe",
    "\\windows\\system32\\smss.exe",
    "\\windows\\system32\\lsm.exe",
    "\\windows\\system32\\winlogon.exe",
    "\\windows\\system32\\logonui.exe",
    "\\windows\\system32\\dwm.exe",
    "\\windows\\system32\\msiexec.exe",
    "\\windows\\system32\\spoolsv.exe",
    "\\windows\\system32\\msdtc.exe",
    "\\windows\\ccm\\ccmexec.exe",
    "\\program files\\microsoft monitoring agent"
]);

// SecurityEvent: Sensitive handle to LSASS (4656) and object access (4663)
let LSASSHandles = SecurityEvent
    | where TimeGenerated > ago(Period)
    | where EventID in (4656, 4663)
    | where ObjectType == "Process"
    | where ObjectName has "lsass"
    | where not(ProcessName has_any (LegitLSASSAccessors))
    | extend
        AccessingProcess = tolower(ProcessName),
        Actor            = strcat(SubjectDomainName, "\\", SubjectUserName),
        AccessTypes      = AccessMask,
        EventSource      = "SecurityEvent_Handle";

// DeviceEvents: MDE LSASS access (if MDE is deployed)
// The allowlist entries are full paths, so match them against folder + file name
// rather than the folder alone; the typed placeholder keeps the later project
// valid when the DeviceEvents table does not exist in the workspace.
let LSASSEventsMDE = union isfuzzy=true (DeviceEvents
    | where TimeGenerated > ago(Period)
    | where ActionType in ("LsassProcessAccess", "CreateRemoteThread",
                            "NtAllocateVirtualMemory", "QueueUserAPC")
    | where FileName =~ "lsass.exe" or InitiatingProcessFileName =~ "lsass.exe"
    | extend InitiatingProcessFullPath = tolower(strcat(InitiatingProcessFolderPath, "\\", InitiatingProcessFileName))
    | where not(InitiatingProcessFullPath has_any (LegitLSASSAccessors))
    | extend
        AccessingProcess = tolower(InitiatingProcessFileName),
        Actor            = InitiatingProcessAccountName,
        AccessTypes      = ActionType,
        Computer         = DeviceName,
        EventSource      = "MDE_DeviceEvent"),
    (print TimeGenerated = datetime(null), AccessingProcess = "", Actor = "",
           AccessTypes = "", Computer = "", EventSource = ""
     | where 1 == 0);

// Combine both sources
LSASSHandles
| project TimeGenerated, AccessingProcess, Actor, AccessTypes, Computer, EventSource
| union (LSASSEventsMDE
    | project TimeGenerated, AccessingProcess, Actor, AccessTypes, Computer, EventSource)
| summarize
    TotalAccessEvents  = count(),
    AccessMethods      = make_set(AccessTypes, 10),
    AccessingProcesses = make_set(AccessingProcess, 10),
    Actors             = make_set(Actor, 10),
    EventSources       = make_set(EventSource, 3),
    FirstAccess        = min(TimeGenerated),
    LastAccess         = max(TimeGenerated)
  by Computer
| extend
    HasMDECorroboration = EventSources has "MDE_DeviceEvent",
    KnownDumpTool = AccessingProcesses has_any (
        "procdump", "sqldumper", "rundll32",
        "powershell", "cmd", "wmic",
        "task manager", "procmon", "comsvcs"
    )
| extend
    RiskScore = (TotalAccessEvents * 10)
              + iff(HasMDECorroboration, 30, 0)
              + iff(KnownDumpTool, 40, 0),
    RiskLevel = case(
        HasMDECorroboration and KnownDumpTool, "Critical - LSASS_Dump_Confirmed",
        KnownDumpTool,                         "High - Known_Dump_Tool_Accessed_LSASS",
        HasMDECorroboration,                   "High - MDE_LSASS_Access_Alerted",
        TotalAccessEvents >= 3,                "Medium - Repeated_LSASS_Handle_Access",
        "Medium - Single_LSASS_Handle_Access"
    )
| project
    Computer,
    RiskLevel,
    RiskScore,
    HasMDECorroboration,
    KnownDumpTool,
    TotalAccessEvents,
    AccessingProcesses,
    Actors,
    AccessMethods,
    EventSources,
    FirstAccess,
    LastAccess
| order by RiskScore desc

Explanation

This query is designed to detect suspicious access attempts to the lsass.exe process on Windows systems over the past 30 days. The lsass.exe process is critical for handling security and authentication, and unauthorized access to it can indicate malicious activities such as credential dumping or memory injection attacks.

Here's a simplified breakdown of what the query does:

  1. Define Known Legitimate Accessors: It lists processes that are known to legitimately access lsass.exe to reduce false positives.

  2. Check Security Events: It examines security events (specifically event IDs 4656 and 4663) to identify processes attempting to access lsass.exe that are not in the list of legitimate accessors.

  3. Check Device Events: If Microsoft Defender for Endpoint (MDE) is available, it checks for telemetry data indicating access to lsass.exe using specific actions like CreateRemoteThread or NtAllocateVirtualMemory.

  4. Combine Data: It combines data from both security events and device events to get a comprehensive view of access attempts.

  5. Summarize Findings: The query summarizes the data by computer, counting the total number of access events, listing the methods and processes involved, and identifying the actors (users) responsible.

  6. Risk Assessment: It calculates a risk score based on the number of access events, whether corroboration from MDE is present, and if known dumping tools were used. It assigns a risk level ranging from "Medium" to "Critical" based on these factors.

  7. Output: The results are ordered by risk score, showing the computer name, risk level, risk score, and other relevant details about the access attempts.

Overall, this query helps security analysts identify and prioritize potential security threats related to unauthorized access to lsass.exe.
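As an added example (not part of the shared query), the allowlist filter and the per-computer scoring stage of this hunt are reproduced in Python over a few constructed events, so the RiskScore and RiskLevel logic can be checked offline. The accessor and dump-tool lists are shortened copies of the query's own, and kql_has mirrors KQL's whole-term "has" semantics, which decides which process names the KnownDumpTool list actually catches.

```python
import re
from collections import defaultdict

# Constructed sample rows (not real telemetry), shaped like the columns the KQL
# projects before the union: (time, process, actor, access type, host, source).
SAMPLE_EVENTS = [
    ("2026-03-01T08:00:00", r"c:\windows\system32\svchost.exe", r"NT AUTHORITY\SYSTEM", "0x1010", "WS01", "SecurityEvent_Handle"),
    ("2026-03-01T09:15:00", r"c:\tools\procdump64.exe", r"CORP\jdoe", "0x1410", "WS02", "SecurityEvent_Handle"),
    ("2026-03-01T09:15:02", "procdump64.exe", "jdoe", "LsassProcessAccess", "WS02", "MDE_DeviceEvent"),
    ("2026-03-02T11:00:00", r"c:\windows\system32\rundll32.exe", r"CORP\asmith", "0x1fffff", "WS03", "SecurityEvent_Handle"),
    ("2026-03-03T10:00:00", r"c:\program files\vendor\agent.exe", r"CORP\svc_mon", "0x1000", "WS04", "SecurityEvent_Handle"),
]
# Shortened copies of the query's LegitLSASSAccessors and KnownDumpTool lists.
LEGIT_ACCESSORS = [r"\windows\system32\svchost.exe", r"\windows\system32\taskmgr.exe",
                   r"\program files\microsoft monitoring agent"]
DUMP_TOOLS = ["procdump", "sqldumper", "rundll32", "powershell", "cmd", "wmic",
              "task manager", "procmon", "comsvcs"]

def terms(s):
    # KQL tokenises a string into terms: maximal runs of alphanumeric characters.
    return re.findall(r"[a-z0-9]+", s.lower())

def kql_has(text, phrase):
    # Mirror KQL 'has'/'has_any': the phrase must appear as whole terms, so
    # "rundll32" matches "rundll32.exe" but "procdump" does not match
    # "procdump64.exe". Multi-term phrases are modelled as a consecutive run.
    t, p = terms(text), terms(phrase)
    return any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))

def score_hosts(events):
    per_host = defaultdict(list)
    for ev in events:
        if not any(kql_has(ev[1], a) for a in LEGIT_ACCESSORS):  # drop allowlisted accessors
            per_host[ev[4]].append(ev)
    results = {}
    for host, evs in per_host.items():
        procs = sorted({e[1].lower() for e in evs})
        mde = any(e[5] == "MDE_DeviceEvent" for e in evs)              # HasMDECorroboration
        tool = any(kql_has(p, d) for p in procs for d in DUMP_TOOLS)  # KnownDumpTool
        total = len(evs)
        score = total * 10 + (30 if mde else 0) + (40 if tool else 0)
        level = ("Critical - LSASS_Dump_Confirmed" if mde and tool else
                 "High - Known_Dump_Tool_Accessed_LSASS" if tool else
                 "High - MDE_LSASS_Access_Alerted" if mde else
                 "Medium - Repeated_LSASS_Handle_Access" if total >= 3 else
                 "Medium - Single_LSASS_Handle_Access")
        results[host] = {"score": score, "level": level, "total": total,
                         "processes": procs, "actors": sorted({e[2] for e in evs})}
    return results
```

Running it shows that WS02's procdump64.exe is not flagged as a KnownDumpTool under whole-term matching, a tuning point to keep in mind when extending the dump-tool list.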

Details

David Alonso

Released: March 24, 2026

Tables

SecurityEvent, DeviceEvents

Keywords

SecurityEvent, DeviceEvents, ProcessName, InitiatingProcessFileName, InitiatingProcessFolderPath, SubjectDomainName, SubjectUserName, DeviceName, Computer, AccessingProcess, Actor, AccessTypes, EventSource, TimeGenerated, EventID, ObjectType, ObjectName, ActionType, FileName, InitiatingProcessAccountName, AccessMask

Operators

let, dynamic, in, has, has_any, tolower, strcat, ago, extend, union, isfuzzy, =~, print, where, project, summarize, count, make_set, min, max, iff, case, order by, desc