KQL Search

Query Details

HomeAI ToolsDevice Query

RULE 11 AD LSASS Credential Dump

Query

// =========================================================
// RULE-11 | AD-LSASS-Credential-Dump
// Description : LSASS credential dump detection — Event 4688
//               (Process Creation) CommandLine patterns that
//               indicate known LSASS dump tools or techniques:
//               - Mimikatz sekurlsa::logonpasswords
//               - ProcDump targeting lsass.exe
//               - comsvcs.dll MiniDump (living-off-the-land)
//               - TaskManager /dump (GUI dump)
//               - SafetyKatz, PPLdump, nanodump, lsassy
//               Cross-correlates with DeviceProcessEvents
//               (MDE/Defender for Endpoint) for higher
//               fidelity when available.
// Severity    : Critical (any match)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1003.001 — LSASS Memory
// Tables      : SecurityEvent, DeviceProcessEvents (optional)
// =========================================================

let LookBack = 15m;

// LSASS dump command line patterns
let LSASSPatterns = dynamic([
    "sekurlsa::", "logonpasswords", "lsadump::",
    "procdump", "lsass.exe",
    "comsvcs", "MiniDump",
    "Out-Minidump", "Invoke-Mimikatz",
    "SafetyKatz", "ppldump", "nano",
    "lsass.dmp", "lsass.zip",
    "rundll32.*comsvcs",
    "taskmgr.*lsass"
]);

// SecurityEvent-based detection (requires CommandLine logging)
let SE_LSASSDump = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4688
    | where isnotempty(CommandLine)
    | where CommandLine has_any (LSASSPatterns)
    | extend
        Source      = "SecurityEvent_4688",
        Actor       = SubjectUserName,
        ActorDomain = SubjectDomainName,
        Process     = NewProcessName,
        CmdLine     = CommandLine,
        Host        = Computer;

// DeviceProcessEvents from MDE (richer detail)
let MDE_LSASSDump = DeviceProcessEvents
    | where TimeGenerated > ago(LookBack)
    | where ProcessCommandLine has_any (LSASSPatterns)
        or FileName in~ ("procdump.exe", "procdump64.exe", "nanodump.exe",
                          "ppldump.exe", "safetykatz.exe", "mimikatz.exe",
                          "lsassy.exe", "pypykatz.exe")
    | extend
        Source      = "MDE_DeviceProcessEvents",
        Actor       = InitiatingProcessAccountName,
        ActorDomain = InitiatingProcessAccountDomain,
        Process     = FileName,
        CmdLine     = ProcessCommandLine,
        Host        = DeviceName;

union SE_LSASSDump, MDE_LSASSDump
| extend
    TargetLSASS = CmdLine has "lsass",
    Technique   = case(
        CmdLine has "sekurlsa::",        "Mimikatz_sekurlsa",
        CmdLine has "comsvcs",           "comsvcs_MiniDump_LOTL",
        CmdLine has "procdump",          "ProcDump_LSASS",
        CmdLine has "Out-Minidump",      "PowerSploit_Out-Minidump",
        CmdLine has "lsadump::",         "Mimikatz_lsadump",
        CmdLine has "ppldump",           "PPLdump_PPL_Bypass",
        CmdLine has "nanodump",          "NanoDump",
        "Generic_LSASS_Access"
    )
| extend
    Severity = "Critical",
    WhySuspicious = strcat(
        "LSASS_Dump_Pattern: ", Technique, "; ",
        "Actor: ", Actor, "; ",
        "CmdLine: ", CmdLine
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    Actor,
    ActorDomain,
    Process,
    Technique,
    CmdLine,
    Host,
    Source
| order by TimeGenerated desc

Explanation

This query is designed to detect potential security threats related to the dumping of credentials from the LSASS (Local Security Authority Subsystem Service) process on Windows systems. Here's a simplified breakdown of what the query does:

  1. Purpose: The query aims to identify suspicious activities that may indicate an attempt to dump credentials from the LSASS process, which is a common technique used by attackers to extract sensitive information like passwords.

  2. Detection Patterns: It looks for specific command-line patterns and tools known to be associated with LSASS credential dumping, such as Mimikatz, ProcDump, and other similar tools.

  3. Data Sources: The query examines two main data sources:

    • SecurityEvent: Specifically, Windows Event ID 4688, which logs process creation events. It checks for command lines that match known LSASS dump patterns.
    • DeviceProcessEvents: From Microsoft Defender for Endpoint (MDE), which provides richer details about process activities. It checks for both command-line patterns and specific file names of known dumping tools.

  4. Time Frame: The query runs every 15 minutes, looking back over the past 15 minutes to catch recent activities.

  5. Severity: Any match found by the query is considered critical, indicating a high likelihood of malicious activity.

  6. Output: The results include details such as the time of the event, the severity, why the activity is suspicious, the actor (user) involved, the command line used, the host (computer) where it occurred, and the source of the data.

  7. Technique Identification: It categorizes the detected technique based on the command line used, such as "Mimikatz_sekurlsa" or "ProcDump_LSASS", providing more context on the nature of the threat.

  8. Sorting: The results are ordered by the time the events were generated, with the most recent events shown first.

Overall, this query is a security monitoring tool used to detect and alert on potential credential dumping activities targeting the LSASS process, which is a critical security concern in protecting sensitive information on Windows systems.

Details

David Alonso profile picture

David Alonso

Released: March 24, 2026

Tables

SecurityEventDeviceProcessEvents

Keywords

SecurityEventDeviceProcessEventsLSASSMimikatzProcDumpMiniDumpTaskManagerSafetyKatzPPLdumpNanodumpLSASSYMITRE

Operators

letdynamicagowhereisnotemptyhas_anyextendin~unionhascasestrcatprojectorder by

Actions