What Changed

Added three advanced hunting queries that detect LSASS credential dumping by focusing on behavioral “physics” rather than fragile timing heuristics or static tool signatures.

Detection Logic

HighVolumeLsassMemoryRead: Detects processes extracting >40MB from LSASS memory via ReadProcessMemory API. Uses cryptographic whitelisting and defeats handle hijacking evasions by tracking physical bytes copied at kernel level.

SuspiciousLsassAccessRequest: Flags non-SYSTEM accounts requesting privileged access masks (PROCESS_VM_READ, PROCESS_ALL_ACCESS) against LSASS. Catches dumping intent even if memory read fails or is delayed to evade correlation rules.

LsassAccessFromUnbackedMemory: Leverages Sysmon Event ID 10 CallTrace analysis to detect LSASS access from unbacked memory regions (process hollowing/shellcode injection). Legitimate tools use file-backed DLLs; attackers use in-memory execution.
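As an added example that is not part of this PR's queries, the following Python script applies the two access-side checks described above (SuspiciousLsassAccessRequest and LsassAccessFromUnbackedMemory) to constructed Sysmon Event ID 10 records; the SourceUser field, the sample paths and the sample CallTrace values are assumptions.

```python
"""Triage constructed Sysmon Event ID 10 (ProcessAccess) records targeting lsass.exe."""

# Process access rights from winnt.h (the two masks the PR description calls out).
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF  # Vista+ value; 0x1F0FFF in older SDKs

LSASS = r"C:\Windows\System32\lsass.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"

# Constructed sample events; field names follow Sysmon's ProcessAccess schema
# (SourceUser is assumed present, as in Sysmon 13+ builds).
SAMPLE_EVENTS = [
    {  # benign: SYSTEM agent whose whole call stack is file-backed
        "SourceImage": r"C:\Program Files\Vendor\agent.exe", "SourceUser": SYSTEM,
        "TargetImage": LSASS, "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5a4|C:\Windows\System32\KERNELBASE.dll+2a9ef|C:\Program Files\Vendor\agent.exe+1a2b3",
    },
    {  # suspicious: SYSTEM, but one frame lives in memory no image backs
        "SourceImage": r"C:\Windows\System32\svchost.exe", "SourceUser": SYSTEM,
        "TargetImage": LSASS, "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5a4|C:\Windows\System32\KERNELBASE.dll+2a9ef|UNKNOWN(000001E4C2A30000)",
    },
    {  # suspicious: non-SYSTEM user requesting PROCESS_ALL_ACCESS on lsass
        "SourceImage": r"C:\Users\alice\Downloads\notes.exe", "SourceUser": r"CORP\alice",
        "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d5a4|C:\Users\alice\Downloads\notes.exe+4f10",
    },
]


def requests_memory_read(granted_access: str) -> bool:
    """True if the mask contains PROCESS_VM_READ or is a full PROCESS_ALL_ACCESS."""
    mask = int(granted_access, 16)
    return bool(mask & PROCESS_VM_READ) or (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS


def has_unbacked_frame(call_trace: str) -> bool:
    """Sysmon renders a stack frame with no backing image as UNKNOWN(<address>)."""
    return any(frame.startswith("UNKNOWN") for frame in call_trace.split("|"))


def triage(event: dict) -> list:
    """Return the names of the two access-side detections the event trips (empty if clean)."""
    hits = []
    if event["TargetImage"].lower() != LSASS.lower():
        return hits
    if event["SourceUser"].upper() != SYSTEM and requests_memory_read(event["GrantedAccess"]):
        hits.append("SuspiciousLsassAccessRequest")
    if has_unbacked_frame(event["CallTrace"]):
        hits.append("LsassAccessFromUnbackedMemory")
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["SourceImage"], "->", triage(ev) or ["clean"])
```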

MITRE Mapping

  • T1003.001 (OS Credential Dumping: LSASS Memory) — All three queries target this technique across different attack vectors

These queries address critical gaps where existing detections fail against modern evasion techniques including privilege escalation, handle hijacking, and binary renaming.

Affected Files

Hunting Queries/Microsoft 365 Defender/Credential Access/HighVolumeLsassMemoryRead.yaml
Hunting Queries/Microsoft 365 Defender/Credential Access/SuspiciousLsassAccessRequest.yaml
Hunting Queries/WindowsEvent/LsassAccessFromUnbackedMemory.yaml