Credential Access (TA0006)
ES|QL query:

```esql
from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _version, _index
| where event.category == "api" and host.os.family == "windows" and
  process.Ext.api.name in ("OpenProcess", "OpenThread", "ReadProcessMemory") and
  Target.process.name == "lsass.exe" and
  process.executable is not null and
  // Noisy patterns
  not to_lower(process.executable) like """c:\\program files\\*.exe""" and
  not to_lower(process.executable) like """c:\\program files (x86)\\*.exe""" and
  not process.executable like """C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe""" and
  not process.executable like """C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe"""
/* normalize process paths to reduce known random patterns in process.executable */
| eval Esql.process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
// Group by process path
| stats Esql.access_count = count(*),
        Esql.count_distinct_hosts = count_distinct(host.id),
        Esql.host_id_values = VALUES(host.id),
        Esql.process_pid_values = VALUES(process.entity_id),
        Esql.data_stream_namespace.values = VALUES(data_stream.namespace),
        Esql.user_name_values = VALUES(user.name)
  by Esql.process_path
// Limit to rare instances
| where Esql.count_distinct_hosts == 1 and Esql.access_count <= 3
| keep Esql.*
```
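As an added illustration that is not part of the Elastic rule or its documentation, the Python below replays the query's stages (event filter, noisy-path exclusions, path normalization with the same regex, aggregation by normalized path, single-host/low-count filter) over a few constructed events, so you can see which LSASS accesses survive each stage before tuning or deploying the rule. Field names follow the query; the sample executables, host ids and user names are made up.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Same regex as the rule's eval step: GUIDs, NSIS/DirectX/7-Zip temp names and runs of
# digits/dots/dashes/underscores are stripped so per-install random paths collapse together.
RANDOM_PATTERN = re.compile(
    r"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
    r"|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})")
API_NAMES = {"OpenProcess", "OpenThread", "ReadProcessMemory"}
# The rule's LIKE exclusions; ES|QL '*' and fnmatch '*' both match any run of characters.
NOISY_CI = [r"c:\program files\*.exe", r"c:\program files (x86)\*.exe"]
NOISY_CS = [r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
            r"C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe"]

def is_noisy(exe):
    return (any(fnmatchcase(exe.lower(), p) for p in NOISY_CI)
            or any(fnmatchcase(exe, p) for p in NOISY_CS))

def normalize_path(exe):
    return RANDOM_PATTERN.sub("", exe)

def rare_lsass_access(events):
    """Filter -> normalize -> stats by path -> keep groups seen on one host at most 3 times."""
    groups = defaultdict(lambda: {"access_count": 0, "hosts": set(), "users": set()})
    for e in events:
        if (e.get("event.category") != "api" or e.get("host.os.family") != "windows"
                or e.get("process.Ext.api.name") not in API_NAMES
                or e.get("Target.process.name") != "lsass.exe"):
            continue
        exe = e.get("process.executable")
        if exe is None or is_noisy(exe):
            continue
        g = groups[normalize_path(exe)]
        g["access_count"] += 1
        g["hosts"].add(e["host.id"])
        g["users"].add(e["user.name"])
    return {p: g for p, g in groups.items() if len(g["hosts"]) == 1 and g["access_count"] <= 3}

def make_event(exe, host, api="ReadProcessMemory", target="lsass.exe", user="alice"):
    """Constructed sample event using the rule's field names (not real telemetry)."""
    return {"event.category": "api", "host.os.family": "windows", "process.Ext.api.name": api,
            "Target.process.name": target, "process.executable": exe, "host.id": host, "user.name": user}

SAMPLE_EVENTS = [  # constructed; the comment on each line names the stage that drops or keeps it
    make_event(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25010.9-0\MsMpEng.exe", "h1"),
    make_event(r"C:\Program Files\Vendor\agent.exe", "h1", api="OpenProcess"),  # noisy exclusion
    make_event(r"C:\Tools\monitor.exe", "h2"), make_event(r"C:\Tools\monitor.exe", "h3"),  # 2 hosts
    make_event(r"C:\Users\alice\AppData\Local\Temp\{a1b2c3d4-1111-2222-3333-444455556666}\tool.exe", "h1"),
    make_event(r"C:\Users\alice\AppData\Local\Temp\{f0e1d2c3-9999-8888-7777-666655554444}\tool.exe", "h1"),
]  # the last two share a normalized path, so the stats stage counts them as one rare group
```

Running `rare_lsass_access(SAMPLE_EVENTS)` returns only the normalized Temp path with two accesses from a single host; the Defender, Program Files and two-host entries are dropped by the exclusion and rarity stages respectively.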
Install detection rules in Elastic Security
Detect LSASS Process Access via Windows API in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules.