Detect Credential Dumping Activities

Identify LSASS memory access and credential extraction attempts using the join() function

Query

Pipeline: Events -> Filter -> Filter -> Filter -> Filter -> Join -> Join -> Table -> Result Set

logscale
#event_simpleName=ProcessRollup2
| (CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)
| ImageFileName!=/\\lsass\.exe$/i
| ParentImageFileName!=/\\(powershell|cmd)\.exe$/i
| join({#event_simpleName=UserIdentity}, field=[aid, AuthenticationID], include=[UserName])
| join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")
| table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])

Introduction

The join() function correlates events of different types, so a detection can combine process execution data with the user context and file hash that are recorded in other events.

In this example, join() is used to detect potential credential dumping: process execution events that reference the Windows Local Security Authority Subsystem Service (LSASS) or a known dumping tool are enriched with the user who owns the logon session and with the SHA256 hash of the executable.

Example incoming data might look like this:

@timestamp | #event_simpleName | aid | ImageFileName | CommandLine | ParentImageFileName | AuthenticationID | RawProcessId | UserName | SHA256HashData
2025-11-05T10:15:00Z | ProcessRollup2 | aid123 | C:\Windows\System32\lsass.exe | lsass.exe | C:\Windows\System32\services.exe | 0x1234 | 1001 | <no value> | <no value>
2025-11-05T10:15:01Z | UserIdentity | aid123 | <no value> | <no value> | <no value> | 0x1234 | <no value> | john.doe | <no value>
2025-11-05T10:15:02Z | SyntheticProcessRollup2 | aid123 | <no value> | <no value> | <no value> | 0x1234 | 1001 | <no value> | abc123hash
2025-11-05T10:16:00Z | ProcessRollup2 | aid124 | C:\Tools\procdump.exe | procdump.exe -ma lsass.exe dump.dmp | C:\Windows\explorer.exe | 0x5678 | 1002 | <no value> | <no value>
2025-11-05T10:16:01Z | UserIdentity | aid124 | <no value> | <no value> | <no value> | 0x5678 | <no value> | jane.smith | <no value>
2025-11-05T10:16:02Z | SyntheticProcessRollup2 | aid124 | <no value> | <no value> | <no value> | 0x5678 | 1002 | <no value> | def456hash
2025-11-05T10:17:00Z | ProcessRollup2 | aid125 | C:\Temp\mimikatz.exe | mimikatz.exe sekurlsa::logonpasswords | C:\Windows\explorer.exe | 0x9012 | 1003 | <no value> | <no value>
2025-11-05T10:17:01Z | UserIdentity | aid125 | <no value> | <no value> | <no value> | 0x9012 | <no value> | admin.user | <no value>
2025-11-05T10:17:02Z | SyntheticProcessRollup2 | aid125 | <no value> | <no value> | <no value> | 0x9012 | 1003 | <no value> | ghi789hash

Step-by-Step

  1. Starting with the source repository events.

  2. logscale
     #event_simpleName=ProcessRollup2

     Filters for process execution events by selecting events where #event_simpleName equals ProcessRollup2.

  3. logscale
     | (CommandLine=/mimikatz|procdump|lsass|sekurlsa/i OR ImageFileName=/\\(mimikatz|procdump|pwdump)\.exe$/i)

     Identifies potential credential dumping tools by matching known names in the CommandLine (mimikatz, procdump, sekurlsa, or any reference to lsass) or a known tool binary at the end of ImageFileName. Both patterns are case-insensitive; the ImageFileName pattern anchors on the trailing \name.exe so it matches the file name rather than a directory that happens to contain the word. Note that lsass in the CommandLine pattern also matches the command line of lsass.exe itself, which the next stage removes.

  4. logscale
     | ImageFileName!=/\\lsass\.exe$/i

     Excludes the LSASS process itself. Its own command line (lsass.exe, as in the first sample row) satisfies the previous stage, but it is the target of credential dumping, not the tool; without this exclusion every host would produce a hit for its legitimate lsass.exe started by services.exe.

  5. logscale
     | ParentImageFileName!=/\\(powershell|cmd)\.exe$/i

     Excludes processes whose parent is powershell.exe or cmd.exe. This reduces noise from administrators running tools such as procdump interactively, but it is a coverage trade-off: an attacker who launches mimikatz from a cmd.exe shell is excluded as well, so tune or drop this stage according to how the environment uses these tools.

  6. logscale
     | join({#event_simpleName=UserIdentity}, field=[aid, AuthenticationID], include=[UserName])

     Enriches each hit with the user who owns the logon session by joining with UserIdentity events and copying in UserName. The join keys on both aid and AuthenticationID. AuthenticationID is a Windows logon session identifier (LUID) that is only unique within one boot of one host, and well-known values such as 0x3e7 (SYSTEM) are identical on every host, so keying on AuthenticationID alone would attach the wrong user when sessions on different hosts share an ID. join() is an inner join by default, so hits with no matching UserIdentity event are dropped from the result.

  7. logscale
     | join({#event_simpleName=SyntheticProcessRollup2}, field=[aid, RawProcessId], include=[SHA256HashData], suffix="Parent")

     Adds the SHA256 hash of the executable by joining with SyntheticProcessRollup2 events on the same host (aid) and process ID (RawProcessId), so the hash belongs to the flagged process itself. As in the previous stage, hits with no matching event are dropped.

  8. logscale
     | table([aid, UserName, ImageFileName, CommandLine, ParentImageFileName, SHA256HashData])

     Creates a table showing each suspicious process together with its host, the executing user, the parent process and the executable hash.

  9. Event Result set.
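The following Python is an added example and is not part of the original page or a CrowdStrike query; it models the stages above (the three name-based filters, two inner joins and the final column selection) over constructed events shaped like the sample table, so the join behaviour can be checked offline. It keys the user join on aid as well as AuthenticationID, because a logon session LUID is only unique per boot of one host, and it excludes lsass.exe itself from the candidates. The `user_keys` and `exclude_lsass_self` parameters are this example's own switches: set to AuthenticationID-only and False they reproduce the weaker behaviour, which misattributes a hit to a user on another host and flags the legitimate lsass.exe. The join is simplified to first-match (an assumption about join() semantics made for the model), and the extra host aid127 is constructed data added to provoke the LUID collision.

```python
import re

# Constructed sample events modelled on the page's table (not real sensor output).
# Two additions expose pitfalls: a second host (aid127) whose logon session reuses the
# LUID 0x5678, and lsass.exe itself on aid123, whose command line matches the `lsass` pattern.
EVENTS = [
    {"#event_simpleName": "ProcessRollup2", "aid": "aid123",
     "ImageFileName": r"C:\Windows\System32\lsass.exe", "CommandLine": "lsass.exe",
     "ParentImageFileName": r"C:\Windows\System32\services.exe",
     "AuthenticationID": "0x1234", "RawProcessId": "1001"},
    {"#event_simpleName": "UserIdentity", "aid": "aid123", "AuthenticationID": "0x1234", "UserName": "john.doe"},
    {"#event_simpleName": "SyntheticProcessRollup2", "aid": "aid123", "RawProcessId": "1001", "SHA256HashData": "abc123hash"},
    # Constructed collision: a different host whose session LUID happens to equal jane.smith's.
    {"#event_simpleName": "UserIdentity", "aid": "aid127", "AuthenticationID": "0x5678", "UserName": "bob.jones"},
    {"#event_simpleName": "ProcessRollup2", "aid": "aid124",
     "ImageFileName": r"C:\Tools\procdump.exe", "CommandLine": "procdump.exe -ma lsass.exe dump.dmp",
     "ParentImageFileName": r"C:\Windows\explorer.exe",
     "AuthenticationID": "0x5678", "RawProcessId": "1002"},
    {"#event_simpleName": "UserIdentity", "aid": "aid124", "AuthenticationID": "0x5678", "UserName": "jane.smith"},
    {"#event_simpleName": "SyntheticProcessRollup2", "aid": "aid124", "RawProcessId": "1002", "SHA256HashData": "def456hash"},
    {"#event_simpleName": "ProcessRollup2", "aid": "aid125",
     "ImageFileName": r"C:\Temp\mimikatz.exe", "CommandLine": "mimikatz.exe sekurlsa::logonpasswords",
     "ParentImageFileName": r"C:\Windows\explorer.exe",
     "AuthenticationID": "0x9012", "RawProcessId": "1003"},
    {"#event_simpleName": "UserIdentity", "aid": "aid125", "AuthenticationID": "0x9012", "UserName": "admin.user"},
    {"#event_simpleName": "SyntheticProcessRollup2", "aid": "aid125", "RawProcessId": "1003", "SHA256HashData": "ghi789hash"},
]

# The same patterns as the query, case-insensitive; image patterns anchor on the trailing \name.exe.
TOOL_CMDLINE = re.compile(r"mimikatz|procdump|lsass|sekurlsa", re.I)
TOOL_IMAGE = re.compile(r"\\(mimikatz|procdump|pwdump)\.exe$", re.I)
SHELL_PARENT = re.compile(r"\\(powershell|cmd)\.exe$", re.I)
LSASS_SELF = re.compile(r"\\lsass\.exe$", re.I)


def is_candidate(ev, exclude_lsass_self=True):
    """Filter stages: a process event naming a dumping tool, not spawned from a shell."""
    if ev.get("#event_simpleName") != "ProcessRollup2":
        return False
    if not (TOOL_CMDLINE.search(ev.get("CommandLine", "")) or TOOL_IMAGE.search(ev.get("ImageFileName", ""))):
        return False
    if exclude_lsass_self and LSASS_SELF.search(ev.get("ImageFileName", "")):
        return False  # lsass.exe matches the `lsass` pattern but is the victim, not the tool
    if SHELL_PARENT.search(ev.get("ParentImageFileName", "")):
        return False
    return True


def inner_join(primary, events, subquery_type, keys, include):
    """Simplified model of join(): copy `include` fields from the first subquery event whose
    key fields all match; primary rows without a match are dropped (inner join)."""
    index = {}
    for ev in events:
        if ev.get("#event_simpleName") == subquery_type:
            index.setdefault(tuple(ev.get(k) for k in keys), ev)
    joined = []
    for row in primary:
        match = index.get(tuple(row.get(k) for k in keys))
        if match is not None:
            joined.append({**row, **{f: match[f] for f in include}})
    return joined


def detect(events, user_keys=("aid", "AuthenticationID"), exclude_lsass_self=True):
    """Run the whole pipeline and return rows in the table() column order."""
    hits = [ev for ev in events if is_candidate(ev, exclude_lsass_self)]
    hits = inner_join(hits, events, "UserIdentity", user_keys, ["UserName"])
    hits = inner_join(hits, events, "SyntheticProcessRollup2", ("aid", "RawProcessId"), ["SHA256HashData"])
    cols = ["aid", "UserName", "ImageFileName", "CommandLine", "ParentImageFileName", "SHA256HashData"]
    return [{c: r.get(c) for c in cols} for r in hits]


if __name__ == "__main__":
    for row in detect(EVENTS):
        print(row)
    # Keying the user join on AuthenticationID alone attributes aid124's procdump run to
    # bob.jones on aid127 (his session is indexed first), and lsass.exe on aid123 becomes a hit.
    for row in detect(EVENTS, user_keys=("AuthenticationID",), exclude_lsass_self=False):
        print("weak:", row)
```

Running the block prints the two expected rows (aid124/jane.smith and aid125/admin.user) followed by the three rows the weaker keying produces, with aid124 wrongly attributed to bob.jones. The first-match rule stands in for whatever a real join() does with several matching subquery events; the point it illustrates is that the key must include the host, not how ties are broken.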

Summary and Results

The query is used to detect potential credential dumping by identifying process launches whose command line or binary name indicates an attempt to read or dump LSASS memory, a common technique in credential theft attacks. It matches on names rather than on observed memory access, so a renamed binary or a custom dumper is not caught; treat it as a detection for commodity tooling and pair it with hash-based or behavioural detections where they are available.

This query is useful, for example, to detect and investigate potential credential theft attempts, insider threats, or post-exploitation activity in Windows environments.

Sample output from the incoming example data:

aid | UserName | ImageFileName | CommandLine | ParentImageFileName | SHA256HashData
aid124 | jane.smith | C:\Tools\procdump.exe | procdump.exe -ma lsass.exe dump.dmp | C:\Windows\explorer.exe | def456hash
aid125 | admin.user | C:\Temp\mimikatz.exe | mimikatz.exe sekurlsa::logonpasswords | C:\Windows\explorer.exe | ghi789hash

Note that each detected event includes the username of the logon session that executed the suspicious process, helping identify potential insider threats, and the SHA256 hash of the executable, which can be used for threat intelligence correlation and malware identification. The two rows are not equally conclusive: mimikatz with sekurlsa::logonpasswords is rarely legitimate, whereas procdump is a signed Sysinternals tool that administrators use to capture crash dumps, so a procdump hit is triaged on the user, the parent process and whether lsass was the target rather than treated as confirmed malicious.