Azure Sentinel - Query help

karthik palani 1,036 Reputation points
2022-02-15T14:33:19.247+00:00

Dear All,

I need to write query to hunt for OS Credential Dumping: NTDS. T1003.003, kindly help if you got any information


Accepted answer
  1. JamesTran-MSFT 36,811 Reputation points Microsoft Employee
    2022-02-15T23:39:26.957+00:00

    @karthik palani
    Thank you for your post!

    When it comes to a KQL query hunting for OS Credential Dumping, I found a Kusto Query Internals: Hunting TTPs with Azure Sentinel document that should point you in the right direction.

    Kusto Query Internals: Hunting TTPs with Azure Sentinel (Page 13):
    Once you have all the relevant event logs as described in the PDF file on Page 13, you can create a KQL query for it.

    // T1003 - Credential Dumping  
    // Reference: https://attack.mitre.org/techniques/T1003/  
    let timeframe = 7d;  
    SecurityEvent  
    | where TimeGenerated >= ago(timeframe)  
    | where EventID == 4663 and ObjectName == "\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe"
    

    Querying the 'User' value in the AccountType column:

    // T1003 - Credential Dumping  
    // Reference: https://attack.mitre.org/techniques/T1003/  
    let timeframe = 7d;  
    SecurityEvent  
    | where TimeGenerated >= ago(timeframe)  
    | where EventID == 4663 and ObjectName == "\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe"
    | where AccountType == "User"  
    

    Querying the EventData column:

    // T1003 - Credential Dumping  
    // Reference: https://attack.mitre.org/techniques/T1003/  
    let timeframe = 7d;  
    SecurityEvent  
    | where TimeGenerated >= ago(timeframe)  
    | where EventID == 4663 and ObjectName == "\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe"
    | where AccountType == "User"  
    | project EventData  
    

    Querying for the Proc Dump:

    search in (SecurityEvent) "ProcDump"  
      
    // Search for ProcDump use  
    let timeframe = 7d;  
    SecurityEvent  
    | where TimeGenerated >= ago(timeframe)  
    | where EventID == 4688 and NewProcessName == "C:\\Users\\Bob\\Desktop\\Procdump\\procdump64.exe"
    | project TimeGenerated, Account, SubjectLogonId, CommandLine, NewProcessName  
    | sort by TimeGenerated desc  
    

    Additional Links:
    OS Credential Dumping - Mitre ATT&CK
    Detecting credential theft through memory access modelling with Microsoft Defender ATP
    Kusto Query Language in Microsoft Sentinel

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


1 additional answer

  1. Chiheb Chebbi 1 Reputation point MVP
    2022-03-14T21:36:40.067+00:00

    OS Credential Dumping: NTDS. T1003.003 can be performed using many methods. You can find many emulations here. T1003.md

    For example to detect Create Volume Shadow Copy with NTDS.dit you can use this query

    Sysmon_Parser // I am using a Sysmon Parser
    | where process_command_line has_any ("copy","shadow","create","delete")
    | where EventID == 1
    | where process_path has "vssadmin"
    
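Added example (not from either answer above): a single SecurityEvent 4688 hunt for the NTDS sub-technique that extends the vssadmin idea of the second answer to the other common ways ntds.dit gets extracted (ntdsutil IFM, diskshadow, copying from a shadow-copy path) and labels each hit with the method matched. It assumes process command-line auditing is enabled so CommandLine is populated; the Method labels and match terms are constructed for this example.

```kql
// T1003.003 - OS Credential Dumping: NTDS (added hunt, not from the original answers)
// Reference: https://attack.mitre.org/techniques/T1003/003/
// Assumes "Include command line in process creation events" is enabled,
// otherwise CommandLine is empty and only the process-name checks fire.
let timeframe = 7d;
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4688
// Normalise the image name and command line so the checks are case-insensitive
| extend ProcName = tolower(tostring(split(NewProcessName, @"\")[-1])),
         Cmd = tolower(CommandLine)
// Label the extraction method; the first matching branch wins
| extend Method = case(
    ProcName == "ntdsutil.exe" and Cmd has "ifm",
        "ntdsutil IFM media dump",
    ProcName == "vssadmin.exe" and Cmd has_all ("create", "shadow"),
        "vssadmin shadow copy creation",
    ProcName == "diskshadow.exe",
        "diskshadow scripted shadow copy",
    Cmd has "ntds.dit" and Cmd has "harddiskvolumeshadowcopy",
        "copy of ntds.dit out of a shadow copy",
    Cmd has "ntds.dit",
        "direct reference to ntds.dit",
    "")
| where isnotempty(Method)
// Keep the fields an analyst needs to triage the hit
| project TimeGenerated, Computer, Account, SubjectLogonId, Method, NewProcessName, CommandLine
| sort by TimeGenerated desc
```

On domain controllers, vssadmin and diskshadow also run during legitimate backups, so the Computer and Account columns are the first thing to check before treating a hit as credential theft.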
