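// Detect when a process with a hash not previously seen in your environment
// accesses lsass.exe via an OpenProcess API call.
// Microsoft Sentinel query (DeviceEvents table, TimeGenerated column).
//
// How it works: build a baseline of InitiatingProcessSHA256 values that opened
// lsass.exe during the lookback window, then report any process in the recent
// window whose hash is not in that baseline.
//
// Tunables:
//   lookback - how far back the baseline of known hashes reaches
//   recent   - the window in which not-yet-seen hashes are reported
// The baseline window ends where the recent window begins, so an event cannot
// suppress itself.
//
// Output: one row per device / account / command line / desired access, plus
// the triggering hash and image name so an analyst can pivot on the hash or
// add it to an allowlist, and the first time it was seen in the recent window.
//
// Caveats:
//   - On first use (or after an ingestion gap) the baseline is thin, so expect
//     more rows until `lookback` worth of data has accumulated.
//   - Rows with an empty InitiatingProcessSHA256 are not special-cased: they are
//     suppressed if the baseline also holds an empty hash and reported
//     otherwise. Triage those rows on FileName/command line instead.
let lookback = 30d;
let recent = 1d;
let knownhashes =
    DeviceEvents
    | where TimeGenerated > ago(lookback) and TimeGenerated < ago(recent)
    | where ActionType == "OpenProcessApiCall"
    // FileName is the process being opened (the target), not the caller.
    | where FileName == "lsass.exe"
    | distinct InitiatingProcessSHA256;
DeviceEvents
| where TimeGenerated > ago(recent)
| where ActionType == "OpenProcessApiCall"
| where FileName == "lsass.exe"
// `!in` against a one-column tabular expression; it is case-sensitive.
| where InitiatingProcessSHA256 !in (knownhashes)
// DesiredAccess is carried in the dynamic AdditionalFields bag.
| extend DesiredAccess = tostring(AdditionalFields.DesiredAccess)
| summarize FirstSeen = min(TimeGenerated), Events = count()
    by DeviceName,
       InitiatingProcessAccountName,
       InitiatingProcessSHA256,
       InitiatingProcessFileName,
       InitiatingProcessCommandLine,
       DesiredAccess
| order by FirstSeen desc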
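// Detect when a process with a hash not previously seen in your environment
// accesses lsass.exe via an OpenProcess API call.
// Microsoft Defender Advanced Hunting query (DeviceEvents table, Timestamp
// column).
//
// How it works: build a baseline of InitiatingProcessSHA256 values that opened
// lsass.exe during the lookback window, then report any process in the recent
// window whose hash is not in that baseline.
//
// Tunables:
//   lookback - how far back the baseline of known hashes reaches
//   recent   - the window in which not-yet-seen hashes are reported
// The baseline window ends where the recent window begins, so an event cannot
// suppress itself.
//
// Output: one row per device / account / command line / desired access, plus
// the triggering hash and image name so an analyst can pivot on the hash or
// add it to an allowlist, and the first time it was seen in the recent window.
// Only DesiredAccess is pulled out of AdditionalFields, matching the Sentinel
// version of this query, instead of returning the whole JSON blob.
//
// Caveats:
//   - On first use (or after an ingestion gap) the baseline is thin, so expect
//     more rows until `lookback` worth of data has accumulated.
//   - Rows with an empty InitiatingProcessSHA256 are not special-cased: they are
//     suppressed if the baseline also holds an empty hash and reported
//     otherwise. Triage those rows on FileName/command line instead.
let lookback = 30d;
let recent = 1d;
let knownhashes =
    DeviceEvents
    | where Timestamp > ago(lookback) and Timestamp < ago(recent)
    | where ActionType == "OpenProcessApiCall"
    // FileName is the process being opened (the target), not the caller.
    | where FileName == "lsass.exe"
    | distinct InitiatingProcessSHA256;
DeviceEvents
| where Timestamp > ago(recent)
| where ActionType == "OpenProcessApiCall"
| where FileName == "lsass.exe"
// `!in` against a one-column tabular expression; it is case-sensitive.
| where InitiatingProcessSHA256 !in (knownhashes)
// parse_json works whether AdditionalFields arrives as a JSON string or as
// dynamic, so this line is portable between Advanced Hunting and Sentinel.
| extend DesiredAccess = tostring(parse_json(AdditionalFields).DesiredAccess)
| summarize FirstSeen = min(Timestamp), Events = count()
    by DeviceName,
       InitiatingProcessAccountName,
       InitiatingProcessSHA256,
       InitiatingProcessFileName,
       InitiatingProcessCommandLine,
       DesiredAccess
| order by FirstSeen desc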