Add hunting queries: Resilient LSASS credential dumping detection pack (3 queries)

[YounesA343]

Summary

Three new hunting queries covering resilient, behavioral detection of LSASS credential dumping. Existing queries in the repository often rely on brittle timing heuristics (e.g., LSASS access followed by a .dmp file write within 1 minute) or static tool names, both of which are trivial for modern threat actors to evade.

These queries shift the detection strategy from "Who" is doing the dumping to "How" the dumping physics and OS mechanics operate, providing high-certitude coverage against Mimikatz, NanoDump, Cobalt Strike, and BYOVD (Bring Your Own Vulnerable Driver) attacks.

Queries Added

1. Azure-Sentinel/Hunting Queries/Microsoft 365 Defender/Credential Access/HighVolumeLsassMemoryRead.yaml
Detects credential dumping by measuring the physical volume of memory extracted from the LSASS process. Malicious dumps require the full credential tables, triggering a massive ReadProcessMemory footprint (>40MB). This entirely bypasses attackers using DuplicateHandle (Handle Hijacking) or Get-System to evade standard alerting. Implements cryptographic whitelisting via DeviceFileCertificateInfo.

• Tables: DeviceEvents, DeviceFileCertificateInfo
• MITRE: T1003.001 (OS Credential Dumping: LSASS Memory) — Credential Access

2. Azure-Sentinel/Hunting Queries/Microsoft 365 Defender/Credential Access/SuspiciousLsassAccessRequest.yaml
Identifies unauthorized interactive user accounts (non-SYSTEM) explicitly requesting highly privileged access masks (like PROCESS_VM_READ or PROCESS_ALL_ACCESS / 0x1FFFFF) against the LSASS process. This flags credential dumping attempts even if the memory read ultimately fails or is deliberately delayed to evade time-based correlation. Implements cryptographic whitelisting via DeviceFileCertificateInfo.

• Tables: DeviceEvents, DeviceFileCertificateInfo
• MITRE: T1003.001 (OS Credential Dumping: LSASS Memory) — Credential Access

3. Azure-Sentinel/Hunting Queries/WindowsEvent/LsassAccessFromUnbackedMemory.yaml
A high-certitude query utilizing Sysmon Event ID 10 (ProcessAccess). It evaluates the CallTrace field for the UNKNOWN string when lsass.exe is targeted. Legitimate tools dump LSASS from file-backed DLLs on disk (e.g., dbghelp.dll), whereas attackers utilizing process hollowing or in-memory shellcode execution will originate from unbacked memory regions. This requires virtually zero allowlisting.

• Tables: WindowsEvent (Sysmon)
• MITRE: T1003.001 (OS Credential Dumping: LSASS Memory) — Credential Access

Performance & Triage Optimizations:

• Compute Efficiency: Rigorously optimized for Kusto clusters. Includes early isnotempty() filtering, String Operator Indexing (has), explicit type casting for Logic App safety, and strict left-side anti-joins utilizing deduplicated certificate arrays.

• Triage Ready: The output is heavily sanitized with explicit project-reorder pipelines. Included dynamic alertDetailsOverride to inject the suspect process and host directly into the SOC queue titles, reducing Tier 1 triage time.

  Change(s):

  • Added SuspiciousLsassAccessRequest.yaml to Hunting Queries/Microsoft 365 Defender/Credential Access/
  • Added HighVolumeLsassMemoryRead.yaml to Hunting Queries/Microsoft 365 Defender/Credential Access/
  • Added LsassAccessFromUnbackedMemory.yaml to Hunting Queries/WindowsEvent/
  • Includes comprehensive entity mappings (Host, Account, Process).
  • Implements alertDetailsOverride for scannable, dynamic SOC queue titles.

  Reason for Change(s):

  • Existing queries for LSASS dumping were largely based on brittle timing of access + file write, or static tool names, which are trivial signals to evade.
  • Attackers frequently rename binaries (e.g., mimikatz.exe to taskmgr.exe). These queries introduce strict cryptographic whitelisting via DeviceFileCertificateInfo to prevent evasion by renaming.
  • Introduces behavioral "Physics" (volume of memory read) and "Context" (unbacked memory call traces and non-system execution) to catch advanced injection and BYOVD techniques.

  Version Updated:

  • N/A (These are new hunting queries, versions set to 1.0.0).

  Testing Completed:

  • Yes. The queries were authored against DeviceEvents, DeviceFileCertificateInfo, and WindowsEvent (Sysmon) schemas. Validated against actual credential dumping logs to ensure zero false negatives, and tuned against enterprise EDR/Backup agent noise to ensure zero false positives.

  Checked that the validations are passing and have addressed any issues that are present:

  • Yes. Passed .script/tests/DetectionTemplateSchemaValidation locally. All schema requirements, strict type casting for entities, and YAML linting standards have been met.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds three new Microsoft Sentinel hunting queries focused on resilient, behavior-based detection of LSASS credential dumping, emphasizing OS mechanics over brittle timing/tool-name heuristics.

Changes:

• Added two Microsoft 365 Defender (MDE) hunting queries using access-mask and high-volume memory-read signals with certificate-based allowlisting.
• Added one WindowsEvent (Sysmon EID 10) hunting query detecting LSASS access originating from unbacked memory via CallTrace patterns.
• Included entity mappings, custom details, and alert formatting overrides in the new YAML templates.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 11 comments.

File	Description
Hunting Queries/WindowsEvent/LsassAccessFromUnbackedMemory.yaml	New Sysmon-based hunt for LSASS access from unbacked memory regions.
Hunting Queries/Microsoft 365 Defender/Credential Access/SuspiciousLsassAccessRequest.yaml	New MDE hunt for non-system accounts requesting privileged LSASS access masks with certificate allowlisting.
Hunting Queries/Microsoft 365 Defender/Credential Access/HighVolumeLsassMemoryRead.yaml	New MDE hunt for unusually large LSASS memory reads with certificate allowlisting.

[YounesA343]

Copilot suggestions reviewed. All items are implemented in the current code:

• Column names now match
• SourceImage added back into the final project
• Removed Severity and AlertDetailsOverride as these are hunting queries.