Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This query identifies processes extracting an abnormally large volume of memory (>40MB) from LSASS. By focusing on physical bytes copied rather than process names, it detects credential dumping even if the malicious process runs with SYSTEM privileges.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | 2a7ce5d7-e478-404a-a0e3-fde6e96c92f1 |
| Tactics | CredentialAccess |
| Techniques | T1003.001 |
| Required Connectors | MicrosoftThreatProtection |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/Microsoft%20365%20Defender/Credential%20Access/HighVolumeLsassMemoryRead.yaml) |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊