Question Analysis

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine contains "lsass" | where ProcessCommandLine contains "dump" or ProcessCommandLine contains "minidump" or ProcessCommandLine contains "credential" or ProcessCommandLine contains "memory" | project Timestamp, DeviceName, AccountName, ProcessCommandLine

DeviceProcessEvents | where ActionType == "ProcessCreated" | where tolower(FileName) in ("powershell.exe", "pwsh.exe") | where tolower(ProcessCommandLine) has_any ("lsass", "procdump", "minidump", "out-minidump", "sekurlsa") | extend ScriptFile = extract(@"([\w\-\\.:]+\.ps1)", 1, ProcessCommandLine) | where isnotempty(ScriptFile) | project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, ScriptFile | order by TimeGenerated desc

DeviceProcessEvents | where InitiatingProcessFileName == "powershell.exe" | where ProcessCommandLine has "lsass" | extend ScriptFileName = FileName

DeviceProcessEvents | where FileName in~ ("rundll32.exe","procdump.exe","procdump64.exe","werfault.exe","taskmgr.exe","powershell.exe","pwsh.exe","powershell_ise.exe") // Look for common lsass dump indicators | where ProcessCommandLine has_any ("comsvcs.dll","MiniDump","lsass","lsass.exe","procdump",".dmp","-ma") // Decide which command line to parse for the script: PowerShell's own CL or the initiator's CL | extend RawCL = tostring(iif(FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe"), ProcessCommandLine, InitiatingProcessCommandLine)) // Extract a .ps1 path/token, then just the script file name | extend ScriptPath = extract(@'(?i)([^\s"''<>|]+\.ps1)', 1, RawCL) | extend ScriptFile = extract(@'(?i)([^\\/:]+\.ps1)$', 1, ScriptPath) | where isnotempty(ScriptFile) | summarize Count=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by ScriptFile | order by Count desc, LastSeen desc | take 1 | project ScriptFile

// Find PowerShell commands that reference lsass or procdump and extract invoked .ps1 script names let ps_cmds = DeviceProcessEvents | where FileName has_cs "powershell" or InitiatingProcessFileName has_cs "powershell" // look for signs of lsass memory dumping or a script invocation | where ProcessCommandLine has_cs "lsass" or ProcessCommandLine has_cs "procdump" or ProcessCommandLine has_cs ".ps1" | extend ScriptName = extract(@"(?i)([^\\\/\s]+\.ps1)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, ScriptName; // Find PowerShell-launched .ps1 files (file events) let ps_files = DeviceFileEvents | where FileName endswith_cs ".ps1" and (InitiatingProcessFileName has_cs "powershell" or InitiatingProcessCommandLine has_cs "powershell") | extend ScriptName = FileName | project FileTimeGenerated = TimeGenerated, DeviceName, ScriptName, FolderPath, FileOriginUrl, InitiatingProcessCommandLine; // Correlate and show results ps_cmds | join kind=leftouter (ps_files) on DeviceName, ScriptName | project TimeGenerated, FileTimeGenerated, DeviceName, AccountName, ScriptName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, FileOriginUrl | order by TimeGenerated desc | where isnotempty(ScriptName) | take 50

// PowerShell + lsass memory dump investigation let indicators = dynamic(["lsass","lsass.exe","dump","procdump",".dmp","minidumpwritedump","comsvcs.dll","rundll32"]); let proc = DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) | where isnotempty(ProcessCommandLine) | where ProcessCommandLine has_cs "powershell" or ProcessCommandLine has_cs "pwsh" or ProcessCommandLine has_cs "powershell.exe" or ProcessCommandLine has_cs "pwsh.exe" | where ( ProcessCommandLine has_cs "lsass" or ProcessCommandLine has_cs "lsass.exe" or ProcessCommandLine has_cs "dump" or ProcessCommandLine has_cs "procdump" or ProcessCommandLine has_cs ".dmp" or ProcessCommandLine has_cs "MiniDumpWriteDump" or ProcessCommandLine has_cs "comsvcs.dll" or ProcessCommandLine has_cs "rundll32" ) | extend Cmd = ProcessCommandLine, Time = TimeGenerated, Device = DeviceName, PID = ProcessId, User = AccountName | extend ScriptName = extract(@"(?i)([\w\-\.]+\.ps1)", 1, Cmd) | extend EXEInvoked = extract(@"(?i)([\w\-\.]+\.(exe|dll|ps1))", 1, Cmd) | extend DmpFile = extract(@"(?i)([\w\-\.]+\.dmp)", 1, Cmd) | extend PotentialIndicator = trim('\"', coalesce(ScriptName, EXEInvoked, DmpFile, "")) | project Time, Device, PID, User, Cmd, ScriptName, EXEInvoked, DmpFile, PotentialIndicator; let dev = DeviceEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) | where isnotempty(InitiatingProcessCommandLine) | where ActionType has_cs "ProcessCreated" or ActionType has_cs "Create" or ActionType has_cs "Process" | where InitiatingProcessCommandLine has_cs "powershell" or InitiatingProcessCommandLine has_cs "pwsh" or InitiatingProcessCommandLine has_cs "powershell.exe" or InitiatingProcessCommandLine has_cs "pwsh.exe" | where ( InitiatingProcessCommandLine has_cs "lsass" or InitiatingProcessCommandLine has_cs "lsass.exe" or InitiatingProcessCommandLine has_cs "dump" or InitiatingProcessCommandLine has_cs "procdump" or InitiatingProcessCommandLine has_cs ".dmp" or InitiatingProcessCommandLine has_cs "MiniDumpWriteDump" or InitiatingProcessCommandLine has_cs "comsvcs.dll" or InitiatingProcessCommandLine has_cs "rundll32" ) | extend Cmd = InitiatingProcessCommandLine, Time = TimeGenerated, Device = DeviceName, PID = InitiatingProcessId, User = InitiatingProcessAccountName | extend ScriptName = extract(@"(?i)([\w\-\.]+\.ps1)", 1, Cmd) | extend EXEInvoked = extract(@"(?i)([\w\-\.]+\.(exe|dll|ps1))", 1, Cmd) | extend DmpFile = extract(@"(?i)([\w\-\.]+\.dmp)", 1, Cmd) | extend PotentialIndicator = trim('\"', coalesce(ScriptName, EXEInvoked, DmpFile, "")) | project Time, Device, PID, User, Cmd, ScriptName, EXEInvoked, DmpFile, PotentialIndicator; proc | union dev | summarize FirstSeen=min(Time), LastSeen=max(Time), Count=count(), SampleCmd=any(Cmd), SamplePotentialIndicator=any(PotentialIndicator) by Device, User, PID, ScriptName, EXEInvoked, DmpFile | where Count > 0 | order by LastSeen desc | top 100 by LastSeen | project Device, User, PID, ScriptName, EXEInvoked, DmpFile, SamplePotentialIndicator, FirstSeen, LastSeen, Count

DeviceProcessEvents | where (InitiatingProcessFileName =~ 'powershell.exe' or FileName =~ 'powershell.exe') | where (ProcessCommandLine contains 'lsass' or InitiatingProcessCommandLine contains 'lsass') | project ScriptFileName = extract('([^ \"]*\\.ps1)', 1, ProcessCommandLine), ProcessFileName = FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, AccountDomain, DeviceName, DeviceId, Timestamp | order by Timestamp desc

DeviceProcessEvents | where (FileName == "powershell.exe" or InitiatingProcessFileName == "powershell.exe") and (ProcessCommandLine has "lsass" or InitiatingProcessCommandLine has "lsass") | extend InvokedScript = extract(@"([^\s]+\.ps1)",1,ProcessCommandLine) | project TimeGenerated, DeviceName, AccountName, InvokedScript, ProcessCommandLine, InitiatingProcessCommandLine

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has "lsass" | extend ScriptFile = extract(@"(\S+\.ps1)", 1, ProcessCommandLine) | where isnotempty(ScriptFile) | project TimeGenerated, DeviceName, AccountName, ScriptFile, ProcessCommandLine | distinct ScriptFile

let ps_hosts = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); let dump_keywords = dynamic(["lsass","minidump","comsvcs.dll","procdump","out-minidump"]); DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ (ps_hosts) | where ProcessCommandLine has_any (dump_keywords) | extend ScriptFile = extract(@'\S+\.ps1', 0, ProcessCommandLine) | where isnotempty(ScriptFile) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ScriptFile | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Devices = make_set(DeviceName, 50) by ScriptFile | order by FirstSeen asc