Agent Foskett Academy • Lesson 86 • Advanced Defender XDR Investigation

Investigating Credential Theft in Microsoft Defender XDR.

A process touched LSASS.

A browser credential store was accessed.

Minutes later, the same account signed in somewhere else.

Agent Foskett followed the credentials.

Agent Foskett Academy lesson investigating credential theft in Microsoft Defender XDR
Lesson overview

Learn how defenders investigate credential theft by correlating suspicious processes, LSASS access, browser credential activity, identity logons and post-compromise movement in Microsoft Defender XDR.

Review suspicious credential access
Look for LSASS and browser credential activity
Correlate identity and endpoint evidence
Build the credential theft timeline

Why credential theft matters

Credential theft changes an incident. Once an attacker has valid credentials, the investigation must follow both endpoint activity and identity activity.
Valid accounts hide attacker behaviourCredential theft allows an attacker to sign in using real usernames, making malicious activity look like normal authentication until the pattern is reviewed.
Endpoint evidence shows how credentials were targetedDeviceProcessEvents and DeviceFileEvents can reveal tools, scripts and access attempts aimed at LSASS, browser data or credential stores.
Identity evidence shows where credentials were usedIdentityLogonEvents and related sign-in telemetry help identify where stolen credentials were used after the initial compromise.

The credential theft investigation workflow

Agent Foskett follows the evidence from suspicious endpoint behaviour through to account use across the environment.
1. Did a suspicious process run?Start with process evidence. Look for tools, command lines or parent processes associated with credential access.
2. Was LSASS targeted?Review processes and command lines that reference lsass.exe, memory dumping or credential extraction behaviour.
3. Were browser credentials touched?Look for access to browser profile paths, credential databases and unusual file reads or copies.
4. Was PowerShell involved?Search for encoded PowerShell, download cradles, credential-related modules and suspicious command-line activity.
5. Did new logons appear?Review successful logons after the suspicious process activity, especially on new devices or sensitive servers.
6. Did the account move laterally?Correlate device logons and network activity to determine whether credentials were used to reach other systems.
7. Was privilege involved?Check whether privileged accounts, admin servers, service accounts or high-value users were affected.
8. Can the timeline be proven?Place process, file, identity and logon events in chronological order to explain how credentials were targeted and used.

Step 1 — Find suspicious credential-related processes

Start by looking for common credential theft indicators in process names and command lines.
step-1-credential-processes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("lsass", "sekurlsa", "mimikatz", "procdump", "comsvcs.dll", "MiniDump")
   or FileName has_any ("procdump.exe", "rundll32.exe", "powershell.exe", "cmd.exe")
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          InitiatingProcessFileName,
          ProcessCommandLine
| order by Timestamp desc

Step 2 — Investigate LSASS dumping behaviour

Attackers often target LSASS because it may contain credential material in memory.
step-2-lsass-dumping.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "lsass"
| where ProcessCommandLine has_any ("dump", "MiniDump", "comsvcs", "procdump", ".dmp")
| project Timestamp,
          DeviceName,
          AccountUpn,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc

Step 3 — Look for browser credential access

Credential theft is not limited to LSASS. Browser profile data can also be targeted after compromise.
step-3-browser-credential-access.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 11
  14. 12
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\Chrome\User Data", "\Edge\User Data", "\Firefox\Profiles")
| where FileName has_any ("Login Data", "Cookies", "key4.db", "logins.json")
| project Timestamp,
          DeviceName,
          InitiatingProcessAccountUpn,
          FileName,
          FolderPath,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc

Step 4 — Review suspicious PowerShell credential activity

PowerShell can be used to download tooling, run credential collection scripts or execute commands in memory.
step-4-powershell-credential-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("credential", "password", "Invoke-Mimikatz", "sekurlsa", "Get-Credential", "DownloadString", "-EncodedCommand", "-enc")
| project Timestamp,
          DeviceName,
          AccountUpn,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName
| order by Timestamp desc

Step 5 — Find successful logons after suspicious activity

After credential theft, the next question is whether the account was used somewhere else.
step-5-logons-after-credential-access.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
let SuspiciousCredentialActivity =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("lsass", "mimikatz", "sekurlsa", "procdump", "MiniDump")
| project CredentialTime = Timestamp, AccountUpn, DeviceName;
SuspiciousCredentialActivity
| join kind=inner (
    DeviceLogonEvents
    | where Timestamp > ago(24h)
    | where ActionType == "LogonSuccess"
) on AccountUpn
| where Timestamp between (CredentialTime .. CredentialTime + 2h)
| project CredentialTime,
          LogonTime = Timestamp,
          AccountUpn,
          SourceDevice = DeviceName,
          TargetDevice = DeviceName1,
          LogonType,
          RemoteDeviceName,
          RemoteIP
| order by LogonTime asc

Step 6 — Build the credential theft timeline

Combine process, file and logon evidence into one ordered view of what happened.
step-6-credential-theft-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let Device = "WORKSTATION-14";
let StartTime = ago(24h);
union
(DeviceProcessEvents
| where Timestamp > StartTime and DeviceName == Device
| project Timestamp, EventType="Process", DeviceName, Account=AccountUpn, Detail=strcat(FileName, " | ", ProcessCommandLine)),
(DeviceFileEvents
| where Timestamp > StartTime and DeviceName == Device
| project Timestamp, EventType="File", DeviceName, Account=InitiatingProcessAccountUpn, Detail=strcat(FileName, " | ", FolderPath)),
(DeviceLogonEvents
| where Timestamp > StartTime and DeviceName == Device
| project Timestamp, EventType="Logon", DeviceName, Account=AccountUpn, Detail=strcat(ActionType, " | ", LogonType))
| order by Timestamp asc

How to read the evidence

Credential theft investigations depend on sequence. The order of events is often more important than any single event.
Process before logonA suspicious credential access process followed by new logons can indicate stolen credentials were used after collection.
Browser access before cloud sign-inBrowser credential file access followed by unusual sign-ins may indicate session or password theft from the endpoint.
Privilege changes the riskIf a privileged account is involved, the investigation should quickly expand to administrative systems and sensitive workloads.
Timeline before conclusionDo not assume theft from one signal. Correlate process, file, identity and logon evidence before confirming impact.

Real-world investigation

The endpoint alertDefender records a suspicious process accessing LSASS on a workstation used by a finance employee.
The command lineDeviceProcessEvents shows rundll32.exe calling comsvcs.dll with a command line referencing lsass.exe and a dump file path.
The file evidenceDeviceFileEvents records a new .dmp file written to a temporary folder shortly after the process executed.
The identity evidenceWithin 20 minutes, the same user account logs on successfully to a server it has never accessed before.
The lateral movement clueDeviceLogonEvents shows additional successful logons from the same account across multiple devices.
The conclusionThe investigation confirms likely credential theft followed by account use across the environment, requiring containment and credential reset.

Investigation checklist

Suspicious process reviewedIdentify the process, parent process, account and full command line involved in credential access activity.
LSASS activity checkedLook for memory dumping, procdump, comsvcs.dll and commands referencing lsass.exe.
Browser data checkedReview access to browser credential databases, cookies and profile paths.
PowerShell reviewedSearch for encoded commands, credential modules, download strings and in-memory execution patterns.
Logons correlatedCheck where the account authenticated after the suspected credential theft event.
Privileged access assessedDetermine whether admin accounts, service accounts or sensitive systems were affected.
Timeline documentedWrite down the sequence from credential access to account use and containment actions.

Related Agent Foskett Academy lessons

Building a Device TimelineCorrelate process, file, network and logon activity into one investigation view.
Investigating Lateral MovementFollow attacker movement across devices using logon and endpoint evidence.
Investigating PowerShell AttacksAnalyse encoded commands, suspicious execution and PowerShell-based attacker behaviour.
Investigating Living Off The Land (LOLBins)Identify trusted Windows tools abused during post-compromise activity.
Investigating Ransomware BehaviourReview mass file changes, suspicious processes and endpoint impact.
Building a Complete Phishing InvestigationFollow an attack from email delivery through endpoint impact.

Coming next

Lesson 87 — Investigating Persistence TechniquesNext, Agent Foskett investigates how attackers maintain access using scheduled tasks, registry changes, services, startup folders and other persistence methods.
Why this mattersCredential theft often leads to persistence. After the attacker obtains access, defenders need to find how they planned to keep it.

Final thought

Credential theft is not just an endpoint event. It is the bridge between compromise and wider access.
Agent Foskett mindsetDo not stop when the suspicious process is found. Ask where the credentials were used next.
Follow the accountThe device shows how the credentials were targeted. The identity trail shows what the attacker did with them.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating Credential Theft in Microsoft Defender XDR

Agent Foskett Academy Lesson 86 teaches defenders how to investigate credential theft in Microsoft Defender XDR.

Credential theft investigation workflow

This lesson explains how DeviceProcessEvents, DeviceFileEvents, DeviceLogonEvents, IdentityLogonEvents, LSASS access, browser credential files, PowerShell command lines and account logon evidence help defenders investigate credential theft and post-compromise account use.