Investigating Credential Theft in Microsoft Defender XDR.
A process touched LSASS.
A browser credential store was accessed.
Minutes later, the same account signed in somewhere else.
Agent Foskett followed the credentials.
Lesson overview
Learn how defenders investigate credential theft by correlating suspicious processes, LSASS access, browser credential activity, identity logons and post-compromise movement in Microsoft Defender XDR.
Why credential theft matters
The credential theft investigation workflow
Step 1 — Find suspicious credential-related processes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("lsass", "sekurlsa", "mimikatz", "procdump", "comsvcs.dll", "MiniDump")
or FileName has_any ("procdump.exe", "rundll32.exe", "powershell.exe", "cmd.exe")
| project Timestamp,
DeviceName,
AccountName,
FileName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp desc
Step 2 — Investigate LSASS dumping behaviour
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "lsass"
| where ProcessCommandLine has_any ("dump", "MiniDump", "comsvcs", "procdump", ".dmp")
| project Timestamp,
DeviceName,
AccountUpn,
FileName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp desc
Step 3 — Look for browser credential access
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 11
- 12
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\Chrome\User Data", "\Edge\User Data", "\Firefox\Profiles")
| where FileName has_any ("Login Data", "Cookies", "key4.db", "logins.json")
| project Timestamp,
DeviceName,
InitiatingProcessAccountUpn,
FileName,
FolderPath,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp desc
Step 4 — Review suspicious PowerShell credential activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("credential", "password", "Invoke-Mimikatz", "sekurlsa", "Get-Credential", "DownloadString", "-EncodedCommand", "-enc")
| project Timestamp,
DeviceName,
AccountUpn,
FileName,
ProcessCommandLine,
InitiatingProcessFileName
| order by Timestamp desc
Step 5 — Find successful logons after suspicious activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
let SuspiciousCredentialActivity =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("lsass", "mimikatz", "sekurlsa", "procdump", "MiniDump")
| project CredentialTime = Timestamp, AccountUpn, DeviceName;
SuspiciousCredentialActivity
| join kind=inner (
DeviceLogonEvents
| where Timestamp > ago(24h)
| where ActionType == "LogonSuccess"
) on AccountUpn
| where Timestamp between (CredentialTime .. CredentialTime + 2h)
| project CredentialTime,
LogonTime = Timestamp,
AccountUpn,
SourceDevice = DeviceName,
TargetDevice = DeviceName1,
LogonType,
RemoteDeviceName,
RemoteIP
| order by LogonTime asc
Step 6 — Build the credential theft timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let Device = "WORKSTATION-14"; let StartTime = ago(24h); union (DeviceProcessEvents | where Timestamp > StartTime and DeviceName == Device | project Timestamp, EventType="Process", DeviceName, Account=AccountUpn, Detail=strcat(FileName, " | ", ProcessCommandLine)), (DeviceFileEvents | where Timestamp > StartTime and DeviceName == Device | project Timestamp, EventType="File", DeviceName, Account=InitiatingProcessAccountUpn, Detail=strcat(FileName, " | ", FolderPath)), (DeviceLogonEvents | where Timestamp > StartTime and DeviceName == Device | project Timestamp, EventType="Logon", DeviceName, Account=AccountUpn, Detail=strcat(ActionType, " | ", LogonType)) | order by Timestamp asc
How to read the evidence
Real-world investigation
Investigation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating Credential Theft in Microsoft Defender XDR
Agent Foskett Academy Lesson 86 teaches defenders how to investigate credential theft in Microsoft Defender XDR.
Credential theft investigation workflow
This lesson explains how DeviceProcessEvents, DeviceFileEvents, DeviceLogonEvents, IdentityLogonEvents, LSASS access, browser credential files, PowerShell command lines and account logon evidence help defenders investigate credential theft and post-compromise account use.
