redttps

LSASS dump using Magnet RAM Capture

Introduction

This technique involves acquiring the memory of the LSASS (Local Security Authority Subsystem Service) process with a forensic memory-acquisition tool, Magnet RAM Capture, so that it can be analysed offline. The query below keys on the tool's command-line switches and on the resulting `.raw` image file being written, not on access to the LSASS process itself.

KQL

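// Stage 1: process creations whose command line carries the three switches
// used for Magnet RAM Capture's unattended mode. No image name is checked,
// so any other executable launched with the same switches also lands here.
let suspiciousProc = DeviceProcessEvents
| where ProcessCommandLine has_all ("/accepteula", "/silent", "/go")
| project ProcessCreationTime=Timestamp, DeviceId, DeviceName, SuspectExe=FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessId, ProcessId;
// Stage 2: raw memory images appearing on disk. The process that wrote the
// file is kept so the correlation in stage 3 can be verified by the analyst.
let rawFiles = DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".raw"
| project FileCreationTime=Timestamp, DeviceId, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessId;
// Stage 3: pair each suspect process with .raw files created on the same
// device within 30 minutes of it. The join is on DeviceId only, so a .raw
// written by any process in that window matches; the writer's name and PID
// (right-side InitiatingProcessId is suffixed "1" after the join) are
// projected next to the suspect PID so the analyst can confirm they agree.
// If the tool is confirmed to write the image from its own process, the join
// can be tightened with `$left.ProcessId == $right.InitiatingProcessId`.
suspiciousProc
| join kind=inner (rawFiles) on DeviceId
| where FileCreationTime between (ProcessCreationTime .. ProcessCreationTime + 30m)
| project FileCreationTime, ProcessCreationTime, DeviceName, SuspectExe, FileName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName, SuspectPid=ProcessId, FileWriter=InitiatingProcessFileName, FileWriterPid=InitiatingProcessId1
| order by FileCreationTime desc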