← Library
sigmaDRL-1.1from SigmaHQ/sigma

DLL Load via LSASS

Detects a method to load DLL via LSASS process using an undocumented Registry key

Quality
92
FP risk
Forks
0
Views
0
ATT&CK techniques
T1547.008
Rule sourcerules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: test
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
references:
    - https://blog.xpnsec.com/exploring-mimikatz-part-1/
    - https://twitter.com/SBousseaden/status/1183745981189427200
author: Florian Roth (Nextron Systems)
date: 2019-10-16
modified: 2022-04-21
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1547.008
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
            - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
    filter_domain_controller:
        Image: 'C:\Windows\system32\lsass.exe'
        Details:
            - '%%systemroot%%\system32\ntdsa.dll'
            - '%%systemroot%%\system32\lsadb.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high