
Unsigned Image Loaded Into LSASS Process

Detects the loading of an unsigned image (DLL, EXE) into the LSASS process.

Author: Teymur Kheirkhabarov, oscd.community
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic
detection:
    selection:
        Image|endswith: '\lsass.exe'
        Signed: 'false'
    condition: selection
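As an added example (not part of this rule or the Sigma project), the following Python evaluates the selection above against constructed Sysmon Event ID 7 (image load) records, applying Sigma's default semantics: string comparison is case-insensitive and `|endswith` is a suffix test. The event field names and file paths are assumptions chosen to mirror the image_load category.

```python
# Added example: evaluates this rule's detection block against constructed
# Sysmon Event ID 7 (image load) records, using Sigma's default matching
# semantics (case-insensitive string comparison; `|endswith` is a suffix test).
# Field names follow the Sigma image_load category (Image, ImageLoaded, Signed).

DETECTION = {
    "selection": {
        "Image|endswith": r"\lsass.exe",
        "Signed": "false",
    },
    "condition": "selection",
}

def _field_matches(event, key, expected):
    """Evaluate one Sigma field/value pair (supports plain and |endswith)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    expected = str(expected).lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection):
    """All field/value pairs inside one selection are ANDed together."""
    return all(_field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event, detection=DETECTION):
    """Only the single-selection condition used by this rule is supported."""
    return selection_matches(event, detection[detection["condition"]])

# Constructed sample events (assumed field layout, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptdll.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Users\Public\update.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Temp\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\WINDOWS\SYSTEM32\LSASS.EXE",
     "ImageLoaded": r"C:\Windows\Temp\x.dll", "Signed": "False"},
]

def matching_images(events=SAMPLE_EVENTS):
    """Return the ImageLoaded paths of events that trigger the rule."""
    return [e["ImageLoaded"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for path in matching_images():
        print("ALERT unsigned image loaded into lsass.exe:", path)
```

The fourth sample shows why case folding matters: a mixed-case process path and a capitalised "False" still match, as they would under a Sigma backend.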
False Positives

Valid user connecting using RDP

Rule Metadata
Rule ID
857c8db3-c89b-42fb-882b-f681c7cf4da2
Status
test
Level
medium
Type
Detection
Created
Tue Oct 22
Modified
Sat Nov 27
Path
rules/windows/image_load/image_load_lsass_unsigned_image_load.yml
Raw Tags
attack.credential-access, attack.t1003.001