Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

DLL Load via LSASS

Detects a method to load DLL via LSASS process using an undocumented Registry key

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Wed Oct 16Updated Thu Apr 21b3503044-60ce-4bf4-bbcb-e3db98788823windows
Log Source
WindowsRegistry Event
ProductWindows← raw: windows
CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        TargetObject|contains:
            - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
            - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
    filter_domain_controller:
        Image: 'C:\Windows\system32\lsass.exe'
        Details:
            - '%%systemroot%%\system32\ntdsa.dll'
            - '%%systemroot%%\system32\lsadb.dll'
    condition: selection and not 1 of filter_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
blog.xpnsec.com
2
Resolving title…
twitter.com
MITRE ATT&CK
Rule Metadata
Rule ID
b3503044-60ce-4bf4-bbcb-e3db98788823
Status
test
Level
high
Type
Detection
Created
Wed Oct 16
Modified
Thu Apr 21
Author
Florian Roth (Nextron Systems)
Path
rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
Raw Tags
attack.privilege-escalationattack.executionattack.persistenceattack.t1547.008
View on GitHub