LSA PPL Protection Setting Modification via CommandLine

Detects modification of the LSA Protected Process Light (PPL) settings from the command line: writes to the RunAsPPL, RunAsPPLBoot or IsPplAutoEnabled values under HKLM\SYSTEM\...ControlSet...\Control\Lsa made with reg.exe add or with the PowerShell Set-ItemProperty / New-ItemProperty cmdlets. Such a change may be an attempt to disable LSA protection so that credential-dumping tools can open and read LSASS process memory. Two practical caveats: the rule keys on the value name, not on the data written, so a hardening script that enables protection (RunAsPPL set to 1) fires it as well and must be triaged against change control; and because RunAsPPL is read at boot, setting it to 0 does not affect the running LSASS until the host is rebooted, and where LSA protection was configured with the UEFI lock the registry change alone does not remove it.

Sigma rule

title: LSA PPL Protection Setting Modification via CommandLine
id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
status: test
description: |
    Detects modification of LSA PPL protection settings via CommandLine.
    It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.
references:
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
    - https://github.com/shoober420/windows11-scripts/blob/38d83331738cd713ccb42f2c4557d17a27aefd98/Windows11Tweaks.bat#L1825
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-03-22
modified: 2026-03-13
tags:
    - attack.defense-evasion
    - attack.t1562.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\reg.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'reg.exe'
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_cli_action:
        CommandLine|contains|all:
            - 'ControlSet'
            - '\Control\Lsa'
        CommandLine|contains:
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - ' add '
    selection_key:
        CommandLine|contains:
            - 'IsPplAutoEnabled'
            - 'RunAsPPL'
            - 'RunAsPPLBoot'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: medium
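
The detection logic of the rule above, re-implemented as plain Python predicates and run over a handful of constructed process-creation events. This is an added example, not code from the SigmaHQ repository or from pySigma. It reproduces the three selections with Sigma's default case-insensitive substring semantics (the patterns contain no wildcards, so plain substring tests are faithful; the two entries under selection_img are OR-ed, and the condition AND-s the three selections) and adds a triage helper of my own, not part of the rule, that recovers the data written from reg.exe's /d or PowerShell's -Value so an analyst can separate a disable (0) from a hardening write (1 or 2, the values that enable protection). Field names follow the Sigma process_creation taxonomy the rule uses; the events in EVENTS are constructed, not real Sysmon or 4688 records.

```python
"""Sigma rule 8c0eca51 (LSA PPL Protection Setting Modification via
CommandLine) as plain Python predicates, plus a triage helper.
Added example; not part of the SigmaHQ repository or pySigma.
EVENTS is constructed for illustration, not real telemetry."""
import re

# selection_img: a list of maps in Sigma is OR-ed, so either field suffices
IMAGE_SUFFIXES = ("\\reg.exe", "\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILENAMES = ("reg.exe", "powershell.exe", "pwsh.dll")
# selection_cli_action: both path tokens AND any one action token
PATH_TOKENS_ALL = ("ControlSet", "\\Control\\Lsa")
ACTION_TOKENS_ANY = ("Set-ItemProperty", "New-ItemProperty", " add ")
# selection_key
VALUE_NAMES_ANY = ("IsPplAutoEnabled", "RunAsPPL", "RunAsPPLBoot")


def _lc(s):
    # Sigma string comparisons are case-insensitive by default.
    return (s or "").lower()


def selection_img(event):
    image, ofn = _lc(event.get("Image")), _lc(event.get("OriginalFileName"))
    return (image.endswith(tuple(x.lower() for x in IMAGE_SUFFIXES))
            or ofn in tuple(x.lower() for x in ORIGINAL_FILENAMES))


def selection_cli_action(event):
    cli = _lc(event.get("CommandLine"))
    return (all(t.lower() in cli for t in PATH_TOKENS_ALL)
            and any(t.lower() in cli for t in ACTION_TOKENS_ANY))


def selection_key(event):
    cli = _lc(event.get("CommandLine"))
    return any(t.lower() in cli for t in VALUE_NAMES_ANY)


def rule_matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli_action(event) and selection_key(event)


# --- triage helper: my addition, not part of the rule ---------------------
_REG_DATA = re.compile(r"/d\s+(\S+)", re.IGNORECASE)      # reg add ... /d <data>
_PS_VALUE = re.compile(r"-Value\s+(\S+)", re.IGNORECASE)  # *-ItemProperty -Value <data>


def written_value(command_line):
    """Best effort: the integer the command writes, or None if not parseable."""
    for pattern in (_REG_DATA, _PS_VALUE):
        m = pattern.search(command_line or "")
        if m:
            try:
                return int(m.group(1).strip("'\""), 0)  # accepts 0, 1, 0x2 ...
            except ValueError:
                return None
    return None


def triage(event):
    """'disable' for 0; 'enable' for 1 or 2 (protection on, with/without UEFI
    lock); 'unknown' if the data could not be parsed; None if the rule does not
    fire. The rule itself ignores the data, so both directions alert."""
    if not rule_matches(event):
        return None
    value = written_value(event.get("CommandLine"))
    if value == 0:
        return "disable"
    if value in (1, 2):
        return "enable"
    return "unknown"


# Constructed sample events (not real logs).
EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",  # disable via reg.exe
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell -c Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 0"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",  # hardening write, still fires
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f"},
    {"Image": r"C:\Users\Public\r.exe", "OriginalFileName": "reg.exe",  # renamed reg.exe, caught by OriginalFileName
     "CommandLine": r"r.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPLBoot /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",  # read-only query: no action token
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",  # same key, unrelated value
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel /t REG_DWORD /d 5 /f"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{str(triage(e)):8} {e['CommandLine']}")
```

Running the block prints one verdict per event: the first, second and fourth are "disable", the third is "enable" (the hardening case the rule cannot distinguish on its own), and the query and the LmCompatibilityLevel write do not fire. In a SIEM the same split is usually done in the alert's enrichment or in a second, higher-severity rule that also requires "/d 0" or "-Value 0" in the command line.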
