DLL Load via LSASS
Detects a method to load DLL via LSASS process using an undocumented Registry key
Sigma rule (View on GitHub)
1title: DLL Load via LSASS
2id: b3503044-60ce-4bf4-bbcb-e3db98788823
3status: test
4description: Detects a method to load DLL via LSASS process using an undocumented Registry key
5references:
6 - https://blog.xpnsec.com/exploring-mimikatz-part-1/
7 - https://twitter.com/SBousseaden/status/1183745981189427200
8author: Florian Roth (Nextron Systems)
9date: 2019-10-16
10modified: 2022-04-21
11tags:
12 - attack.privilege-escalation
13 - attack.execution
14 - attack.persistence
15 - attack.t1547.008
16logsource:
17 category: registry_event
18 product: windows
19detection:
20 selection:
21 TargetObject|contains:
22 - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
23 - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
24 filter_domain_controller:
25 Image: 'C:\Windows\system32\lsass.exe'
26 Details:
27 - '%%systemroot%%\system32\ntdsa.dll'
28 - '%%systemroot%%\system32\lsadb.dll'
29 condition: selection and not 1 of filter_*
30falsepositives:
31 - Unknown
32level: high
References
-
We’ve packed it, we’ve wrapped it, we’ve injected it and powershell’d it, and now we've settled on feeding it a memory dump, and still Mimikatz remains the tool of choice when extracting credentials from lsass on Windows systems. Of course this is due to the fact that with each new security control introduced by Microsoft, GentilKiwi always has a trick or two up his sleeve. If you have ever looked at the effort that goes into Mimikatz, this is no easy task, with
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- ChromeLoader Malware Execution
- Cisco Modify Configuration