DLL Load via LSASS

 1title: DLL Load via LSASS
 2id: b3503044-60ce-4bf4-bbcb-e3db98788823
 3status: test
 4description: Detects a method to load DLL via LSASS process using an undocumented Registry key
 5references:
 6    - https://blog.xpnsec.com/exploring-mimikatz-part-1/
 7    - https://twitter.com/SBousseaden/status/1183745981189427200
 8author: Florian Roth (Nextron Systems)
 9date: 2019-10-16
10modified: 2022-04-21
11tags:
12    - attack.execution
13    - attack.persistence
14    - attack.t1547.008
15logsource:
16    category: registry_event
17    product: windows
18detection:
19    selection:
20        TargetObject|contains:
21            - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
22            - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
23    filter_domain_controller:
24        Image: 'C:\Windows\system32\lsass.exe'
25        Details:
26            - '%%systemroot%%\system32\ntdsa.dll'
27            - '%%systemroot%%\system32\lsadb.dll'
28    condition: selection and not 1 of filter_*
29falsepositives:
30    - Unknown
31level: high

References

• Exploring Mimikatz - Part 1 - WDigest

  

  We’ve packed it, we’ve wrapped it, we’ve injected it and powershell’d it, and now we've settled on feeding it a memory dump, and still Mimikatz remains the tool of choice when extracting credentials from lsass on Windows systems. Of course this is due to the fact that with each new security control introduced by Microsoft, GentilKiwi always has a trick or two up his sleeve. If you have ever looked at the effort that goes into Mimikatz, this is no easy task, with

  
  Read More

• x.com

  
  Read More

Related rules

• AWS IAM S3Browser LoginProfile Creation
• AWS IAM S3Browser Templated S3 Bucket Policy Creation
• AWS IAM S3Browser User or AccessKey Creation
• Azure Kubernetes CronJob
• CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry