DLL Load via LSASS

 1title: DLL Load via LSASS
 2id: b3503044-60ce-4bf4-bbcb-e3db98788823
 3status: test
 4description: Detects a method to load DLL via LSASS process using an undocumented Registry key
 5references:
 6    - https://blog.xpnsec.com/exploring-mimikatz-part-1/
 7    - https://twitter.com/SBousseaden/status/1183745981189427200
 8author: Florian Roth (Nextron Systems)
 9date: 2019/10/16
10modified: 2022/04/21
11tags:
12    - attack.execution
13    - attack.persistence
14    - attack.t1547.008
15logsource:
16    category: registry_event
17    product: windows
18detection:
19    selection:
20        TargetObject|contains:
21            - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
22            - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
23    filter_domain_controller:
24        Image: 'C:\Windows\system32\lsass.exe'
25        Details:
26            - '%%systemroot%%\system32\ntdsa.dll'
27            - '%%systemroot%%\system32\lsadb.dll'
28    condition: selection and not 1 of filter_*
29falsepositives:
30    - Unknown
31level: high

References

• Exploring Mimikatz - Part 1 - WDigest

  

  We’ve packed it, we’ve wrapped it, we’ve injected it and powershell’d it, and now we've settled on feeding it a memory dump, and still Mimikatz remains the tool of choice when extracting credentials from lsass on Windows systems. Of course this is due to the fact that with each new security control introduced by Microsoft, GentilKiwi always has a trick or two up his sleeve. If you have ever looked at the effort that goes into Mimikatz, this is no easy task, with

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Suspicious Encoded Scripts in a WMI Consumer
• Suspicious Scheduled Task Write to System32 Tasks
• Scheduled task executing powershell encoded payload from registry
• PowerShell Create Local User
• Scheduled Cron Task/Job - Linux