DLL Load via LSASS
Detects a method of loading a DLL into the LSASS process via an undocumented registry key.
Sigma rule:

title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: test
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
references:
    - https://blog.xpnsec.com/exploring-mimikatz-part-1/
    - https://twitter.com/SBousseaden/status/1183745981189427200
author: Florian Roth (Nextron Systems)
date: 2019/10/16
modified: 2022/04/21
tags:
    - attack.execution
    - attack.persistence
    - attack.t1547.008
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
            - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
    filter_domain_controller:
        Image: 'C:\Windows\system32\lsass.exe'
        Details:
            - '%%systemroot%%\system32\ntdsa.dll'
            - '%%systemroot%%\system32\lsadb.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
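To make the rule's logic concrete, here is an added example (not part of the Sigma rule or the SigmaHQ project) that evaluates the detection above in plain Python over a handful of constructed Sysmon registry events (Event ID 13, SetValue). The field names TargetObject, Image and Details follow the Sysmon-to-Sigma field mapping; the event records, their "name" labels and the paths in them are constructed for the example. The code reproduces the rule's semantics: the two list entries under `TargetObject|contains` are ORed, the two fields inside `filter_domain_controller` are ANDed, Sigma string matching is case-insensitive, and the condition is `selection and not 1 of filter_*`.

```python
# Added example: a minimal evaluator for the "DLL Load via LSASS" Sigma rule,
# run over constructed Sysmon registry events. Not part of the rule or SigmaHQ.

# Values copied from the rule's detection section.
TARGET_FRAGMENTS = (
    r"\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt",
    r"\CurrentControlSet\Services\NTDS\LsaDbExtPt",
)
LSASS_IMAGE = r"C:\Windows\system32\lsass.exe"
EXPECTED_DETAILS = (
    r"%%systemroot%%\system32\ntdsa.dll",
    r"%%systemroot%%\system32\lsadb.dll",
)


def _ci_contains(haystack: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive by default.
    return needle.lower() in haystack.lower()


def _ci_equals(a: str, b: str) -> bool:
    return a.lower() == b.lower()


def selection(event: dict) -> bool:
    """selection: TargetObject contains one of the two NTDS extension-point keys (OR)."""
    target = event.get("TargetObject", "")
    return any(_ci_contains(target, frag) for frag in TARGET_FRAGMENTS)


def filter_domain_controller(event: dict) -> bool:
    """filter_domain_controller: Image AND Details must both match;
    the Details list is an OR of the two legitimate values."""
    image_ok = _ci_equals(event.get("Image", ""), LSASS_IMAGE)
    details_ok = any(_ci_equals(event.get("Details", ""), d) for d in EXPECTED_DETAILS)
    return image_ok and details_ok


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not filter_domain_controller(event)


# Constructed Sysmon Event ID 13 (RegistryEvent SetValue) records, not real captures.
SAMPLE_EVENTS = [
    {   # legitimate domain controller: lsass.exe stores the expected ntdsa.dll value
        "name": "dc-legit",
        "Image": r"C:\Windows\system32\lsass.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt",
        "Details": r"%%systemroot%%\system32\ntdsa.dll",
    },
    {   # a different process writes the extension-point key: selection hits, filter does not
        "name": "non-lsass-writer",
        "Image": r"C:\Windows\Temp\setup.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt",
        "Details": r"C:\ProgramData\unexpected.dll",
    },
    {   # lsass.exe itself, but the stored value is not one of the two exact expected strings
        "name": "lsass-unexpected-value",
        "Image": r"C:\Windows\system32\lsass.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt",
        "Details": r"C:\Windows\system32\lsadb.dll",   # expanded form, so the filter misses
    },
    {   # unrelated service key: selection does not hit
        "name": "unrelated",
        "Image": r"C:\Windows\system32\services.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
        "Details": "DWORD (0x00000002)",
    },
]


def alerts(events: list) -> list:
    """Return the names of the events the rule would alert on, in input order."""
    return [e["name"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Two practical points the samples illustrate. First, the rule only fires if Sysmon actually emits SetValue events for these keys, so the Sysmon configuration has to include the NTDS service key (or registry events generally). Second, the filter is an exact match on the Details value as Sysmon logs it, so a legitimate lsass.exe write stored in a form other than the two `%%systemroot%%` strings (the third sample) still alerts; verifying what your own domain controllers log for these values before deploying the rule at level high avoids surprise noise.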