Potential Persistence Via LSA Extensions
Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
Sigma rule
title: Potential Persistence Via LSA Extensions
id: 41f6531d-af6e-4c6e-918f-b946f2b85a36
status: test
description: |
    Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
    The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
references:
    - https://persistence-info.github.io/Data/lsaaextension.html
    - https://twitter.com/0gtweet/status/1476286368385019906
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions'
    condition: selection
falsepositives:
    - Unlikely
level: high
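The following is an added example, not part of the Sigma rule or the SigmaHQ project: it applies the rule's `TargetObject|contains` selection to constructed registry_set events and, for each hit, diffs the written "Extensions" list against a known-good baseline so the analyst sees which DLL name was introduced. The event field layout, the newline-separated rendering of the REG_MULTI_SZ value in `details`, and the baseline contents are assumptions made for the example.

```python
"""Evaluate the LSA Extensions Sigma rule over constructed registry_set events."""
from dataclasses import dataclass

# Path fragment from the rule's selection (TargetObject|contains).
LSA_EXTENSIONS_PATH = r"\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions"


@dataclass
class RegistrySetEvent:
    target_object: str          # registry key/value path as logged (hive prefix varies)
    details: str = ""           # assumption: MULTI_SZ rendered as newline-separated names
    image: str = ""             # process that performed the write


def matches_rule(event: RegistrySetEvent) -> bool:
    """Sigma string matching is case-insensitive by default, so compare lower-cased."""
    return LSA_EXTENSIONS_PATH.lower() in event.target_object.lower()


def split_multi_sz(details: str) -> list[str]:
    """Split a rendered REG_MULTI_SZ into entries; tolerates NUL or ';' separators."""
    parts = details.replace("\x00", "\n").replace(";", "\n").splitlines()
    return [p.strip() for p in parts if p.strip()]


def added_extensions(event: RegistrySetEvent, baseline: list[str]) -> list[str]:
    """Return DLL names in the written value that are absent from the host baseline."""
    known = {b.lower() for b in baseline}
    return [d for d in split_multi_sz(event.details) if d.lower() not in known]


def triage(events: list[RegistrySetEvent], baseline: list[str]) -> list[dict]:
    """Apply the rule and enrich each hit with the newly introduced DLL names."""
    return [
        {"image": ev.image, "target": ev.target_object, "new_dlls": added_extensions(ev, baseline)}
        for ev in events
        if matches_rule(ev)
    ]


# Constructed baseline: the Extensions entries recorded on this host before the change.
BASELINE = ["existing_ext.dll"]

# Constructed events: one write to the LSA Extensions value, one unrelated Lsa write.
SAMPLE_EVENTS = [
    RegistrySetEvent(r"HKLM\System\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions",
                     "existing_ext.dll\nadded_extension_example.dll", r"C:\Windows\regedit.exe"),
    RegistrySetEvent(r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
                     "kerberos\nmsv1_0", r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, BASELINE):
        print(finding)
```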