Potential Persistence Via LSA Extensions

Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.

Sigma rule (View on GitHub)

 1title: Potential Persistence Via LSA Extensions
 2id: 41f6531d-af6e-4c6e-918f-b946f2b85a36
 3status: test
 4description: |
 5    Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
 6    The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.    
 7references:
 8    - https://persistence-info.github.io/Data/lsaaextension.html
 9    - https://twitter.com/0gtweet/status/1476286368385019906
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/07/21
12modified: 2023/08/17
13tags:
14    - attack.persistence
15logsource:
16    category: registry_set
17    product: windows
18detection:
19    selection:
20        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions'
21    condition: selection
22falsepositives:
23    - Unlikely
24level: high

References

Related rules

to-top