Potential Persistence Via LSA Extensions
Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
Sigma rule (View on GitHub)
1title: Potential Persistence Via LSA Extensions
2id: 41f6531d-af6e-4c6e-918f-b946f2b85a36
3status: experimental
4description: |
5 Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
6 The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
7references:
8 - https://persistence-info.github.io/Data/lsaaextension.html
9 - https://twitter.com/0gtweet/status/1476286368385019906
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022/07/21
12modified: 2023/08/17
13tags:
14 - attack.persistence
15logsource:
16 category: registry_set
17 product: windows
18detection:
19 selection:
20 TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions'
21 condition: selection
22falsepositives:
23 - Unlikely
24level: high
References
-
LSA Extension Location: HKLM\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv Classification: Criteria Value Permissions Admin Security context System Persistence type Registry Code type ...
Read More -
Related rules
- Add Debugger Entry To AeDebug For Persistence
- Add Debugger Entry To Hangs Key For Persistence
- Bypass UAC Using Event Viewer
- COM Hijacking via TreatAs
- Classes Autorun Keys Modification