DLL Load via LSASS

Hunt Hypothesis

Detects a method to load DLL via LSASS process using an undocumented Registry key

Detection Rule

Sigma (Original)

title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: test
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
references:
    - https://blog.xpnsec.com/exploring-mimikatz-part-1/
    - https://twitter.com/SBousseaden/status/1183745981189427200
author: Florian Roth (Nextron Systems)
date: 2019-10-16
modified: 2022-04-21
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1547.008
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
            - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
    filter_domain_controller:
        Image: 'C:\Windows\system32\lsass.exe'
        Details:
            - '%%systemroot%%\system32\ntdsa.dll'
            - '%%systemroot%%\system32\lsadb.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imRegistry
| where (RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt" or RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") and (not((ActingProcessName =~ "C:\\Windows\\system32\\lsass.exe" and (RegistryValueData in~ ("%%systemroot%%\\system32\\ntdsa.dll", "%%systemroot%%\\system32\\lsadb.dll")))))

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Tactic: Privilege Escalation
• Tactic: Execution
• Tactic: Persistence
• Technique: T1547.008 — T1547.008

References

• https://blog.xpnsec.com/exploring-mimikatz-part-1/
• https://twitter.com/SBousseaden/status/1183745981189427200
• SigmaHQ Rule