Potential Persistence Via LSA Extensions

Hunt Hypothesis

Detects when an attacker modifies the “REG_MULTI_SZ” value named “Extensions” to include a custom DLL to achieve persistence via lsass. The “Extensions” list contains filenames of DLLs being automatic

Detection Rule

Sigma (Original)

title: Potential Persistence Via LSA Extensions
id: 41f6531d-af6e-4c6e-918f-b946f2b85a36
status: test
description: |
    Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
    The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
references:
    - https://persistence-info.github.io/Data/lsaaextension.html
    - https://twitter.com/0gtweet/status/1476286368385019906
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions'
    condition: selection
falsepositives:
    - Unlikely
level: high

KQL (Azure Sentinel)

imRegistry
| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions"

Required Data Sources

False Positive Guidance

• Unlikely

MITRE ATT&CK Context

• Tactic: Persistence

References

• https://persistence-info.github.io/Data/lsaaextension.html
• https://twitter.com/0gtweet/status/1476286368385019906
• SigmaHQ Rule