An adversary may be using a loader or an incomplete LSA Password Filter to exfiltrate credentials or establish persistence within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify credential theft or lateral movement attempts that traditional monitoring may not detect.
YARA Rule
rule Trojan_Win32_PlaLsaLog
{
    meta:
        author = "Microsoft"
        description = "Loader / possible incomplete LSA Password Filter"
        original_sample_sha1 = "fa087986697e4117c394c9a58cb9f316b2d9f7d8"
        unpacked_sample_sha1 = "29cb81dbe491143b2f8b67beaeae6557d8944ab4"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"

    strings:
        $str1 = {8A 1C 01 32 DA 88 1C 01 8B 74 24 0C 41 3B CE 7C EF 5B 5F C6 04 01 00 5E 81 C4 04 01 00 00 C3}
        $str2 = "PasswordChangeNotify"

    condition:
        $str1 and $str2
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic: a 31-byte code sequence ($str1) and the export name PasswordChangeNotify ($str2). Both must be present for the rule to fire, since PasswordChangeNotify alone is also exported by legitimate password filter DLLs.
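The following is an added example, not code from Microsoft or from the rule above: it re-implements the rule's two strings and its `$str1 and $str2` condition in pure Python so the behaviour can be checked on arbitrary byte buffers without a YARA install. The sample buffers are constructed for illustration; the SHA-1 values are the ones listed in the rule's meta section.

```python
"""Emulate the detection logic of Trojan_Win32_PlaLsaLog in pure Python."""
import hashlib
import re

# Hex pattern and text string copied from the rule body.
STR1_HEX = ("8A 1C 01 32 DA 88 1C 01 8B 74 24 0C 41 3B CE 7C EF 5B 5F "
            "C6 04 01 00 5E 81 C4 04 01 00 00 C3")
STR2_TEXT = b"PasswordChangeNotify"

# SHA-1 hashes from the rule's meta section, used only to label a buffer
# if it happens to be one of the two samples the rule was written against.
KNOWN_SHA1 = {
    "fa087986697e4117c394c9a58cb9f316b2d9f7d8": "original_sample",
    "29cb81dbe491143b2f8b67beaeae6557d8944ab4": "unpacked_sample",
}


def hex_pattern_to_bytes(pattern: str) -> bytes:
    """Convert a YARA hex string into raw bytes.

    Only plain byte tokens are supported; this rule uses no wildcards
    (`??`) or jumps (`[n-m]`), so that is all we need here.
    """
    tokens = pattern.split()
    if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in tokens):
        raise ValueError("only plain hex byte tokens are supported")
    return bytes(int(t, 16) for t in tokens)


STR1 = hex_pattern_to_bytes(STR1_HEX)


def find_all(haystack: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs (overlaps allowed)."""
    offsets, start = [], 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan(buf: bytes) -> dict:
    """Apply the rule's strings and condition to a buffer."""
    s1 = find_all(buf, STR1)
    s2 = find_all(buf, STR2_TEXT)
    sha1 = hashlib.sha1(buf).hexdigest()
    return {
        "str1_offsets": s1,
        "str2_offsets": s2,
        "match": bool(s1) and bool(s2),   # the rule's condition: $str1 and $str2
        "sha1": sha1,
        "known_sample": KNOWN_SHA1.get(sha1),
    }


# Constructed sample buffers (not real files).
# 1) Both strings present: the code sequence at offset 16, the export name after it.
SAMPLE_BOTH = b"\x00" * 16 + STR1 + b"\x90" * 8 + STR2_TEXT + b"\x00"
# 2) Only the export name: what a legitimate password filter DLL would look like
#    to this rule, so it must NOT match.
SAMPLE_EXPORT_ONLY = b"MZ" + b"\x00" * 30 + STR2_TEXT + b"\x00" + b"\xcc" * 16


if __name__ == "__main__":
    for name, buf in (("both", SAMPLE_BOTH), ("export_only", SAMPLE_EXPORT_ONLY)):
        r = scan(buf)
        print(f"{name:12s} match={r['match']} str1@{r['str1_offsets']} "
              f"str2@{r['str2_offsets']} sha1={r['sha1']}")
```

The second sample shows why the condition requires both strings: any DLL registered as an LSA password filter exports PasswordChangeNotify, so the export name alone would flag every legitimate filter. The 31-byte code sequence is the part that ties the hit to this particular loader.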
Scenario: A system administrator is using PowerShell’s Get-LSAPassword tool to audit local security policy passwords.
Filter/Exclusion: Check for the presence of Get-LSAPassword in the command line or use a filter for processes initiated by the admin account with known audit tools.
Scenario: A scheduled task runs a script that temporarily accesses the LSA password cache for credential dumping during a security assessment.
Filter/Exclusion: Exclude processes associated with scheduled tasks that have a known security assessment or penetration testing context.
Scenario: A Windows Update or Group Policy update triggers a background process that interacts with the LSA password filter.
Filter/Exclusion: Exclude processes related to svchost.exe or wuauserv.exe during known update windows or policy refresh events.
Scenario: A third-party security tool like Mimikatz is used for legitimate forensic analysis or incident response.
Filter/Exclusion: Exclude processes initiated by known incident response tools or those running under a dedicated IR account with whitelisted tools.
Scenario: A domain controller is performing a Kerberos ticket renewal or password synchronization task, which may temporarily interact with the LSA password filter.
Filter/Exclusion: Exclude processes running on domain controllers or with the krbtgt account, or filter by specific domain controller-related services like kdc or lsass.exe on DCs.
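As an added example (not from the original page or its source), the Scenario / Filter-Exclusion pairs above can be expressed as structured suppression rules applied to hits with process context. The `Hit` fields (host role, process image, command line, user, timestamp), the account names, the assessment directory and the maintenance window are all constructed assumptions about what an EDR or SIEM record would carry; `Get-LSAPassword` is the tool name as given on the page.

```python
"""Context-based suppression for hits on Trojan_Win32_PlaLsaLog."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List

UTC = timezone.utc


@dataclass(frozen=True)
class Hit:
    host: str
    host_role: str   # assumed taxonomy: "workstation" | "server" | "domain_controller"
    process: str     # image name of the process the matched module was found in
    cmdline: str
    user: str
    time: datetime


@dataclass(frozen=True)
class Suppression:
    name: str
    predicate: Callable[[Hit], bool]


# Constructed reference data; a real deployment would source these from
# the SOC's maintained allowlists rather than hard-code them.
AUDIT_ADMINS = {"CORP\\admin.audit"}
ASSESSMENT_TASK_DIR = "c:\\assessments\\"
IR_ACCOUNTS = {"CORP\\ir-svc"}
IR_TOOLS = {"mimikatz.exe"}
UPDATE_WINDOW = (datetime(2016, 4, 12, 2, 0, tzinfo=UTC),
                 datetime(2016, 4, 12, 4, 0, tzinfo=UTC))
DC_LSA_PROCESSES = {"lsass.exe"}   # the KDC runs inside lsass.exe on a DC

# Each suppression pairs the scenario's activity with the context that
# makes it legitimate (account, host role or time window), so a single
# spoofable attribute such as a process name is never enough on its own.
SUPPRESSIONS: List[Suppression] = [
    Suppression("admin_audit_tool",
                lambda h: "Get-LSAPassword" in h.cmdline and h.user in AUDIT_ADMINS),
    Suppression("scheduled_assessment",
                lambda h: ASSESSMENT_TASK_DIR in h.cmdline.lower()),
    Suppression("update_window",
                lambda h: h.process.lower() == "svchost.exe"
                and UPDATE_WINDOW[0] <= h.time <= UPDATE_WINDOW[1]),
    Suppression("ir_tooling",
                lambda h: h.user in IR_ACCOUNTS and h.process.lower() in IR_TOOLS),
    Suppression("dc_lsa_services",
                lambda h: h.host_role == "domain_controller"
                and h.process.lower() in DC_LSA_PROCESSES),
]


def triage(hits: List[Hit]) -> Dict[str, list]:
    """Split hits into those to escalate and those suppressed, with the reason."""
    escalated, suppressed = [], []
    for h in hits:
        for s in SUPPRESSIONS:
            if s.predicate(h):
                suppressed.append((h, s.name))
                break
        else:
            escalated.append(h)
    return {"escalated": escalated, "suppressed": suppressed}


# Constructed hits: one per scenario plus two that should be escalated.
T_IN_WINDOW = datetime(2016, 4, 12, 3, 0, tzinfo=UTC)
T_BUSINESS = datetime(2016, 4, 12, 15, 0, tzinfo=UTC)
SAMPLE_HITS = [
    Hit("WS01", "workstation", "powershell.exe",
        "powershell.exe Get-LSAPassword -Audit", "CORP\\admin.audit", T_BUSINESS),
    Hit("WS02", "workstation", "rundll32.exe",
        "rundll32.exe C:\\Users\\Public\\lsalog.dll,Start", "CORP\\jdoe", T_BUSINESS),
    Hit("SRV01", "server", "svchost.exe",
        "svchost.exe -k netsvcs", "NT AUTHORITY\\SYSTEM", T_IN_WINDOW),
    Hit("DC01", "domain_controller", "lsass.exe",
        "lsass.exe", "NT AUTHORITY\\SYSTEM", T_BUSINESS),
    Hit("SRV02", "server", "svchost.exe",
        "svchost.exe -k netsvcs", "NT AUTHORITY\\SYSTEM", T_BUSINESS),
]


if __name__ == "__main__":
    result = triage(SAMPLE_HITS)
    for h, why in result["suppressed"]:
        print(f"suppressed {h.host} {h.process} ({why})")
    for h in result["escalated"]:
        print(f"ESCALATE  {h.host} {h.process} user={h.user} cmd={h.cmdline}")
```

Every suppression records its name next to the hit it silenced, so the suppressed set can be reviewed as easily as the escalated one; the `update_window` rule shows that the same svchost.exe hit is suppressed inside the maintenance window and escalated outside it.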