← Back to Explore
sigmahighHunting
DLL Load via LSASS
Detects a method to load DLL via LSASS process using an undocumented Registry key
Detection Query
selection:
TargetObject|contains:
- \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt
- \CurrentControlSet\Services\NTDS\LsaDbExtPt
filter_domain_controller:
Image: C:\Windows\system32\lsass.exe
Details:
- "%%systemroot%%\\system32\\ntdsa.dll"
- "%%systemroot%%\\system32\\lsadb.dll"
condition: selection and not 1 of filter_*
Author
Florian Roth (Nextron Systems)
Created
2019-10-16
Data Sources
windowsRegistry Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.executionattack.persistenceattack.t1547.008
Raw Content
title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: test
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
references:
- https://blog.xpnsec.com/exploring-mimikatz-part-1/
- https://twitter.com/SBousseaden/status/1183745981189427200
author: Florian Roth (Nextron Systems)
date: 2019-10-16
modified: 2022-04-21
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1547.008
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains:
- '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
- '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
filter_domain_controller:
Image: 'C:\Windows\system32\lsass.exe'
Details:
- '%%systemroot%%\system32\ntdsa.dll'
- '%%systemroot%%\system32\lsadb.dll'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high