SigmaHQ/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml

title: DLL Load via LSASS
status: experimental
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
author: Florian Roth
date: 2019/10/16
references:
    - https://blog.xpnsec.com/exploring-mimikatz-part-1/
    - https://twitter.com/SBousseaden/status/1183745981189427200
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID:
            - 12 
            - 13
        TargetObject: 
            - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
            - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
    condition: selection
tags:
    - attack.execution
    - attack.t1177
falsepositives:
    - Unknown
level: high
rule: LSASS DLL load via undocumented Registry key https://twitter.com/SBousseaden/status/1183745981189427200 2019-10-16 11:18:31 +00:00			`title: DLL Load via LSASS`
			`status: experimental`
			`description: Detects a method to load DLL via LSASS process using an undocumented Registry key`
			`author: Florian Roth`
			`date: 2019/10/16`
			`references:`
			`- https://blog.xpnsec.com/exploring-mimikatz-part-1/`
			`- https://twitter.com/SBousseaden/status/1183745981189427200`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID:`
			`- 12`
			`- 13`
			`TargetObject:`
			`- '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'`
			`- '\CurrentControlSet\Services\NTDS\LsaDbExtPt'`
			`condition: selection`
			`tags:`
			`- attack.execution`
			`- attack.t1177`
			`falsepositives:`
			`- Unknown`
			`level: high`