SigmaHQ/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml

32 lines
780 B
YAML

title: DLL Load via LSASS
status: experimental
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
author: Florian Roth
date: 2019/10/16
references:
- https://blog.xpnsec.com/exploring-mimikatz-part-1/
- https://twitter.com/SBousseaden/status/1183745981189427200
logsource:
product: windows
service: sysmon
detection:
selection:
EventID:
- 12
- 13
TargetObject:
- '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
- '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
condition: selection
tags:
- attack.execution
- attack.t1177
fields:
- Image
- ParentImage
- ParentCommandLine
falsepositives:
- Unknown
level: high