Detects modification of LSASS and authentication DLLs, suspicious registry changes to password filter packages, and abnormal process access to lsass.exe. Correlates registry modifications, DLL loads, and process handle access events.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| MonitoredRegistryKeys | Specific LSASS and password filter registry paths monitored for modification. |
| TimeWindow | Correlation window between registry change, DLL load, and lsass.exe access. |
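The correlation described above, written out as an added example (not code from the original page or from any vendor product). It takes Security 4657 and Sysmon EventCode 7 / 10 records, normalises the 4657 key path, and raises one alert per monitored-key change that is followed on the same host, within TimeWindow, by lsass.exe loading a DLL from outside System32 or by a non-baselined process opening a handle to lsass.exe. The event records, host names, the `BENIGN_LSASS_ACCESSORS` baseline and the ten-minute window are constructed assumptions; the field names are Sysmon's and the Security log's.

```python
"""Correlate registry, module-load and handle-access indicators around lsass.exe.

Added example, not from the original page. Sample events below are constructed
to look like Security 4657 and Sysmon 7/10 fields; hosts and timestamps are made up.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# MonitoredRegistryKeys: LSA package registration values whose change can make
# LSASS load an additional DLL. Keys are compared after normalisation (lower case,
# \REGISTRY\MACHINE -> HKLM, ControlSet00N -> CurrentControlSet).
MONITORED_REGISTRY_VALUES = {
    r"hklm\system\currentcontrolset\control\lsa": {"notification packages", "security packages"},
    r"hklm\system\currentcontrolset\control\lsa\osconfig": {"security packages"},
}
TIME_WINDOW = timedelta(minutes=10)          # TimeWindow tunable
SYSTEM32 = "c:\\windows\\system32\\"         # where DLLs loaded by lsass.exe normally live
# Processes that routinely open lsass.exe handles (assumed baseline, tune per estate).
BENIGN_LSASS_ACCESSORS = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    channel: str                 # "Security" or "Sysmon"
    code: int                    # 4657, 7 or 10
    data: dict = field(default_factory=dict)


def _norm_key(object_name: str) -> str:
    k = object_name.lower().replace("\\registry\\machine\\", "hklm\\")
    return re.sub(r"controlset00\d", "currentcontrolset", k)


def registry_hit(e: Event) -> bool:
    """Security 4657 that changed one of the monitored LSA values."""
    if e.channel != "Security" or e.code != 4657:
        return False
    values = MONITORED_REGISTRY_VALUES.get(_norm_key(e.data.get("ObjectName", "")), set())
    return e.data.get("ObjectValueName", "").lower() in values


def module_hit(e: Event) -> bool:
    """Sysmon 7: lsass.exe loading a DLL from outside System32, or an unsigned one."""
    if e.channel != "Sysmon" or e.code != 7:
        return False
    if not e.data.get("Image", "").lower().endswith("\\lsass.exe"):
        return False
    loaded = e.data.get("ImageLoaded", "").lower()
    return not loaded.startswith(SYSTEM32) or e.data.get("Signed", "true").lower() != "true"


def access_hit(e: Event) -> bool:
    """Sysmon 10: a process outside the baseline opening a handle to lsass.exe."""
    return (e.channel == "Sysmon" and e.code == 10
            and e.data.get("TargetImage", "").lower().endswith("\\lsass.exe")
            and e.data.get("SourceImage", "").lower() not in BENIGN_LSASS_ACCESSORS)


def correlate(events: list[Event], window: timedelta = TIME_WINDOW) -> list[dict]:
    """One alert per registry change followed, on the same host and within the
    window, by a suspicious lsass.exe module load or handle access."""
    alerts = []
    for reg in (e for e in events if registry_hit(e)):
        related = [e for e in events
                   if e.host == reg.host and reg.ts <= e.ts <= reg.ts + window
                   and (module_hit(e) or access_hit(e))]
        if related:
            alerts.append({
                "host": reg.host,
                "key": f'{reg.data["ObjectName"]}\\{reg.data["ObjectValueName"]}',
                "changed_by": reg.data.get("ProcessName"),
                "evidence": [(e.code, e.data.get("ImageLoaded") or e.data.get("SourceImage"))
                             for e in related],
            })
    return alerts


T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed sample data
    Event(T0, "ws01", "Security", 4657, {
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa",
        "ObjectValueName": "Notification Packages",
        "ProcessName": r"C:\Windows\System32\reg.exe"}),
    Event(T0 + timedelta(seconds=40), "ws01", "Sysmon", 7, {
        "Image": r"C:\Windows\System32\lsass.exe",
        "ImageLoaded": r"C:\ProgramData\sample.dll", "Signed": "false"}),
    Event(T0 + timedelta(seconds=55), "ws01", "Sysmon", 10, {
        "SourceImage": r"C:\Users\Public\tool.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    # benign noise: an unrelated key change and a normal lsass.exe DLL load elsewhere
    Event(T0, "ws02", "Security", 4657, {
        "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Contoso", "ObjectValueName": "Version",
        "ProcessName": r"C:\Windows\System32\msiexec.exe"}),
    Event(T0 + timedelta(seconds=5), "ws02", "Sysmon", 7, {
        "Image": r"C:\Windows\System32\lsass.exe",
        "ImageLoaded": r"C:\Windows\System32\lsasrv.dll", "Signed": "true"}),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring the registry change as the anchor keeps the alert volume low: module loads into lsass.exe and handle opens to it are noisy on their own, but are rarely preceded within minutes by a write to the LSA package values.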
Detects modification of PAM configuration files, unauthorized new PAM modules, and suspicious process execution accessing PAM-related binaries. Correlates file modification events in /etc/pam.d/ with process execution of unauthorized binaries.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open, write |
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| WatchedPaths | Critical PAM directories and configuration files monitored for modification. |
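An added example of the PAM analytic over raw auditd records (not code from the original page or from the auditd or Linux-PAM projects). auditd emits one event as several records that share the `msg=audit(timestamp:serial)` header, so the code first groups records by serial, then treats a successful write-capable syscall whose PATH item falls under WatchedPaths as a PAM modification, and correlates it with an execve of a binary from outside trusted directories within a window. The log lines are constructed, the syscall-number table assumes x86_64 (`arch=c000003e`), and the trusted directories and 300-second window are assumed tunables.

```python
"""Group auditd records by serial and correlate PAM file writes with untrusted execs.

Added example, not from the original page. Sample records are constructed in the
raw auditd format; syscall numbers are interpreted as x86_64.
"""
import re
from collections import defaultdict

WATCHED_PATHS = ("/etc/pam.d/", "/etc/security/", "/lib/security/", "/lib64/security/",
                 "/usr/lib64/security/")                       # WatchedPaths tunable
TRUSTED_EXE_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")  # assumed baseline
WINDOW = 300.0  # seconds allowed between PAM modification and untrusted execve

# x86_64 syscall numbers for the calls this analytic cares about
X86_64 = {1: "write", 2: "open", 59: "execve", 82: "rename", 257: "openat", 322: "execveat"}
WRITE_SYSCALLS = {"write", "open", "openat", "rename"}
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0o1, 0o2, 0o100, 0o1000

_HDR = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """One raw auditd line -> dict with type, ts, serial and its key=value fields."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in _KV.findall(body)}
    return {"type": rtype, "ts": float(ts), "serial": int(serial), **fields}


def group_events(lines):
    """Records of one event share the audit serial; collect them together."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def _syscall(recs):
    return next((r for r in recs if r["type"] == "SYSCALL"), None)


def _opens_for_write(sc, name):
    # open(): flags in a1; openat(): flags in a2 (hex); write/rename always count
    if name == "open":
        flags = int(sc.get("a1", "0"), 16)
    elif name == "openat":
        flags = int(sc.get("a2", "0"), 16)
    else:
        return True
    return bool(flags & (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC))


def pam_modifications(events):
    """(ts, path, exe) for successful write-capable syscalls touching WatchedPaths."""
    hits = []
    for recs in events.values():
        sc = _syscall(recs)
        if not sc or sc.get("success") != "yes":
            continue
        name = X86_64.get(int(sc.get("syscall", -1)))
        if name not in WRITE_SYSCALLS or not _opens_for_write(sc, name):
            continue
        for p in (r for r in recs if r["type"] == "PATH" and r.get("nametype") != "PARENT"):
            if p.get("name", "").startswith(WATCHED_PATHS):
                hits.append((sc["ts"], p["name"], sc.get("exe", "")))
    return hits


def untrusted_execs(events):
    """(ts, exe, auid) for successful execve/execveat of binaries outside trusted dirs."""
    execs = []
    for recs in events.values():
        sc = _syscall(recs)
        if (sc and sc.get("success") == "yes"
                and X86_64.get(int(sc.get("syscall", -1))) in ("execve", "execveat")
                and not sc.get("exe", "").startswith(TRUSTED_EXE_DIRS)):
            execs.append((sc["ts"], sc["exe"], sc.get("auid")))
    return execs


def correlate(lines, window=WINDOW):
    events = group_events(lines)
    execs = untrusted_execs(events)
    alerts = []
    for mts, path, mexe in pam_modifications(events):
        followers = [(exe, auid) for ts, exe, auid in execs if mts <= ts <= mts + window]
        if followers:
            alerts.append({"pam_file": path, "modified_by": mexe, "untrusted_exec": followers})
    return alerts


SAMPLE_LINES = [  # constructed auditd records (abridged field sets)
    'type=SYSCALL msg=audit(1714557600.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1a2b3c40 a2=241 a3=1b6 items=2 ppid=1200 pid=1300 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="pam_config"',
    'type=CWD msg=audit(1714557600.101:501): cwd="/root"',
    'type=PATH msg=audit(1714557600.101:501): item=0 name="/etc/pam.d/" inode=131 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT',
    'type=PATH msg=audit(1714557600.101:501): item=1 name="/etc/pam.d/sshd" inode=1337 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1714557600.180:502): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a1e2b0 a1=55d0c0a1e3c0 a2=55d0c0a1e4d0 a3=0 items=2 ppid=1300 pid=1400 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="helper" exe="/tmp/.cache/helper" key="exec"',
    'type=EXECVE msg=audit(1714557600.180:502): argc=1 a0="/tmp/.cache/helper"',
    # benign: sshd reading its PAM config (O_RDONLY|O_CLOEXEC) and a normal sshd exec
    'type=SYSCALL msg=audit(1714557700.000:503): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7f1e00d0a0 a2=80000 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="pam_config"',
    'type=PATH msg=audit(1714557700.000:503): item=0 name="/etc/pam.d/sshd" inode=1337 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1714557700.500:504): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=900 pid=901 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="exec"',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES):
        print(alert)
```

Checking the open flags matters: PAM configuration is read by every login, so a rule that fires on any `openat` of `/etc/pam.d/*` drowns in sshd, sudo and cron noise, while `O_WRONLY|O_RDWR|O_CREAT|O_TRUNC` isolates actual writes.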
Detects unauthorized additions or changes to /Library/Security/SecurityAgentPlugins and suspicious process activity attempting to hook authentication APIs. Correlates file modifications with abnormal plugin loads in authentication flows.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | SecurityAgentPlugins modification |
| Process Access (DC0035) | macos:osquery | process_open |

| Field | Description |
|---|---|
| PluginPaths | List of approved authentication plugin directories to baseline. |
Detects suspicious configuration changes in IdP authentication flows such as enabling reversible password encryption, MFA bypass, or policy weakening. Correlates policy modification events with unusual administrative activity.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | azure:policy | UpdatePolicy |
| User Account Modification (DC0010) | m365:unified | Set-ADUser OR Set-ADAccountControl |

| Field | Description |
|---|---|
| PolicyBaseline | Expected authentication-related policy configurations to compare against. |
Detects unauthorized changes to IAM authentication configurations such as disabling MFA, creating backdoor access keys, or altering trust policies. Correlates identity policy updates with unusual login behavior.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | AWS:CloudTrail | UpdateLoginProfile |
| Cloud Service Modification (DC0069) | AWS:CloudTrail | UpdateAccountPasswordPolicy |

| Field | Description |
|---|---|
| ApprovedAccounts | Baseline list of service accounts expected to modify IAM authentication policies. |
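The AWS analytic as an added example over CloudTrail records (not code from the original page or from AWS). It flags the IAM APIs named in the description, plus the MFA-device, access-key and trust-policy calls the same paragraph alludes to, when the calling principal is not in ApprovedAccounts, and raises severity when that principal had a successful ConsoleLogin without MFA shortly before. The records are constructed JSON using CloudTrail's own field names; the account id `123456789012`, the ARNs, the IPs and the one-hour login window are placeholders and assumptions.

```python
"""Flag IAM authentication-policy changes by non-approved principals and tie them
to recent weak console logins by the same identity.

Added example, not from the original page. CloudTrail records are constructed
with documentation placeholder values (account 123456789012, 203.0.113.0/24).
"""
import json
from datetime import datetime, timedelta

# IAM APIs that weaken or backdoor authentication (real CloudTrail eventName values)
SENSITIVE_IAM_EVENTS = {
    "UpdateLoginProfile", "CreateLoginProfile", "UpdateAccountPasswordPolicy",
    "DeactivateMFADevice", "DeleteVirtualMFADevice", "CreateAccessKey",
    "UpdateAssumeRolePolicy",
}
# ApprovedAccounts tunable: principals expected to change these settings
APPROVED_ACCOUNTS = {"arn:aws:sts::123456789012:assumed-role/iam-automation/pipeline"}
LOGIN_WINDOW = timedelta(hours=1)  # assumed: how far back to look for a weak login


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def principal(rec):
    return rec.get("userIdentity", {}).get("arn", "")


def sensitive_change(rec):
    """Authentication-affecting IAM call made by a principal outside the baseline."""
    return (rec.get("eventSource") == "iam.amazonaws.com"
            and rec.get("eventName") in SENSITIVE_IAM_EVENTS
            and principal(rec) not in APPROVED_ACCOUNTS)


def weak_login(rec):
    """Successful ConsoleLogin recorded with MFAUsed=No."""
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") == "No")


def analyse(records):
    """One alert per sensitive change; severity high when a weak login preceded it."""
    logins = [r for r in records if weak_login(r)]
    alerts = []
    for r in filter(sensitive_change, records):
        prior = [l for l in logins
                 if principal(l) == principal(r)
                 and timedelta(0) <= _ts(r) - _ts(l) <= LOGIN_WINDOW]
        attrs = r.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
        alerts.append({
            "principal": principal(r),
            "api": r["eventName"],
            "target": r.get("requestParameters", {}).get("userName"),
            "session_mfa": attrs.get("mfaAuthenticated"),
            "weak_login_ips": [l["sourceIPAddress"] for l in prior],
            "severity": "high" if prior else "medium",
        })
    return alerts


SAMPLE_TRAIL = json.loads("""[
 {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No"}},
 {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "UpdateLoginProfile", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
  "requestParameters": {"userName": "bob", "passwordResetRequired": false}},
 {"eventTime": "2024-05-01T12:10:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "UpdateAccountPasswordPolicy", "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/iam-automation/pipeline"},
  "requestParameters": {"minimumPasswordLength": 14}},
 {"eventTime": "2024-05-01T12:20:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}}
]""")  # constructed sample records

if __name__ == "__main__":
    for alert in analyse(SAMPLE_TRAIL):
        print(alert)
```

The approved-principal baseline does the heavy lifting: in most accounts these APIs are called only by a pipeline role, so any other caller is worth a ticket, and the absence of MFA on the preceding login is what distinguishes a likely credential misuse from an administrator working outside process.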