Unauthorized creation or modification of DLLs loaded by LSASS, abnormal values under the LSA extension registry keys, and anomalous DLL loads into the lsass.exe process context, correlated with boot or logon events.

| Data Component | Name | Channel |
|---|---|---|
| Module Load (DC0016) | WinEventLog:Security | EventCode=3033 |
| Driver Load (DC0079) | WinEventLog:System | EventCode=6 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=2 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |

| Field | Description |
|---|---|
| TimeWindow | Correlate DLL file creation/modification with LSASS execution within a configurable timeframe (e.g., 5 min) |
| ImagePathPattern | Tune based on known legitimate LSASS plugin DLL paths |
| SignatureValidation | Flag unsigned DLLs loaded into lsass.exe or those signed by unexpected publishers |
| RegistryKeyScope | Scope to specific registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages |
| FileHashAllowList | Exclude known-good LSASS plugin DLLs based on cryptographic hash |
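The correlation described by the two tables above, worked through as an added Python example (this is not code from the ATT&CK page or from any vendor product). It takes a stream of Sysmon-style events, keeps the DLL writes (EventCode 11 and 2), alerts on any key creation or value set under the `RegistryKeyScope` key, and for every module load into lsass.exe checks the hash allow list, the signature and publisher, and whether the same DLL was written within `TimeWindow` before the load. The Sysmon EventCode 7 field layout for module loads, the publisher name, the allow-list hash, the DLL name `demo_lsaext.dll` and all sample events are assumptions constructed for the example.

```python
"""Correlate DLL writes, LSA registry changes and module loads into lsass.exe."""
from datetime import datetime, timedelta

# Tunable fields from the table above; the concrete values are assumptions.
TIME_WINDOW = timedelta(minutes=5)
REGISTRY_KEY_SCOPE = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages"
EXPECTED_PUBLISHERS = {"Microsoft Windows"}
FILE_HASH_ALLOW_LIST = {"SHA256=PLACEHOLDER_KNOWN_GOOD_PLUGIN_HASH"}
LSASS_PATH = r"C:\Windows\System32\lsass.exe"


def _ts(value):
    return datetime.fromisoformat(value)


def detect(events, window=TIME_WINDOW, allow_list=FILE_HASH_ALLOW_LIST,
           publishers=EXPECTED_PUBLISHERS, key_scope=REGISTRY_KEY_SCOPE):
    """Return a list of alert dicts for an unsorted list of event dicts.

    Every event carries 'time' (ISO 8601) and 'EventCode'; the remaining keys
    follow the Sysmon field names for that event type (assumed layout).
    """
    alerts = []

    # Pass 1: index DLL creations (11) and creation-time changes (2) by path.
    dll_writes = {}
    for ev in events:
        if ev["EventCode"] in (11, 2) and ev["TargetFilename"].lower().endswith(".dll"):
            dll_writes.setdefault(ev["TargetFilename"].lower(), []).append(
                (_ts(ev["time"]), ev["Image"]))

    # Pass 2: walk events in time order and evaluate the two alerting paths.
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        code = ev["EventCode"]
        # Registry key creation (12) or value set (13) inside the LSA key scope.
        if code in (12, 13) and ev["TargetObject"].lower().startswith(key_scope.lower()):
            alerts.append({"rule": "lsa_registry_change", "time": ev["time"],
                           "process": ev["Image"], "key": ev["TargetObject"]})
        # Module load into lsass.exe (Sysmon EventCode 7 layout assumed).
        elif code == 7 and ev["Image"].lower() == LSASS_PATH.lower():
            if ev.get("Hashes") in allow_list:
                continue  # FileHashAllowList: known-good plugin, skip all checks
            path = ev["ImageLoaded"]
            load_time = _ts(ev["time"])
            reasons = []
            # SignatureValidation: unsigned, or signed by an unexpected publisher.
            if ev.get("Signed", "false").lower() != "true":
                reasons.append("unsigned DLL loaded into lsass.exe")
            elif ev.get("Signature") not in publishers:
                reasons.append(f"unexpected publisher: {ev.get('Signature')!r}")
            # TimeWindow: the same DLL was written shortly before the load.
            for write_time, writer in dll_writes.get(path.lower(), []):
                age = (load_time - write_time).total_seconds()
                if 0 <= age <= window.total_seconds():
                    reasons.append(f"DLL written by {writer} {int(age)}s before load")
            if reasons:
                alerts.append({"rule": "lsass_module_load", "time": ev["time"],
                               "path": path, "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real logs): one DLL write, one registry
# change under the LSA key, one unsigned load and one benign signed load.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "EventCode": 11,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\demo_lsaext.dll"},
    {"time": "2024-05-01T08:00:30", "EventCode": 13,
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": REGISTRY_KEY_SCOPE, "Details": "msv1_0 demo_lsaext"},
    {"time": "2024-05-01T08:02:00", "EventCode": 7, "Image": LSASS_PATH,
     "ImageLoaded": r"C:\Windows\System32\demo_lsaext.dll",
     "Signed": "false", "Signature": "", "Hashes": "SHA256=CONSTRUCTED0001"},
    {"time": "2024-05-01T08:02:01", "EventCode": 7, "Image": LSASS_PATH,
     "ImageLoaded": r"C:\Windows\System32\msv1_0.dll",
     "Signed": "true", "Signature": "Microsoft Windows",
     "Hashes": "SHA256=CONSTRUCTED0002"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample stream, the function raises two alerts: the value set under `Authentication Packages`, and the load of `demo_lsaext.dll`, which is both unsigned and was written 120 seconds earlier. The signed `msv1_0.dll` load produces nothing. Adding the constructed hash `SHA256=CONSTRUCTED0001` to the allow list suppresses the load alert only, which is how the `FileHashAllowList` field is meant to behave: it exempts a known plugin from the load checks but never silences the registry scope alert.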