Detects anomalous process access to LSASS on domain controllers, suspicious loads of authentication DLLs, and registry or file modifications indicative of Skeleton Key-style patching. Skeleton Key patches authentication code inside LSASS memory (the DLL images on disk are untouched and the patch does not survive a reboot), so the primary signal is a process opening lsass.exe on a DC with memory-write rights (Sysmon EventCode=10 GrantedAccess including PROCESS_VM_WRITE 0x0020 and PROCESS_VM_OPERATION 0x0008) rather than the read-only access typical of credential dumping; file or registry changes matter only where a variant adds persistence. LSASS access attempts are then correlated with subsequent abnormal logon activity on the same DC (accounts, sources or logon types outside the host's baseline) within the correlation window.
| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 (TargetImage=lsass.exe, GrantedAccess with write bits set) |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 (monitored DLL loaded from outside System32 or unsigned) |
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |
| File Modification (DC0061) | WinEventLog:Sysmon or WinEventLog:Security | EventCode=11 (FileCreate) or EventCode=4663 with a SACL on lsass.exe, cryptdll.dll and samsrv.dll; the System log does not record file writes |

| Field | Description |
|---|---|
| MonitoredDLLs | Authentication DLLs whose code Skeleton Key patches in LSASS memory, such as cryptdll.dll and samsrv.dll; used both for module-load checks (load path, signature) and for on-disk tampering checks. |
| TimeWindow | Correlation window between an LSASS memory access, a suspicious module load and the logons that follow on the same DC (for example 30 minutes; tune to the environment). |
| UserContext | Baseline of accounts (and, where available, source addresses) expected to log on to each domain controller; logons outside this baseline within TimeWindow of an LSASS access raise the alert. |
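The correlation described above, as an added Python example that is not part of the original analytic: it runs the three checks (LSASS write access, suspicious authentication-DLL load, out-of-baseline logon within TimeWindow) over a handful of constructed Sysmon and Security events in JSON-lines form. The tunable values (MONITORED_DLLS, TIME_WINDOW, USER_CONTEXT, the trusted System32 prefix) and every host, path, account and address in the sample log are assumptions made for the demonstration.

```python
"""Correlate LSASS write access on a DC with suspicious auth-DLL loads and
subsequent logons. All telemetry below is constructed for illustration."""
import json
from datetime import datetime, timedelta

# Tunables mirroring the analytic's fields; values are assumptions.
MONITORED_DLLS = {"cryptdll.dll", "samsrv.dll"}
TIME_WINDOW = timedelta(minutes=30)
USER_CONTEXT = {"dc01": {"svc_backup", "DC01$"}}   # expected accounts per DC
TRUSTED_SYSTEM32 = "c:\\windows\\system32\\"

# Sysmon EventCode=10 GrantedAccess bits needed to patch LSASS memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events (JSON lines), not real logs.
SAMPLE_LOG = r"""
{"Channel":"Sysmon","EventCode":10,"Computer":"dc01","UtcTime":"2024-05-01T10:00:05","SourceImage":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","TargetImage":"C:\\Windows\\system32\\lsass.exe","GrantedAccess":"0x1010"}
{"Channel":"Sysmon","EventCode":10,"Computer":"dc01","UtcTime":"2024-05-01T10:02:10","SourceImage":"C:\\Temp\\tool.exe","TargetImage":"C:\\Windows\\system32\\lsass.exe","GrantedAccess":"0x1FFFFF"}
{"Channel":"Sysmon","EventCode":7,"Computer":"dc01","UtcTime":"2024-05-01T10:02:11","Image":"C:\\Windows\\system32\\lsass.exe","ImageLoaded":"C:\\Windows\\system32\\cryptdll.dll","Signed":"true"}
{"Channel":"Sysmon","EventCode":7,"Computer":"dc01","UtcTime":"2024-05-01T10:02:12","Image":"C:\\Temp\\tool.exe","ImageLoaded":"C:\\Temp\\samsrv.dll","Signed":"false"}
{"Channel":"Security","EventCode":4624,"Computer":"dc01","UtcTime":"2024-05-01T10:05:00","TargetUserName":"svc_backup","LogonType":3,"IpAddress":"10.0.0.15"}
{"Channel":"Security","EventCode":4624,"Computer":"dc01","UtcTime":"2024-05-01T10:09:30","TargetUserName":"Administrator","LogonType":3,"IpAddress":"10.0.0.77"}
{"Channel":"Security","EventCode":4624,"Computer":"dc01","UtcTime":"2024-05-01T12:00:00","TargetUserName":"Administrator","LogonType":3,"IpAddress":"10.0.0.77"}
"""


def load_events(text):
    """Parse JSON lines and attach a datetime for window arithmetic."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["_time"] = datetime.fromisoformat(e["UtcTime"])
    return events


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lsass_write_access(events):
    """Sysmon 10: a process opened lsass.exe with memory-write rights.
    Read-only handles (e.g. 0x1010) used by AV and dumpers are not matched."""
    return [e for e in events
            if e.get("EventCode") == 10
            and basename(e["TargetImage"]) == "lsass.exe"
            and int(e["GrantedAccess"], 16) & WRITE_MASK]


def suspicious_dll_loads(events):
    """Sysmon 7: a monitored auth DLL loaded from outside System32 or unsigned."""
    hits = []
    for e in events:
        if e.get("EventCode") != 7 or basename(e["ImageLoaded"]) not in MONITORED_DLLS:
            continue
        bad_path = not e["ImageLoaded"].lower().startswith(TRUSTED_SYSTEM32)
        unsigned = str(e.get("Signed", "")).lower() != "true"
        if bad_path or unsigned:
            hits.append(e)
    return hits


def correlate(events):
    """For each LSASS write access, collect same-host suspicious DLL loads and
    logons within TIME_WINDOW whose account is outside the DC's baseline."""
    alerts = []
    loads = suspicious_dll_loads(events)
    for acc in lsass_write_access(events):
        host = acc["Computer"]
        deadline = acc["_time"] + TIME_WINDOW
        expected = USER_CONTEXT.get(host, set())
        logons = [e for e in events
                  if e.get("EventCode") == 4624 and e["Computer"] == host
                  and acc["_time"] <= e["_time"] <= deadline
                  and e["TargetUserName"] not in expected]
        alerts.append({
            "host": host,
            "source_image": acc["SourceImage"],
            "granted_access": acc["GrantedAccess"],
            "dll_loads": [l["ImageLoaded"] for l in loads if l["Computer"] == host],
            "logons": [(l["TargetUserName"], l["IpAddress"]) for l in logons],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the sample data the Defender handle (0x1010, read only) is ignored, the 0x1FFFFF open from C:\Temp\tool.exe is flagged, the signed cryptdll.dll load from System32 is treated as normal while the unsigned samsrv.dll from C:\Temp is attached to the alert, and only the Administrator logon 7 minutes later is reported: svc_backup is in the host baseline and the 12:00 logon falls outside the 30-minute window. In production, replace the JSON-lines source with the SIEM query for the channels in the table above and tune the baseline per DC before alerting.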