Monitor registry modifications to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages or ...\OSConfig\Security Packages, especially insertions of new DLL entries. Correlate each such modification with subsequent DLL module loads into lsass.exe, and track unsigned or otherwise anomalous DLLs loading into LSASS using image load auditing. The conditions this detection is meant to capture are LSASS loading an unsigned DLL (for example on a host whose LSA protection is only auditing via the AuditLevel=8 registry configuration rather than enforcing) and a system reboot followed by a new DLL load into lsass.exe.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TimeWindow | Controls how long after registry modification to expect a DLL load into LSASS (e.g., after reboot) |
| DLLSignatureValidation | Use to detect unsigned DLLs or those not matching known trusted publisher certificates |
| CustomSSPNameList | Define allowed SSP values for your org to reduce false positives |
| BootContextCorrelation | Whether detection should correlate boot-time registry and process events |
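The correlation described above, with the four tunables from the table, as an added worked example (not code from the original detection page): the event dictionaries are constructed, simplified stand-ins for Security 4657, Sysmon Event 1 and Sysmon Event 7 records, so the field names (`object`, `old_value`, `new_value`, `image_loaded`, `signed`) are assumptions rather than the real log schema, and the baseline SSP list is a constructed starting point.

```python
"""Correlate 'Security Packages' registry edits with later DLL loads into lsass.exe.

Added example (not code from the original detection page): event dictionaries
are constructed and simplified stand-ins for Security 4657, Sysmon Event 1 and
Sysmon Event 7 records. Field names below are assumptions, not the exact schema.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Registry values named in the detection: new SSP entries here are the trigger.
SECURITY_PACKAGES_KEYS = {
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages",
}

# CustomSSPNameList: SSP names the organisation expects. Constructed baseline;
# tune it to the fleet to control false positives.
CUSTOM_SSP_NAME_LIST = {"kerberos", "msv1_0", "schannel", "wdigest",
                        "tspkg", "pku2u", "cloudap"}

LSASS_PATH = r"c:\windows\system32\lsass.exe"


def _t(value):
    return datetime.fromisoformat(value)


def inserted_packages(old_value, new_value):
    """SSP names present in the new multi-string value but absent from the old one.
    The REG_MULTI_SZ is modelled as whitespace-separated names (assumption)."""
    return set(new_value.lower().split()) - set(old_value.lower().split())


def correlate(events, time_window=timedelta(hours=24),
              dll_signature_validation=True, boot_context_correlation=True):
    """Return one alert per suspicious lsass.exe module load that follows a
    Security Packages modification within time_window (TimeWindow).

    A load is suspicious when its DLL name matches a newly inserted, non-baseline
    SSP entry, or (DLLSignatureValidation) when the DLL is unsigned. With
    BootContextCorrelation on, the alert records whether lsass.exe was (re)started
    between the registry edit and the load, i.e. the reboot-then-load path.
    """
    reg_mods = [e for e in events
                if e["event"] == 4657 and e["object"] in SECURITY_PACKAGES_KEYS]
    lsass_starts = [e for e in events
                    if e["event"] == 1 and e["image"].lower() == LSASS_PATH]
    lsass_loads = [e for e in events
                   if e["event"] == 7 and e["image"].lower() == LSASS_PATH]

    alerts = []
    for mod in reg_mods:
        suspicious = inserted_packages(mod["old_value"], mod["new_value"]) - CUSTOM_SSP_NAME_LIST
        if not suspicious:
            continue  # only baseline SSPs were (re)written
        t0 = _t(mod["time"])
        for load in lsass_loads:
            t_load = _t(load["time"])
            if not t0 <= t_load <= t0 + time_window:
                continue
            dll_name = PureWindowsPath(load["image_loaded"]).stem.lower()
            name_match = dll_name in suspicious
            unsigned = dll_signature_validation and load.get("signed", "true").lower() != "true"
            if not (name_match or unsigned):
                continue
            reboot_observed = None
            if boot_context_correlation:
                reboot_observed = any(t0 <= _t(s["time"]) <= t_load for s in lsass_starts)
            alerts.append({
                "registry_key": mod["object"],
                "inserted": sorted(suspicious),
                "dll": load["image_loaded"],
                "name_match": name_match,
                "unsigned": unsigned,
                "reboot_observed": reboot_observed,
                "delay": t_load - t0,
            })
    return alerts


# Constructed sample timeline: an SSP entry "sspdemo" is appended, the host
# reboots, lsass.exe loads the matching unsigned DLL, and a load of the same
# DLL three days later falls outside the default 24h window.
SAMPLE_EVENTS = [
    {"event": 4657, "time": "2024-01-10T09:00:00",
     "object": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages",
     "old_value": "kerberos msv1_0 schannel wdigest tspkg pku2u",
     "new_value": "kerberos msv1_0 schannel wdigest tspkg pku2u sspdemo"},
    {"event": 1, "time": "2024-01-10T09:05:00", "image": r"C:\Windows\System32\lsass.exe"},
    {"event": 7, "time": "2024-01-10T09:05:01", "image": r"C:\Windows\System32\lsass.exe",
     "image_loaded": r"C:\Windows\System32\kerberos.dll", "signed": "true"},
    {"event": 7, "time": "2024-01-10T09:05:02", "image": r"C:\Windows\System32\lsass.exe",
     "image_loaded": r"C:\Windows\System32\sspdemo.dll", "signed": "false"},
    {"event": 7, "time": "2024-01-13T09:05:02", "image": r"C:\Windows\System32\lsass.exe",
     "image_loaded": r"C:\Windows\System32\sspdemo.dll", "signed": "false"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two practical points when wiring this to real telemetry: Security event 4657 only fires for keys that carry an object-access SACL with Set Value auditing and the Registry audit subcategory enabled, so the Security Packages values need that SACL applied for the first data component to produce anything at all; and the constructed `signed` field stands in for Sysmon Event 7's own `Signed`, `Signature` and `SignatureStatus` fields, which is where the DLLSignatureValidation check should read from in production. The example is keyed on the registry modification, so an unsigned LSASS module load with no preceding Security Packages change is deliberately left to a separate image-load analytic.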