Boot or Logon Autostart Execution: LSASS Driver

Other sub-techniques of Boot or Logon Autostart Execution (14)

ID	Name
T1547.001	Registry Run Keys / Startup Folder
T1547.002	Authentication Package
T1547.003	Time Providers
T1547.004	Winlogon Helper DLL
T1547.005	Security Support Provider
T1547.006	Kernel Modules and Extensions
T1547.007	Re-opened Applications
T1547.008	LSASS Driver
T1547.009	Shortcut Modification
T1547.010	Port Monitors
T1547.012	Print Processors
T1547.013	XDG Autostart Entries
T1547.014	Active Setup
T1547.015	Login Items

Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.^[1]

Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., Hijack Execution Flow), an adversary can use LSA operations to continuously execute malicious payloads.

ID: T1547.008

Sub-technique of: T1547

ⓘ

Tactics: Persistence, Privilege Escalation

ⓘ

Platforms: Windows

ⓘ

Permissions Required: Administrator, SYSTEM

Contributors: Vincent Le Toux

Version: 1.0

Created: 24 January 2020

Last Modified: 20 April 2022

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
S0208	Pasam	Pasam establishes by infecting the Security Accounts Manager (SAM) DLL to load a malicious DLL dropped to disk.^[2]
S0176	Wingbird	Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe before the spoofed service becomes unstable and crashes.^[3]^[4]

Mitigations

ID	Mitigation	Description
M1043	Credential Access Protection	On Windows 10 and Server 2016, enable Windows Defender Credential Guard ^[5] to run lsass.exe in an isolated virtualized environment without any device drivers. ^[6]
M1025	Privileged Process Integrity	On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL` to `dword:00000001`. ^[7] LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.
M1044	Restrict Library Loading	Ensure safe DLL search mode is enabled `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode` to mitigate risk that lsass.exe loads a malicious code library. ^[8]

Detection

ID	Data Source	Data Component	Detects
DS0027	Driver	Driver Load	With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. ^[7] Utilize the Sysinternals Autoruns/Autorunsc utility ^[9] to examine loaded drivers associated with the LSA.
DS0022	File	File Creation	Monitor newly constructed files that may modify or add LSASS drivers to obtain persistence on compromised systems.
		File Modification	Monitor for changes made to files that may modify or add LSASS drivers to obtain persistence on compromised systems.
DS0011	Module	Module Load	Also monitor DLL load operations in lsass.exe. ^[8]

Boot or Logon Autostart Execution: LSASS Driver

Other sub-techniques of Boot or Logon Autostart Execution (14)

Procedure Examples

Mitigations

Detection

References