
DET0207 Detect LSA Authentication Package Persistence via Registry and LSASS DLL Load

ID: DET0207
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1547.002 (Authentication Package)

Analytics

Windows

AN0583

Registry modification of the LSA Authentication Packages key followed by LSASS loading a non-standard or unsigned DLL. This includes unusual write access to HKLM\SYSTEM\CurrentControlSet\Control\Lsa, especially outside installation timeframes, correlated with lsass.exe loading DLLs that are not present in the baseline or that lack valid signatures.

Log Sources
Windows Registry Key Modification (DC0063): WinEventLog:Security EventCode=4657
Module Load (DC0016): WinEventLog:Sysmon EventCode=7
Mutable Elements
TimeWindow: Time between the registry write and the DLL load; tune based on reboot cycles or scheduled maintenance
ImageSignatureStatus: Allow-listing of known signed DLLs loaded by LSASS versus unknown/untrusted ones
RegistryPathScope: Allow tuning for subkeys beyond just Authentication Packages (e.g., Security Packages, Notification Packages)
UserContext: Correlate the user responsible for the registry edit; tune for expected administrative/service accounts
ParentProcess: Validate process lineage for the registry modification; expected tools include reg.exe or powershell.exe
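As an added example that is not part of the ATT&CK entry, the script below runs the AN0583 correlation over constructed Security 4657 and Sysmon 7 events: an in-scope write to the Lsa key is paired with later lsass.exe module loads, and only unsigned or non-baseline DLLs surface. The two-hour window, the baseline DLL set, the expected-editor set and all sample paths are assumptions to be tuned per environment.

```python
from datetime import datetime

# Tunables named after the page's mutable elements; values are assumptions.
TIME_WINDOW_S = 7200                          # TimeWindow
REGISTRY_PATH_SCOPE = ("Authentication Packages", "Security Packages",
                       "Notification Packages")  # RegistryPathScope
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
BASELINE_DLLS = {"msv1_0.dll", "kerberos.dll"}   # ImageSignatureStatus allow list (illustrative)
EXPECTED_EDITORS = {"reg.exe", "powershell.exe"}  # ParentProcess

# Constructed sample events: one 4657 registry write, two Sysmon 7 loads by lsass.exe.
SAMPLE_EVENTS = [
    {"code": 4657, "time": "2025-10-21 03:10:00", "object": LSA_KEY,
     "value_name": "Authentication Packages", "user": "svc-backup",
     "process": r"C:\Windows\System32\reg.exe"},
    {"code": 7, "time": "2025-10-21 03:10:30", "image": r"C:\Windows\System32\lsass.exe",
     "loaded": r"C:\Windows\System32\msv1_0.dll", "signed": True},
    {"code": 7, "time": "2025-10-21 03:42:00", "image": r"C:\Windows\System32\lsass.exe",
     "loaded": r"C:\Windows\Temp\authpkg.dll", "signed": False},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def correlate(events, window_s=TIME_WINDOW_S):
    """Pair each in-scope LSA registry write with lsass.exe loads that follow it
    within window_s seconds and involve an unsigned or non-baseline DLL."""
    writes = [e for e in events if e["code"] == 4657
              and e["object"].lower() == LSA_KEY.lower()
              and e["value_name"] in REGISTRY_PATH_SCOPE]
    loads = [e for e in events if e["code"] == 7
             and _basename(e["image"]) == "lsass.exe"]
    alerts = []
    for w in writes:
        for l in loads:
            delay = (_ts(l["time"]) - _ts(w["time"])).total_seconds()
            if not 0 <= delay <= window_s:
                continue                      # load outside the TimeWindow
            if l["signed"] and _basename(l["loaded"]) in BASELINE_DLLS:
                continue                      # known signed LSA package: benign
            alerts.append({"value_name": w["value_name"], "user": w["user"],
                           "editor": _basename(w["process"]),
                           "editor_expected": _basename(w["process"]) in EXPECTED_EDITORS,
                           "dll": l["loaded"], "signed": l["signed"],
                           "delay_s": int(delay)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The UserContext and ParentProcess fields are carried on each alert so that an expected editor or service account can be filtered downstream rather than suppressed at correlation time.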