Skip to content

DET0225 Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows)

Item Value
ID DET0225
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1547.008 (LSASS Driver)

Analytics

Windows

AN0629

Unauthorized creation or modification of DLLs loaded by LSASS, abnormal registry values under LSA extensions, and anomalous DLL load activity into the lsass.exe process context—correlated during boot or logon events.

Log Sources
Data Component Name Channel
Module Load (DC0016) WinEventLog:Security EventCode=3033
Driver Load (DC0079) WinEventLog:Sysmon EventCode=6
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
File Modification (DC0061) WinEventLog:Sysmon EventCode=2
Windows Registry Key Creation (DC0056) WinEventLog:Sysmon EventCode=12
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13, 14
Mutable Elements
Field Description
TimeWindow Correlate DLL file creation/modification with LSASS execution within a configurable timeframe (e.g., 5 min)
ImagePathPattern Tune based on known legitimate LSASS plugin DLL paths
SignatureValidation Flag unsigned DLLs loaded into lsass.exe or those signed by unexpected publishers
RegistryKeyScope Scope to specific registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
FileHashAllowList Exclude known-good LSASS plugin DLLs based on cryptographic hash