DET0542 Registry and LSASS Monitoring for Security Support Provider Abuse

Item	Value
ID	DET0542
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1547.005 (Security Support Provider)

Analytics

Windows

AN1495

Monitor registry modifications to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages or ...\OSConfig\Security Packages, especially insertions of new DLL entries. Correlate this with subsequent DLL module loads into lsass.exe. Track unsigned or anomalous DLLs loading into LSASS using image load auditing. LSASS loads unsigned DLL due to AuditLevel=8 registry configuration or System reboot followed by DLL load into lsass.exe

Log Sources

Data Component	Name	Channel
Windows Registry Key Modification (DC0063)	WinEventLog:Security	EventCode=4657
Module Load (DC0016)	WinEventLog:Sysmon	EventCode=7
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1

Mutable Elements

Field	Description
TimeWindow	Controls how long after registry modification to expect a DLL load into LSASS (e.g., after reboot)
DLLSignatureValidation	Use to detect unsigned DLLs or those not matching known trusted publisher certificates
CustomSSPNameList	Define allowed SSP values for your org to reduce false positives
BootContextCorrelation	Whether detection should correlate boot-time registry and process events