Technique on mitre.org

T1547.008: LSASS Driver

Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.

Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., Hijack Execution Flow), an adversary can use LSA operations to continuously execute malicious payloads.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_cred_access: PT-CR-770: Lsass_DLL_Injection: A library was injected into the Local Security Authority Subsystem Service (LSASS) process. After a user logs in, the system creates various credentials and stores them in the LSASS process memory.

Detection

ID	DS0011	Data source and component	Module: Module Load	Description	Also monitor DLL load operations in lsass.exe.

ID	DS0022	Data source and component	File: File Creation	Description	Monitor newly constructed files that may modify or add LSASS drivers to obtain persistence on compromised systems.

ID	DS0022	Data source and component	File: File Modification	Description	Monitor for changes made to files that may modify or add LSASS drivers to obtain persistence on compromised systems.

ID	DS0027	Data source and component	Driver: Driver Load	Description	With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. Utilize the Sysinternals Autoruns/Autorunsc utility to examine loaded drivers associated with the LSA.

ID	Data source and component	Description
DS0011	Module: Module Load	Also monitor DLL load operations in lsass.exe.
DS0022	File: File Creation	Monitor newly constructed files that may modify or add LSASS drivers to obtain persistence on compromised systems.
DS0022	File: File Modification	Monitor for changes made to files that may modify or add LSASS drivers to obtain persistence on compromised systems.
DS0027	Driver: Driver Load	With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. Utilize the Sysinternals Autoruns/Autorunsc utility to examine loaded drivers associated with the LSA.

Mitigation

ID	M1025	Name	Privileged Process Integrity	Description	On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL` to `dword:00000001`. LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.

ID	M1043	Name	Credential Access Protection	Description	On Windows 10 and Server 2016, enable Windows Defender Credential Guard to run lsass.exe in an isolated virtualized environment without any device drivers.

ID	M1044	Name	Restrict Library Loading	Description	Ensure safe DLL search mode is enabled `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode` to mitigate risk that lsass.exe loads a malicious code library.

ID	Name	Description
M1025	Privileged Process Integrity	On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL` to `dword:00000001`. LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.
M1043	Credential Access Protection	On Windows 10 and Server 2016, enable Windows Defender Credential Guard to run lsass.exe in an isolated virtualized environment without any device drivers.
M1044	Restrict Library Loading	Ensure safe DLL search mode is enabled `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode` to mitigate risk that lsass.exe loads a malicious code library.