Show in Graph
Common Information
Type Value
Value 
LSASS Driver - T1177
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem) Adversaries may target lsass.exe drivers to obtain execution and/or persistence. By either replacing or adding illegitimate drivers (e.g., DLL Side-Loading or DLL Search Order Hijacking), an adversary can achieve arbitrary code execution triggered by continuous LSA operations. Detection: With LSA Protection enabled, monitor the event logs (Events 3033 and 3063) for failed attempts to load LSA plug-ins and drivers. (Citation: Microsoft LSA Protection Mar 2014) Utilize the Sysinternals Autoruns/Autorunsc utility (Citation: TechNet Autoruns) to examine loaded drivers associated with the LSA. Utilize the Sysinternals Process Monitor utility to monitor DLL load operations in lsass.exe. (Citation: Microsoft DLL Security) Platforms: Windows Data Sources: API monitoring, DLL monitoring, File monitoring, Kernel drivers, Loaded DLLs, Process Monitoring Permissions Required: Administrator, SYSTEM Remote Support: No Contributors: Vincent Le Toux
Details Published Attributes CTI Title
Details Website 2023-03-07 1 Persistent Threats: Abusing BITS Jobs and Modifying LSASS Drivers
Details Website 2022-12-27 130 BlueNoroff introduces new methods bypassing MoTW
Details Website 2021-11-16 70 Return of Emotet malware | Zscaler
Details Website 2016-01-13 1 下一代防火墙的几个思考 – 绿盟科技技术博客