LSASS Driver

let KnownLsaDlls = dynamic(["msv1_0.dll", "kerberos.dll", "wdigest.dll", "tspkg.dll", "schannel.dll", "pku2u.dll", "cloudAP.dll", "negoexts.dll", "msprivs.dll", "lsasrv.dll", "samsrv.dll", "ntdsai.dll"]);
DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "lsass.exe"
| where not(FileName in~ (KnownLsaDlls))
| where not(FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| sort by Timestamp desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
  Image="*\\lsass.exe"
  NOT (ImageLoaded="C:\\Windows\\System32\\*" OR ImageLoaded="C:\\Windows\\SysWOW64\\*" OR ImageLoaded="C:\\Windows\\WinSxS\\*")
| table _time, host, Image, ImageLoaded, Hashes, Signed, SignatureStatus
| sort - _time

library where process.name : "lsass.exe" and
not dll.path : ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\WinSxS\\*") and
not dll.name : ("msv1_0.dll", "kerberos.dll", "wdigest.dll", "tspkg.dll", "schannel.dll", "pku2u.dll", "cloudAP.dll", "negoexts.dll", "msprivs.dll", "lsasrv.dll", "samsrv.dll", "ntdsai.dll")

SELECT DATEFORMAT(deviceTime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       sourceip,
       "hostname",
       QIDNAME(qid) AS event_name,
       "filename" AS loaded_dll,
       "filepath" AS dll_path,
       "username"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  AND QIDNAME(qid) ILIKE '%image load%'
  AND "ParentImage" ILIKE '%\\lsass.exe'
  AND "ImageLoaded" NOT ILIKE 'C:\\Windows\\System32\\%'
  AND "ImageLoaded" NOT ILIKE 'C:\\Windows\\SysWOW64\\%'
  AND "ImageLoaded" NOT ILIKE 'C:\\Windows\\WinSxS\\%'
  AND "filename" NOT ILIKE 'msv1_0.dll'
  AND "filename" NOT ILIKE 'kerberos.dll'
  AND "filename" NOT ILIKE 'wdigest.dll'
  AND "filename" NOT ILIKE 'tspkg.dll'
  AND "filename" NOT ILIKE 'schannel.dll'
  AND "filename" NOT ILIKE 'pku2u.dll'
  AND "filename" NOT ILIKE 'cloudAP.dll'
  AND "filename" NOT ILIKE 'negoexts.dll'
  AND "filename" NOT ILIKE 'msprivs.dll'
  AND "filename" NOT ILIKE 'lsasrv.dll'
  AND "filename" NOT ILIKE 'samsrv.dll'
  AND "filename" NOT ILIKE 'ntdsai.dll'
LAST 24 HOURS
ORDER BY deviceTime DESC

_sourceCategory=windows/sysmon
| where EventID = "7"
| where Image matches "*\\lsass.exe"
| where !(ImageLoaded matches "C:\\Windows\\System32\\*") and !(ImageLoaded matches "C:\\Windows\\SysWOW64\\*") and !(ImageLoaded matches "C:\\Windows\\WinSxS\\*")
| parse field=ImageLoaded "*\\*" as dll_path, dll_name
| where dll_name != "msv1_0.dll"
  and dll_name != "kerberos.dll"
  and dll_name != "wdigest.dll"
  and dll_name != "tspkg.dll"
  and dll_name != "schannel.dll"
  and dll_name != "pku2u.dll"
  and dll_name != "cloudAP.dll"
  and dll_name != "negoexts.dll"
  and dll_name != "msprivs.dll"
  and dll_name != "lsasrv.dll"
  and dll_name != "samsrv.dll"
  and dll_name != "ntdsai.dll"
| fields _messageTime, Computer, Image, ImageLoaded, dll_name, Hashes, Signed, SignatureStatus
| sort by _messageTime desc

rule lsass_driver_implant_t1547_008 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects non-standard DLL loads by lsass.exe from outside trusted Windows system directories, indicating a potential LSA driver implant for persistence (T1547.008)"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1547.008"
    severity = "CRITICAL"
    confidence = "HIGH"
    created = "2026-04-20"

  events:
    $e.metadata.event_type = "PROCESS_MODULE_LOAD"
    $e.principal.process.file.full_path = /(?i)\\lsass\.exe$/
    not $e.target.file.full_path = /(?i)^[Cc]:\\Windows\\System32\\/
    not $e.target.file.full_path = /(?i)^[Cc]:\\Windows\\SysWOW64\\/
    not $e.target.file.full_path = /(?i)^[Cc]:\\Windows\\WinSxS\\/
    not $e.target.file.full_path = /(?i)\\(msv1_0\.dll|kerberos\.dll|wdigest\.dll|tspkg\.dll|schannel\.dll|pku2u\.dll|cloudAP\.dll|negoexts\.dll|msprivs\.dll|lsasrv\.dll|samsrv\.dll|ntdsai\.dll)$/

  condition:
    $e
}

#event_simpleName=ClassifiedModuleLoad
| ImageFileName = /(?i)\\lsass\.exe$/
| ModuleFileName != /(?i)^\\Device\\HarddiskVolume\d+\\Windows\\System32\\/
| ModuleFileName != /(?i)^\\Device\\HarddiskVolume\d+\\Windows\\SysWOW64\\/
| ModuleFileName != /(?i)^\\Device\\HarddiskVolume\d+\\Windows\\WinSxS\\/
| ModuleFileName != /(?i)\\(msv1_0\.dll|kerberos\.dll|wdigest\.dll|tspkg\.dll|schannel\.dll|pku2u\.dll|cloudAP\.dll|negoexts\.dll|msprivs\.dll|lsasrv\.dll|samsrv\.dll|ntdsai\.dll)$/
| table([_time, ComputerName, ImageFileName, ModuleFileName, SHA256HashData, ImageSubsystem])
| sort(field=_time, order=desc)