Elastic Security Detection Rules

Suspicious Module Loaded by LSASS

Last updated 19 days ago on 2026-05-06
Created 3 years ago on 2022-12-28

About

Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Credential AccessData Source: Elastic DefendLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

OS Credential Dumping (T1003)(external, opens in a new tab or window)

Persistence (TA0003)(external, opens in a new tab or window)

Boot or Logon Autostart Execution (T1547)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.library-*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
library where host.os.type == "windows" and event.action == "load" and
  process.executable : "?:\\Windows\\System32\\lsass.exe" and
  not (
        dll.code_signature.subject_name : (
            "Algorithmic Research LTD.",
            "Amazon Web Services, Inc.",
            "Apple Inc.",
            "Audinate Pty Ltd",
            "AuriStor, Inc.",
            "Bit4id",
            "Carbon Black, Inc.",
            "Check Point Software Technologies Ltd.",
            "Citrix Systems, Inc.",
            "CyberArk Software Ltd.",
            "Dell Inc",
            "DigitalPersona, Inc.",
            "EasyAntiCheat Oy",
            "Entrust Corporation",
            "Entrust Datacard Corporation",
            "Entrust, Inc.",
            "F5 Networks Inc",
            "Fortinet, Inc.",
            "Fortinet Technologies (Canada) Inc.",
            "FrontRange Solutions Deutschland GmbH",
            "GEMALTO SA",
            "gemalto",
            "Hewlett-Packard Company",
            "HID Global",
            "HID Global Corporation",
            "HYPR Corp",
            "IDEMIA IDENTITY & SECURITY FRANCE SAS",
            "IDEMIA France SAS",
            "Intel(R) Software Development Products",
            "Istituto Poligrafico e Zecca dello Stato S.p.A.",
            "LogMeIn, Inc.",
            "McAfee, Inc.",
            "McAfeeSysPrep",
            "Micro Focus (US), Inc.",
            "Micro Focus International plc",
            "Microsoft Corporation",
            "Microsoft Windows",
            "Microsoft Windows Hardware Compatibility Publisher",
            "Microsoft Windows Publisher",
            "Microsoft Windows Software Compatibility Publisher",
            "Morphisec Information Security 2014 Ltd",
            "Musarubra US LLC",
            "National Instruments Corporation",
            "Novell, Inc.",
            "Nubeva Technologies Ltd",
            "NVIDIA Corporation PE Sign v2016",
            "Palo Alto Networks (Netherlands) B.V.",
            "Parallels International GmbH",
            "PGP Corporation",
            "QUEST SOFTWARE INC.",
            "SecMaker AB",
            "Secure Endpoints, Inc.",
            "SecureLink, Inc.",
            "SentinelOne Inc.",
            "SentryBay Limited",
            "Sophos Ltd",
            "Symantec Corporation",
            "Thales DIS CPL USA, Inc.",
            "Tidexa OU",
            "Trend Micro, Inc.",
            "VMware, Inc.",
            "Yubico AB"
        ) and
        dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")
  ) and

  not dll.hash.sha256 : (
          "811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",
          "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1",
          "ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3",
          "26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12",
          "9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa",
          "d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b",
          "0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61",
          "4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb",
          "86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95",
          "4af1fee3369d9a993a84f54eafb72a661633c33e9e12fb3dd151a6a2cddbd404"
  ) and
  not dll.path : (
        "C:\\Windows\\System32\\CertPolEng.dll",
        "C:\\Windows\\System32\\FWPUCLNT.DLL",
        "C:\\Windows\\System32\\keyiso.dll",
        "C:\\Windows\\System32\\ngcpopkeysrv.dll",
        "C:\\Windows\\System32\\SecureTimeAggregator.dll",
        "C:\\Windows\\System32\\vaultsvc.dll"
  )

Install detection rules in Elastic Security

Detect Suspicious Module Loaded by LSASS in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).