
Summary
This detection rule identifies the loading of Dynamic Link Libraries (DLLs) into the Local Security Authority Subsystem Service (LSASS) process via an undocumented Registry key. It focuses on specific Registry paths associated with directory service extensions, in particular the NTDS (Active Directory) service, where writes are indicative of unusual behaviour. The rule uses Registry event logs to monitor attempts to register a DLL under these keys so that it is loaded into LSASS; such a write is suspicious even when the DLL is one normally associated with legitimate system operations. This method is commonly associated with post-exploitation techniques used by attackers to maintain access or to exfiltrate credentials stealthily, and its relevance is underscored by the historical use of tools like Mimikatz that leverage similar methods to extract sensitive data from memory. Detected events will come from systems on which LSASS is actively executing, ensuring that only behaviours posing significant risk are highlighted.
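As an added example (not the rule's own logic), the check below runs the detection over constructed Sysmon-style Registry SetValue events: it flags a DLL path written to an LSASS/NTDS extension-point value. The watched value names under the NTDS service key are assumptions that match the behaviour the summary describes, not values taken from this page.

```python
# Added example: registry-event detection for DLLs registered under the
# NTDS extension points that LSASS loads. Not the rule's own code.
import re

# Assumed value paths (suffix match on the Sysmon TargetObject field).
WATCHED_KEY_SUFFIXES = (
    r"\Services\NTDS\DirectoryServiceExtPt",
    r"\Services\NTDS\LsaDbExtPt",
)

# The written data should be a path to a DLL (REG_SZ / REG_EXPAND_SZ).
DLL_PATH = re.compile(r"\.dll\s*$", re.IGNORECASE)


def detect_lsass_dll_load(events):
    """Return (target_key, dll_path, writing_image) for each SetValue
    event that writes a DLL path under one of the watched NTDS values."""
    hits = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        target = ev.get("TargetObject", "")
        if not any(target.upper().endswith(s.upper())
                   for s in WATCHED_KEY_SUFFIXES):
            continue
        details = ev.get("Details", "")
        if DLL_PATH.search(details):
            hits.append((target, details, ev.get("Image", "")))
    return hits


# Constructed sample events in the shape of Sysmon Event ID 12/13 fields.
SAMPLE_EVENTS = [
    {"EventType": "SetValue",  # benign NTDS parameter write, not watched
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database file",
     "Details": r"C:\Windows\NTDS\ntds.dit",
     "Image": r"C:\Windows\System32\lsass.exe"},
    {"EventType": "SetValue",  # DLL registered at the extension point
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt",
     "Details": r"C:\Users\Public\ext.dll",
     "Image": r"C:\Windows\System32\reg.exe"},
    {"EventType": "DeleteValue",  # removal, not a load
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt",
     "Details": "",
     "Image": r"C:\Windows\System32\reg.exe"},
]

if __name__ == "__main__":
    for key, dll, image in detect_lsass_dll_load(SAMPLE_EVENTS):
        print(f"ALERT: {image} registered {dll} at {key}")
```

In production the writing process (the Process data source) should be kept with the alert, since a write originating from anything other than expected setup tooling is the strongest triage signal.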
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
Created: 2019-10-16