
Summary
This detection rule identifies attempts to register a password filter DLL on a Windows system: a DLL dropped into the system32 directory that is loaded by the Local Security Authority Subsystem Service (LSASS) and may be used to intercept user credentials. The rule monitors the command-line arguments of process creation events. Specifically, it looks for commands that reference registry keys indicative of password filter configuration (e.g., `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, the LSA configuration key) together with commands that modify such settings or install the DLL (e.g., `reg add`). The aim is to catch credential theft attempts that abuse the password filter mechanism through unauthorized registry changes before they succeed.
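As an added example (not the rule's own logic or a detection engine's code), a small Python scanner that applies the matching described above to constructed process-creation events; the event field names, the extra `Notification Packages` value check and the severity tiers are assumptions about how such a rule might be implemented.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# these are not real telemetry from the page or any incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages" '
                    r'/t REG_MULTI_SZ /d "scecli\0example_filter" /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Temp\u.exe /f"},
]

# The LSA configuration key named on the page; matched case-insensitively because
# reg.exe accepts any casing and attackers vary it.
LSA_KEY_RE = re.compile(r"hklm\\system\\currentcontrolset\\control\\lsa", re.I)
# "reg add" (or "reg.exe add") anywhere in the command line, e.g. behind "cmd /c".
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\b\s+add\b", re.I)
# Assumption: the multi-string value that lists password filter DLLs is
# "Notification Packages"; writes to it get the higher severity.
NOTIFICATION_PACKAGES_RE = re.compile(r"notification\s+packages", re.I)


def classify(command_line):
    """Return None when the event does not match, else 'high' or 'medium'."""
    cl = command_line.replace('"', "")  # quoting around the key path varies
    if not (REG_ADD_RE.search(cl) and LSA_KEY_RE.search(cl)):
        return None
    # Any "reg add" under the Lsa key is suspicious (medium); naming the
    # password filter list itself is the strongest signal (high).
    return "high" if NOTIFICATION_PACKAGES_RE.search(cl) else "medium"


def scan(events):
    """Apply classify() to each event and return (command line, severity) hits."""
    return [(e["CommandLine"], sev) for e in events if (sev := classify(e["CommandLine"]))]


if __name__ == "__main__":
    for cmd, sev in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {cmd}")
```

Reads of the key (`reg query`) and `reg add` against unrelated keys are ignored, so the two hits above are the password filter registration and the generic LSA modification.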
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2020-10-29