{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/dell-inc/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Algorithmic Research LTD.","Amazon Web Services, Inc.","Apple Inc.","Audinate Pty Ltd","AuriStor, Inc.","Bit4id","Carbon Black, Inc.","Check Point Software Technologies Ltd.","Citrix Systems, Inc.","CyberArk Software Ltd.","Dell Inc","DigitalPersona, Inc.","EasyAntiCheat Oy","Entrust Corporation","Entrust Datacard Corporation","Entrust, Inc.","F5 Networks Inc","Fortinet","FrontRange Solutions Deutschland GmbH","GEMALTO SA","Hewlett-Packard Company","HID Global","HYPR Corp","IDEMIA IDENTITY \u0026 SECURITY FRANCE SAS","Intel","Istituto Poligrafico e Zecca dello Stato S.p.A.","LogMeIn, Inc.","McAfee","Micro Focus","Microsoft","Morphisec Information Security 2014 Ltd","Musarubra US LLC","National Instruments Corporation","Novell, Inc.","Nubeva Technologies Ltd","NVIDIA","Palo Alto Networks","Parallels International GmbH","PGP Corporation","QUEST SOFTWARE INC.","SecMaker AB","Secure Endpoints, Inc.","SecureLink, Inc.","SentinelOne Inc.","SentryBay Limited","Sophos Ltd","Symantec Corporation","Thales DIS CPL USA, Inc.","Tidexa OU","Trend Micro","VMware","Yubico AB"],"content_html":"\u003cp\u003eThis rule detects the loading of unsigned or untrusted DLLs into the Local Security Authority Subsystem Service (LSASS) process on Windows systems. LSASS is a critical component responsible for managing security policies and handling user authentication, making it a prime target for credential theft. Attackers often attempt to load malicious DLLs into LSASS to gain access to encrypted and plaintext passwords. 
This can lead to the compromise of user accounts, including domain administrator accounts. The Elastic detection rule identifies such threats by monitoring for DLLs loaded into the LSASS process that lack a valid code signature from a trusted vendor and that also match neither the rule\u0026rsquo;s list of known-good DLL hashes nor its list of known-good file paths; a module must fail all three checks to raise an alert, so the trusted-vendor list and the exclusion lists are where both false positives and missed detections come from. The underlying technique remains relevant in modern environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through various means (e.g., phishing, exploiting vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains local administrator privileges on the target system; without them, neither writing to the LSA registry key nor injecting into LSASS is possible.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL onto the file system.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the system to load the malicious DLL into the LSASS process, typically by adding the DLL\u0026rsquo;s name to the REG_MULTI_SZ value \u0026ldquo;Security Packages\u0026rdquo; under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa (or its OSConfig subkey) so that LSASS treats it as a Security Support Provider (SSP). Alternatively, the attacker can call the AddSecurityPackage API to register the SSP at runtime, or inject the DLL directly into the running process.\u003c/li\u003e\n\u003cli\u003eLSASS loads the malicious DLL at the next boot, since registered SSPs are loaded when LSASS starts, or immediately if runtime registration or injection was used.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL intercepts and captures credentials handled by LSASS, such as user passwords and smart card PINs; an SSP receives the plaintext credentials at each logon, so no hash cracking is needed.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the captured credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to escalate privileges or move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of user accounts, including those with domain administrator privileges. This allows the attacker to gain complete control over the affected Windows domain, potentially leading to data breaches, ransomware deployment, or other malicious activities. 
The impact is significant, as LSASS is a core component of the Windows security model. The number of affected accounts depends on how far the attacker moves laterally with the captured credentials and which privileges those credentials carry.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;LSASS Loading Unsigned or Untrusted DLL\u0026rdquo; to your SIEM to detect suspicious DLLs being loaded into LSASS.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon logging for process creation (Event ID 1) and image loads (Event ID 7), or EDR telemetry that records the loaded module\u0026rsquo;s path, hash, and signature status; the rule cannot evaluate signer trust without those fields.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the exclusion lists in the Sigma rule to account for legitimate software vendors and DLLs specific to your environment, and keep path exclusions narrow: an administrator-level attacker can write into System32, so excluding whole system directories would hide the very loads the rule exists to catch.\u003c/li\u003e\n\u003cli\u003eEnable LSA Protection (the RunAsPPL setting) so that LSASS runs as a Protected Process Light; in that mode LSASS only loads plug-ins carrying a Microsoft signature, which blocks the SSP step of the attack chain outright, although an attacker with kernel-level code execution can still disable it.\u003c/li\u003e\n\u003cli\u003eImplement application control (for example WDAC or AppLocker with DLL rules) to prevent unauthorized DLLs from being loaded into critical processes like LSASS.\u003c/li\u003e\n\u003cli\u003eMonitor writes to the \u0026ldquo;Security Packages\u0026rdquo; value under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa and its OSConfig subkey (Sysmon Event ID 13) and, where your EDR exposes it, calls to AddSecurityPackage, so that an unauthorized SSP registration is caught before the next reboot loads it.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule promptly, following the triage and analysis steps outlined in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-lsass-suspicious-module-load/","summary":"Detection of unsigned or untrusted DLLs being loaded into the LSASS process, which is indicative of credential access attempts by adversaries aiming to steal sensitive information such as user passwords.","title":"Suspicious Module Loaded by LSASS for Credential Access","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-suspicious-module-load/"}],"language":"en","title":"CraftedSignal Threat Feed — Dell Inc","version":"https://jsonfeed.org/version/1.1"}
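The detection logic the brief describes (a trusted-signer check plus hash and path exclusions for DLLs loaded into LSASS) together with the registry monitoring it recommends for SSP registrations, as an added Python example written for this page; it is not code from the feed, from Elastic's rule or from the Sigma rule. It runs over constructed Sysmon-style events carrying Event ID 7 and Event ID 13 fields. The signer subset, the "Contoso" exclusion entries, the placeholder hash and the SSP baseline are assumptions made for the example.

```python
"""Added example: the brief's detection logic over constructed Sysmon-style events.
Event ID 7 (Image loaded) covers DLLs mapped into lsass.exe; Event ID 13 (registry
value set) covers writes to the LSA "Security Packages" value that makes LSASS load an SSP."""
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the trusted-signer list. A load is trusted only when the Authenticode
# signature validates AND the signer's subject name is on this list.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher",
                   "Dell Inc", "Elastic", "CyberArk Software Ltd.", "Yubico AB"}
# Per-environment exclusions (hypothetical entries, not real files). Keep path exclusions
# narrow: an admin-level attacker can write into System32, so excluding whole system
# directories would hide exactly the loads this rule exists to catch.
KNOWN_GOOD_PATH_PREFIXES = ("c:/program files/contoso agent/",)
KNOWN_GOOD_SHA256 = {"aa" * 32}  # constructed placeholder hash of an approved in-house DLL
# REG_MULTI_SZ value listing the SSP DLLs LSASS loads at startup (CurrentControlSet or ControlSet00N).
LSA_SSP_VALUE = re.compile(
    r"^hklm/system/(currentcontrolset|controlset\d{3})/control/lsa/(osconfig/)?security packages$")
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}  # assumed known-good baseline


@dataclass
class Alert:
    rule: str
    event_id: int
    detail: str


def _norm(path: str) -> str:
    """Lower-case and forward-slash a Windows path so comparisons are case-insensitive."""
    return path.replace("\\", "/").lower()


def parse_hashes(hashes: str) -> dict:
    """Parse Sysmon's 'SHA256=...,MD5=...' Hashes field into {algorithm: hex}."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_lsass_module_load(ev: dict) -> Optional[Alert]:
    """DLL loaded into lsass.exe that is not validly signed by a trusted vendor and is on
    neither exclusion list. All three checks must fail for an alert to fire."""
    if ev.get("EventID") != 7 or not _norm(ev.get("Image", "")).endswith("/lsass.exe"):
        return None
    loaded = _norm(ev.get("ImageLoaded", ""))
    if not loaded.endswith(".dll"):
        return None
    trusted = (ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
               and ev.get("Signature") in TRUSTED_SIGNERS)
    if trusted or loaded.startswith(KNOWN_GOOD_PATH_PREFIXES):
        return None
    if parse_hashes(ev.get("Hashes", "")).get("SHA256") in KNOWN_GOOD_SHA256:
        return None
    return Alert("lsass_untrusted_module_load", 7,
                 f"{ev.get('ImageLoaded')} signer={ev.get('Signature', '<none>')} "
                 f"status={ev.get('SignatureStatus', '<none>')}")


def check_ssp_registry_change(ev: dict) -> Optional[Alert]:
    """Any write to the Security Packages value is reported; packages outside the baseline are named."""
    if ev.get("EventID") != 13 or not LSA_SSP_VALUE.match(_norm(ev.get("TargetObject", ""))):
        return None
    # Sysmon renders the multi-string data as text; pull out names regardless of separator.
    packages = set(re.findall(r"[a-z0-9_.\-]+", ev.get("Details", "").lower()))
    return Alert("lsa_security_packages_modified", 13,
                 f"by {ev.get('Image')} new_packages={sorted(packages - BASELINE_SSPS)}")


def run(events) -> list:
    """Apply both checks to an event stream; alerts come back in event order."""
    alerts = []
    for ev in events:
        for check in (check_lsass_module_load, check_ssp_registry_change):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry), keyed by Sysmon field names.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": LSASS, "ImageLoaded": r"C:\Windows\System32\msv1_0.dll", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid", "Hashes": "SHA256=" + "11" * 32},
    {"EventID": 7, "Image": LSASS, "ImageLoaded": r"C:\Program Files\Contoso Agent\cred.dll",
     "Signed": "false", "Hashes": "SHA256=" + "aa" * 32},                  # excluded by path and hash
    {"EventID": 7, "Image": LSASS, "ImageLoaded": r"C:\Users\Public\evilssp.dll",
     "Signed": "false", "Hashes": "SHA256=" + "ff" * 32},                  # unsigned: alert
    {"EventID": 7, "Image": LSASS, "ImageLoaded": r"C:\ProgramData\helper.dll", "Signed": "true",
     "Signature": "Contoso Test Signing", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "ee" * 32},                                     # valid but untrusted signer: alert
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\Public\evilssp.dll",
     "Signed": "false", "Hashes": "SHA256=" + "ff" * 32},                  # not LSASS: out of scope
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u evilssp"},   # SSP added: alert
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a.rule, a.event_id, a.detail)
```

Running it yields three alerts: the unsigned DLL, the DLL whose signature validates but whose signer is not on the vendor list, and the registry write that appended an extra package. The registry check fires on every write to the value rather than only on unknown names, because rewriting the list at all is unexpected on a production host; populate BASELINE_SSPS from a machine you trust rather than from documentation, since defaults differ between Windows versions.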