{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/digitalpersona/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","dll-injection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","McAfee","SecMaker AB","HID Global","Apple","Citrix Systems","Dell","Hewlett-Packard Company","Symantec Corporation","National Instruments Corporation","DigitalPersona","Novell","Gemalto","EasyAntiCheat Oy","Entrust Datacard Corporation","AuriStor","LogMeIn","VMware","Nubeva Technologies Ltd","Micro Focus","Yubico AB","Secure Endpoints","Sophos","Morphisec Information Security","Entrust","F5 Networks","Bit4id","Thales DIS CPL USA","Micro Focus International plc","HYPR Corp","Intel","PGP Corporation","Parallels International GmbH","FrontRange Solutions Deutschland GmbH","SecureLink","Tidexa OU","Amazon Web Services","SentryBay Limited","Audinate Pty Ltd","CyberArk Software","NVIDIA","Trend Micro","Fortinet","Carbon Black"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component that manages security policies and user authentication. Attackers often target LSASS to dump credentials, using techniques like injecting malicious DLLs. This detection focuses on identifying instances where LSASS loads a DLL that is either unsigned or not signed by a trusted vendor. The rule excludes known legitimate signatures and file hashes to reduce false positives. This activity is a strong indicator of credential access attempts, potentially leading to further compromise of the system and network. The signatures identified in the rule contain well-known software vendors like Microsoft, McAfee and Citrix.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain sufficient access to interact with the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL onto the system, often disguised as a legitimate file.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious DLL into the LSASS process using techniques like Reflective DLL Injection.\u003c/li\u003e\n\u003cli\u003eLSASS loads the injected DLL, granting the attacker access to sensitive credentials stored in memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL dumps credentials, such as plaintext passwords or NTLM hashes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials for lateral movement to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to credential compromise, allowing attackers to move laterally within the network, access sensitive data, and potentially achieve complete domain dominance. This can result in data breaches, financial losses, and reputational damage. The impact depends on the level of access associated with the compromised credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eLSASS Loading Untrusted DLL\u003c/code\u003e Sigma rule to your SIEM to detect suspicious DLLs loaded by LSASS.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and review the loaded DLL\u0026rsquo;s code signature and hash.\u003c/li\u003e\n\u003cli\u003eBlock the identified SHA256 hashes listed in the IOC table to prevent the execution of known malicious DLLs.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict which DLLs can be loaded into LSASS.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation and image load logging to provide the necessary data for detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-lsass-suspicious-dll/","summary":"Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.","title":"LSASS Loading Suspicious DLL","url":"https://feed.craftedsignal.io/briefs/2024-01-lsass-suspicious-dll/"}],"language":"en","title":"CraftedSignal Threat Feed — DigitalPersona","version":"https://jsonfeed.org/version/1.1"}