
30 Mar 2026 16:15

T1547.008 LSASS Driver in MITRE ATT&CK Explained

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Summary

The article explains the LSASS Driver persistence sub-technique, T1547.008, which threat actors use to gain durable, high-privilege execution on Windows systems by abusing how LSASS loads security-related components.

Investigation

Attackers typically begin by obtaining SYSTEM privileges, then place a malicious DLL or driver on the target host and alter registry keys within the LSA configuration so that LSASS loads the rogue component during boot. In some cases, the same approach can be extended to abuse Domain Controller service extension points.

Mitigation

Defenders should watch for registry changes affecting LSA keys, require strict code-signing for drivers and DLLs, restrict write permissions on the relevant registry paths, and apply integrity monitoring to components loaded by the LSASS process.
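As an added example (not part of the SOC Prime article), the registry-monitoring advice above expressed as detection logic run over constructed sample events: it flags any rewrite of the Lsa "Security Packages" value whose entries fall outside a known-good baseline, and treats a full path as suspicious on its own, since legitimate entries are bare module names that LSASS resolves from System32. The JSON event shape, the baseline set, and the sample process images are assumptions made for the example.

```python
import json

# Baseline entries of the "Security Packages" REG_MULTI_SZ value under the Lsa
# key on a stock host. Assumed for this example; derive yours per Windows build.
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
TARGET = LSA_KEY + r"\Security Packages"
BASELINE = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", ""}

# Constructed sample events in a simplified JSON-lines shape (not a real Sysmon
# or Security-log export); the new multi-string value is carried as a list.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2026-03-30 14:01:02", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": TARGET,
     "Details": ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", ""]},
    {"UtcTime": "2026-03-30 14:05:17", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": TARGET,
     "Details": ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "",
                 r"C:\Users\victim\Desktop\maliciousLSASS.dll"]},
    {"UtcTime": "2026-03-30 14:06:00", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Example\Setting", "Details": ["x"]},
])

def unexpected_packages(entries):
    """Entries of a Security Packages value that fall outside the baseline.
    LSASS resolves bare names from System32, so an entry carrying a path
    separator or a .dll suffix is flagged even if its stem looks familiar."""
    flagged = []
    for entry in entries:
        name = entry.strip().lower()
        if "\\" in name or "/" in name or name.endswith(".dll") or name not in BASELINE:
            flagged.append(entry)
    return flagged

def detect(jsonl):
    """One finding per event that rewrites the Lsa 'Security Packages' value
    with entries outside the baseline; other registry events are ignored."""
    findings = []
    for line in jsonl.splitlines():
        event = json.loads(line)
        if event["TargetObject"].lower() != TARGET.lower():
            continue
        bad = unexpected_packages(event["Details"])
        if bad:
            findings.append({"time": event["UtcTime"], "image": event["Image"],
                             "unexpected": bad})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {f['time']} {f['image']} added {f['unexpected']}")
```

Pair this with a baseline review after patching, since a servicing update that legitimately adds a package would otherwise raise the same alert.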

Response

If suspicious registry changes or unexpected driver loads into lsass.exe are detected, isolate the host, capture LSASS memory for credential-focused analysis, and restore the modified registry values to a known-good state while investigating the parent process responsible.


Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Preparation (drop malicious DLL): The adversary crafts a DLL (maliciousLSASS.dll) that, when loaded by LSASS, extracts credential hashes and writes them to %TEMP%. The DLL is staged on the victim workstation.
    2. Persistence via registry modification: Using native reg.exe, the attacker appends the full path of the malicious DLL to the Security Packages multi-string value, which LSASS reads during service start.
    3. Trigger: The attacker forces LSASS to reload the packages by restarting the LSASS service (this requires a system reboot; for the test we simulate it by stopping and starting the WinDefend service, which forces LSASS to reload the security packages list).
  • Regression Test Script:

    # -------------------------------------------------
    # Simulate LSASS driver persistence (T1547.008)
    # -------------------------------------------------
    $dllPath = "$env:USERPROFILE\Desktop\maliciousLSASS.dll"
    # Ensure a dummy DLL file exists (empty placeholder for test)
    if (-not (Test-Path $dllPath)) {
        New-Item -Path $dllPath -ItemType File -Force | Out-Null
    }

    # Backup original value. "Security Packages" is a REG_MULTI_SZ value under
    # the Lsa key (not a subkey), so PowerShell returns it as a string array.
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $valueName = 'Security Packages'
    $original  = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    # Append malicious DLL path to the existing entries
    $newValue = @()
    if ($original) { $newValue = @($original) }
    $newValue += $dllPath
    Set-ItemProperty -Path $regPath -Name $valueName -Value ([string[]]$newValue) -Type MultiString -Force

    Write-Host "[+] Modified Security Packages registry value to include malicious DLL."

    # Optional: Force LSASS to reload packages without reboot (restart dependent service)
    Restart-Service -Name WinDefend -Force -ErrorAction SilentlyContinue
    Write-Host "[+] Requested service restart to provoke LSASS reload."

    # Pause to allow logs to be collected
    Start-Sleep -Seconds 10

    # Restore original value (cleanup step executed separately; $original must still be in scope)
  • Cleanup Commands:

    # -------------------------------------------------
    # Cleanup after simulation
    # -------------------------------------------------
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $valueName = 'Security Packages'
    # Restore the original multi-string value captured earlier in $original (if any)
    if ($original) {
        Set-ItemProperty -Path $regPath -Name $valueName -Value ([string[]]$original) -Type MultiString -Force
    } else {
        # Remove the value entirely if it was originally empty
        Remove-ItemProperty -Path $regPath -Name $valueName -Force -ErrorAction SilentlyContinue
    }
    Write-Host "[+] Restored original Security Packages registry value."

    # Remove the dummy DLL
    Remove-Item -Path "$env:USERPROFILE\Desktop\maliciousLSASS.dll" -Force -ErrorAction SilentlyContinue
    Write-Host "[+] Deleted temporary malicious DLL."

    # Optional: Reboot the host to fully reset LSASS state (not required for test)
    # Restart-Computer -Force