This note documents detection patterns for LSA (Local Security Authority) persistence in Windows environments: registration of an attacker-controlled DLL in the Security Packages, Authentication Packages or Notification Packages values so that lsass.exe loads it.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 13 | Registry value set | Critical | Detects Security Packages / Authentication Packages modification. |
| Sysmon | 12 | Registry object create/delete | High | Key creation around LSA persistence paths. |
| Security | 4657 | Registry value modified | High | Native audit if enabled. |
| Sysmon | 7 | Image loaded | Critical | Suspicious DLL loaded into lsass.exe. |
| Sysmon | 1 | Process creation | High | Payload dropper prior to persistence registration. |
| Security | 4688 | Process creation | High | Registry tooling execution context. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Security Packages altered | Extra DLL added | Critical | Core LSA persistence primitive. |
| DLL outside System32 | User path DLL | Critical | Strong malicious signal. |
| lsass loads unsigned DLL | Rare and high-value anomaly | Critical | Strong persistence clue. |
| Authentication Packages changed | Unexpected provider | Critical | Sensitive path abuse. |
| Reboot precedes load | Delayed trigger | High | LSA often activates on restart. |
| Registry write by script/tool | reg.exe / PowerShell | High | Setup clue. |
Common Tools
| Tool | Usage |
|---|---|
| reg.exe | Modify LSA package lists |
| PowerShell | Registry persistence writes |
| mimikatz | SSP insertion / auth package abuse |
| custom malware | LSA package persistence |
Relevant Artifacts
- Sysmon Event IDs 12, 13, 7, 1
- Security Event IDs 4657, 4688
- Registry path: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- Key values: Security Packages, Authentication Packages, Notification Packages
- DLL path of the registered package
- Prefetch for registry tools
- Amcache / ShimCache
MITRE ATT&CK References
- T1547.002 Authentication Package
- T1112 Modify Registry
Decision Tree
- Which LSA value changed?
  - Security Packages
  - Authentication Packages
  - Notification Packages
- DLL path trusted?
  - System32
  - Temp
  - AppData
- DLL signed?
  - Yes
  - No
- Trigger observed?
  - Reboot
  - lsass load
- Expand:
  - Adjacent credential access
  - Registry timeline
  - DLL provenance
- Scope:
  - Single host
  - Multiple hosts
  - Campaign persistence
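The decision-tree branches above (which value changed, whether the DLL path is trusted, whether it is signed, whether an lsass load followed the write) can be run as code over Sysmon-style events. The following is an added example, not part of the original note: event records are simplified dicts whose keys mirror Sysmon Event ID 13 and Event ID 7 fields, every value (hosts, paths, the `sspcache` package name) is constructed, and the severity mapping (a bare LSA write is "high", a write followed by an unsigned or non-System32 lsass load within one hour is "critical") is this example's own choice.

```python
"""Triage of LSA persistence indicators over Sysmon-style events.

Added example, not part of the original note. Events are simplified dicts
whose keys mirror Sysmon Event ID 13 (registry value set) and Event ID 7
(image loaded) fields; all values below are constructed.
"""
from datetime import datetime, timedelta

LSA_VALUES = ("Security Packages", "Authentication Packages", "Notification Packages")
TRUSTED_DIR = r"c:\windows\system32"          # the only directory treated as trusted
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\")  # branches of the decision tree


def lsa_value_changed(event):
    """Return which LSA value a Sysmon 13 event modified, or None."""
    if event.get("EventID") != 13:
        return None
    key, _, value_name = event["TargetObject"].rpartition("\\")
    if not key.lower().endswith("\\control\\lsa"):
        return None
    for known in LSA_VALUES:
        if known.lower() == value_name.lower():
            return known
    return None


def path_trust(dll_path):
    """Classify a DLL path: 'trusted' (directly in System32), 'suspicious'
    (Temp/AppData), or 'unknown' (anything else, to be reviewed by hand)."""
    p = dll_path.lower()
    if any(d in p for d in SUSPICIOUS_DIRS):
        return "suspicious"
    if p.rsplit("\\", 1)[0] == TRUSTED_DIR:
        return "trusted"
    return "unknown"


def triage(events, window=timedelta(hours=1)):
    """For each LSA registry write, look for lsass.exe image loads on the same
    host within `window` and escalate when a loaded DLL is unsigned or not
    directly in System32. Severity mapping is this example's choice: a bare
    write is 'high', a write followed by a risky lsass load is 'critical'."""
    loads = [e for e in events
             if e.get("EventID") == 7 and e["Image"].lower().endswith("\\lsass.exe")]
    findings = []
    for w in events:
        value = lsa_value_changed(w)
        if value is None:
            continue
        deadline = w["UtcTime"] + window
        risky = [l for l in loads
                 if l["Computer"] == w["Computer"]
                 and w["UtcTime"] <= l["UtcTime"] <= deadline
                 and (path_trust(l["ImageLoaded"]) != "trusted"
                      or l.get("Signed", "").lower() != "true")]
        first = risky[0] if risky else None
        findings.append({
            "host": w["Computer"], "value": value, "writer": w["Image"],
            "entries": w["Details"].split(),
            "dll": first["ImageLoaded"] if first else None,
            "signed": first.get("Signed", "").lower() == "true" if first else None,
            "path_trust": path_trust(first["ImageLoaded"]) if first else None,
            "severity": "critical" if first else "high",
        })
    return findings


T0 = datetime(2026, 3, 7, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed; Details is shown as a space-separated list
    {"EventID": 13, "UtcTime": T0, "Computer": "WS01",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u sspcache"},
    {"EventID": 7, "UtcTime": T0 + timedelta(minutes=20), "Computer": "WS01",
     "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\sspcache.dll", "Signed": "false"},
    # WS02: a write followed only by a signed System32 load stays at 'high'
    {"EventID": 13, "UtcTime": T0 + timedelta(hours=2), "Computer": "WS02",
     "Image": r"C:\Program Files\ExampleAV\setup.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages",
     "Details": "msv1_0"},
    {"EventID": 7, "UtcTime": T0 + timedelta(hours=2, minutes=5), "Computer": "WS02",
     "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\msv1_0.dll", "Signed": "true"},
    # WS03: write with no lsass load yet (the trigger is probably the next reboot)
    {"EventID": 13, "UtcTime": T0 + timedelta(hours=3), "Computer": "WS03",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages",
     "Details": "scecli"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['host']} {f['value']!r} via {f['writer']} dll={f['dll']}")
```

Only loads that fail the path or signature test escalate a write, because lsass.exe legitimately loads many signed System32 modules during any one-hour window; a write with no load at all is kept at "high" so that it is re-examined after the next reboot.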
Example Detection Templates
KQL

```kql
Sysmon
| where EventID == 13
| where TargetObject has "\\Control\\Lsa"
| project TimeGenerated, Computer, TargetObject, Details
```

```kql
Sysmon
| where EventID == 7
| where Image endswith "\\lsass.exe"
| project TimeGenerated, Computer, ImageLoaded
```

EQL

```eql
registry where registry.path like "*\\Control\\Lsa*"
```

```eql
sequence by host.name with maxspan=1h
  [ registry where registry.path like "*\\Control\\Lsa*" ]
  [ library where process.name == "lsass.exe" ]
```
Sigma

```yaml
title: LSA Persistence Detection
id: 7e2b4c12-lsa-persistence
status: experimental
description: Detects suspicious LSA package persistence
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 13
  keywords:
    TargetObject|contains: '\Control\Lsa'
  condition: selection and keywords
fields:
  - TargetObject
  - Details
falsepositives:
  - Legitimate security software
level: high
tags:
  - attack.persistence
  - attack.t1547.002
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Registry monitoring | Alert on LSA writes | Critical | High-value signal |
| DLL signing checks | Validate lsass-loaded modules | Critical | Strong anomaly detection |
| Baseline package lists | Diff against a known-good list | High | Values rarely change on endpoints, so alerts are low noise |
| Reboot correlation | Watch delayed loads | High | Confirms activation |
| Restrict admin rights | Reduce registry abuse | High | Prevent persistence |
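The "Baseline package lists" control above is a snapshot comparison rather than an event match. The following is an added example, not part of the original note: the three REG_MULTI_SZ values are modelled as Python lists, the known-good baseline and the "current" snapshot are constructed (the `sspcache` name and the Temp path are invented), and the rule that an entry carrying a drive or directory component is anomalous is this example's own heuristic. Reading the live values with `winreg` or exporting them with reg.exe is left out so the example runs offline.

```python
"""Baseline comparison of the LSA package lists.

Added example, not part of the original note. The three REG_MULTI_SZ values
under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa are modelled as Python
lists; the baseline and the 'current' snapshot are constructed.
"""

KNOWN_GOOD = {  # constructed golden-image baseline, not a universal default
    "Security Packages": ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"],
    "Authentication Packages": ["msv1_0"],
    "Notification Packages": ["scecli"],
}


def looks_like_path(entry):
    """Package entries are normally bare module names resolved from System32;
    an entry carrying a directory or drive component is treated as anomalous
    (heuristic chosen for this example)."""
    return "\\" in entry or ":" in entry or "/" in entry


def compare_lsa_packages(baseline, current):
    """Diff each LSA value against its baseline (case-insensitive). Returns,
    per value, the added and removed entries and a severity: 'info' when
    nothing was added, 'high' for any addition, 'critical' when an added
    entry looks like a path."""
    report = {}
    for value, expected in baseline.items():
        expected_lc = {e.lower() for e in expected}
        now = current.get(value, [])
        now_lc = {e.lower() for e in now}
        added = [e for e in now if e.lower() not in expected_lc]
        removed = [e for e in expected if e.lower() not in now_lc]
        path_entries = [e for e in added if looks_like_path(e)]
        if path_entries:
            severity = "critical"
        elif added:
            severity = "high"
        else:
            severity = "info"  # removals alone are worth a note, not a persistence primitive
        report[value] = {"added": added, "removed": removed,
                         "path_entries": path_entries, "severity": severity}
    return report


def alerts(report):
    """Flatten a report into one line per value that needs attention."""
    return [f"{value}: {r['severity']} added={r['added']} removed={r['removed']}"
            for value, r in report.items() if r["severity"] != "info"]


CURRENT_SNAPSHOT = {  # constructed values from a host under investigation
    "Security Packages": ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "sspcache"],
    "Authentication Packages": ["msv1_0"],
    "Notification Packages": ["scecli", r"C:\Users\jdoe\AppData\Local\Temp\notify"],
}

if __name__ == "__main__":
    for line in alerts(compare_lsa_packages(KNOWN_GOOD, CURRENT_SNAPSHOT)):
        print(line)
```

Because the three values change only when security software is installed or removed, any diff from the per-image baseline is a small, reviewable set; a removal is reported but left at "info" so that deliberate hardening (for example dropping a legacy provider) does not page anyone.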