LoFP / Other tools could load images into LSASS for legitimate reasons, but enterprise tools should always use signed DLLs.

Techniques

Sample rules

Unsigned Image Loaded by LSASS

Description

This search detects unsigned images being loaded by LSASS. It is deprecated because it is too noisy.

Detection logic

`sysmon` EventID=7 Image=*lsass.exe Signed=false 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `unsigned_image_loaded_by_lsass_filter`
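The same detection logic expressed outside Splunk, as an added example that is not part of this page or of the Splunk Security Content project: it filters flattened Sysmon Event ID 7 records for lsass.exe loading an unsigned image, aggregates by host, image, loaded image and SHA1 with first and last seen times, and then applies a reviewed allow-list in the role of the `unsigned_image_loaded_by_lsass_filter` macro. The event records, hashes and the allow-listed agent DLL path are constructed for the example and do not refer to any real product.

```python
"""Unsigned image loaded by LSASS: the Sysmon Event ID 7 search rebuilt in Python.

Steps mirror the SPL above: filter (EventID=7, Image=*lsass.exe, Signed=false),
stats count/min(_time)/max(_time) by dest, Image, ImageLoaded, Signed, SHA1,
then drop rows a site has reviewed (the filter macro's job).
"""
from collections import defaultdict
from datetime import datetime

LSASS_IMAGE = "lsass.exe"
SYSMON_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime, e.g. 2024-01-10 08:00:01.000

# Constructed allow-list standing in for `unsigned_image_loaded_by_lsass_filter`:
# loaded-image paths reviewed and accepted for this site. The path is hypothetical.
ALLOWLIST = frozenset({
    r"c:\program files\exampleagent\agent_hook.dll",
})

# Constructed sample events in the shape of flattened Sysmon Event ID 7 records.
SAMPLE_EVENTS = [
    {"EventID": 7, "dest": "ws01", "UtcTime": "2024-01-10 08:00:01.000",
     "Image": r"C:\Windows\System32\lsass.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Hashes": "SHA1=1111111111111111111111111111111111111111,MD5=11111111111111111111111111111111"},
    {"EventID": 7, "dest": "ws01", "UtcTime": "2024-01-10 08:01:00.000",
     "Image": r"C:\Windows\System32\lsass.exe", "ImageLoaded": r"C:\Users\Public\unsigned_helper.dll",
     "Signed": "false", "Hashes": "SHA1=0123456789ABCDEF0123456789ABCDEF01234567,MD5=00000000000000000000000000000000"},
    {"EventID": 7, "dest": "ws01", "UtcTime": "2024-01-10 08:05:00.000",
     "Image": r"C:\Windows\System32\lsass.exe", "ImageLoaded": r"C:\Users\Public\unsigned_helper.dll",
     "Signed": "false", "Hashes": "SHA1=0123456789ABCDEF0123456789ABCDEF01234567,MD5=00000000000000000000000000000000"},
    {"EventID": 7, "dest": "ws02", "UtcTime": "2024-01-10 09:00:00.000",
     "Image": r"C:\Windows\System32\lsass.exe", "ImageLoaded": r"C:\Program Files\ExampleAgent\agent_hook.dll",
     "Signed": "false", "Hashes": "SHA1=2222222222222222222222222222222222222222,MD5=22222222222222222222222222222222"},
    {"EventID": 7, "dest": "ws01", "UtcTime": "2024-01-10 09:30:00.000",
     "Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\Public\unsigned_helper.dll",
     "Signed": "false", "Hashes": "SHA1=0123456789ABCDEF0123456789ABCDEF01234567,MD5=00000000000000000000000000000000"},
    {"EventID": 1, "dest": "ws01", "UtcTime": "2024-01-10 09:31:00.000",
     "Image": r"C:\Windows\System32\lsass.exe"},
]


def parse_hashes(hashes):
    """Split Sysmon's 'SHA1=...,MD5=...' field into a dict keyed by algorithm name."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def is_unsigned_lsass_load(event):
    """The search's filter: EventID 7, loading process is lsass.exe, Signed=false."""
    if event.get("EventID") != 7:
        return False
    image = str(event.get("Image", "")).lower()
    if image != LSASS_IMAGE and not image.endswith("\\" + LSASS_IMAGE):
        return False
    return str(event.get("Signed", "")).lower() == "false"


def aggregate(events):
    """stats count min(_time) max(_time) by dest, Image, ImageLoaded, Signed, SHA1."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not is_unsigned_lsass_load(ev):
            continue
        ts = datetime.strptime(ev["UtcTime"], SYSMON_TIME_FMT)
        sha1 = parse_hashes(ev.get("Hashes", "")).get("SHA1", "")
        g = groups[(ev["dest"], ev["Image"], ev["ImageLoaded"], "false", sha1)]
        g["count"] += 1
        g["firstTime"] = ts if g["firstTime"] is None else min(g["firstTime"], ts)
        g["lastTime"] = ts if g["lastTime"] is None else max(g["lastTime"], ts)
    return [{"dest": d, "Image": i, "ImageLoaded": l, "Signed": s, "SHA1": h, **g}
            for (d, i, l, s, h), g in groups.items()]


def apply_allowlist(rows, allowlist):
    """Drop rows whose loaded image path is on the reviewed allow-list (filter macro role)."""
    return [r for r in rows if r["ImageLoaded"].lower() not in allowlist]


def detect(events, allowlist=frozenset()):
    """Run filter, aggregation and allow-list; return rows sorted for stable output."""
    rows = apply_allowlist(aggregate(events), allowlist)
    rows.sort(key=lambda r: (r["dest"], r["ImageLoaded"]))
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{row['dest']} {row['ImageLoaded']} count={row['count']} "
              f"first={row['firstTime']:%Y-%m-%d %H:%M:%S} "
              f"last={row['lastTime']:%Y-%m-%d %H:%M:%S} sha1={row['SHA1']}")
```

Running the module prints one row: the two lsass.exe loads of the constructed unsigned DLL on ws01 collapse into a single line with count 2, while the allow-listed agent DLL on ws02, the signed ntdll.dll load and the explorer.exe load are all dropped. Keying the aggregation on SHA1 rather than only on path is what lets a site allow-list a specific reviewed binary without also accepting any other file later dropped at the same path.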