LSASS Driver (T1177)

In Playbook

Technique & Subtechniques

  • LSASS Driver

Associated Tactics

  • Execution
  • Persistence

Execution (TA0002)

The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Procedure Examples

Description | Source(s)
Microsoft. (n.d.). Security Subsystem Architecture. Retrieved November 27, 2017. | Microsoft Security Subsystem
Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017. | Microsoft LSA Protection Mar 2014
Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. | TechNet Autoruns
Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved November 27, 2017. | Microsoft DLL Security