LSA PPL Protection Setting Modification via CommandLine

Severity: medium
Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects modification of LSA PPL protection settings via CommandLine. It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562.010` Impair Defenses: Downgrade Attack

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
Image|endswith: '\reg.exe'
OriginalFileName: powershell.exe
OriginalFileName: pwsh.dll
OriginalFileName: reg.exe

Stage 2: `all of selection_cli_action`

or:
CommandLine|contains: ' add '
CommandLine|contains: New-ItemProperty
CommandLine|contains: Set-ItemProperty
CommandLine|contains: ControlSet
CommandLine|contains: '\Control\Lsa'

Stage 3: `all of selection_key`

or:
CommandLine|contains: IsPplAutoEnabled
CommandLine|contains: RunAsPPL
CommandLine|contains: RunAsPPLBoot

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`add` corpus 11 (sigma 11) `ControlSet` corpus 3 (sigma 3) `IsPplAutoEnabled` `New-ItemProperty` corpus 4 (sigma 4) `RunAsPPL` `RunAsPPLBoot` `Set-ItemProperty` corpus 4 (sigma 4) `\Control\Lsa`
`Image`	ends_with	`\powershell.exe` corpus 143 (sigma 143) `\pwsh.exe` corpus 140 (sigma 140) `\reg.exe` corpus 46 (sigma 46)
`OriginalFileName`	eq	`powershell.exe` corpus 8 (sigma 8) `pwsh.dll` corpus 72 (sigma 68, splunk 4) `reg.exe` corpus 29 (sigma 29)