MITRE ATT&CK® Analytic

AN0287: Analytic 0287

Detects modification of LSASS and authentication DLLs, suspicious registry changes to password filter packages, and abnormal process access to lsass.exe. Correlates registry modifications, DLL loads, and process handle access events.

Domain: Enterprise. Object: AN0287 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0287 is a Windows detection analytic focused on signs that authentication components around LSASS are being modified or accessed abnormally. For leaders, this matters because LSASS and authentication DLL activity sits close to credential protection and identity assurance; gaps here can weaken confidence in incident scope, privileged-account safety, and post-incident recovery decisions.

Executive priority

Prioritize this analytic as an identity and incident-response readiness control for Windows environments. Executives should ask whether the organization can prove it monitors registry changes affecting password filter packages, DLL loads tied to authentication components, and unusual process access to lsass.exe. The business value is not just alerting; it is having defensible evidence for containment, credential reset decisions, audit inquiries, and recovery confidence after suspected credential compromise.

Technical view

For SOC and detection engineering teams, validate whether Windows telemetry can correlate three evidence types named by the ATT&CK analytic: registry modifications, DLL load events, and process handle access events involving lsass.exe or authentication-related DLLs. Because no official detection logic is supplied, teams should treat AN0287 as a coverage objective rather than a ready-to-deploy rule. Tune around legitimate administrative, security, and operating system activity that may interact with LSASS or authentication packages, and require correlation where possible to reduce noisy single-event alerts.

Likely telemetry

  • Windows registry modification events for authentication-related keys, including password filter package changes
  • DLL load telemetry for LSASS and authentication-related DLLs
  • Process handle access events involving lsass.exe
  • Process metadata such as image path, signer, parent process, user context, and command-line where available
  • Host inventory and baseline data for expected authentication components on Windows systems

Detection direction

  • Confirm that telemetry collection includes registry, DLL load, and process access visibility on Windows endpoints; missing any one class may materially reduce analytic value.
  • Build correlation across registry modification, DLL load, and lsass.exe handle access rather than relying only on isolated events.
  • Baseline expected authentication DLLs, password filter packages, and approved security tooling to reduce false positives.
  • Review privileged or security-tool activity carefully, since legitimate endpoint protection, credential management, or administrative tools may access LSASS-like surfaces.
  • Use this analytic to support triage questions: what changed, which process made the change or accessed LSASS, under which account, and whether the DLL or process is expected in that environment.
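The correlation described above, as an added example that is not part of the Glexia or MITRE page: it classifies Sysmon-style events (ID 13 registry set, ID 7 image load, ID 10 process access) into the three evidence classes, drops baselined tooling and expected password-filter DLLs, and alerts only when a host shows at least two distinct classes inside a time window. The sample events, the baseline image path and the baseline DLL names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Sysmon-style IDs:
# 13 = registry value set, 7 = image load, 10 = process access.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:02", "host": "WS01", "event_id": 13, "user": "CORP\\jdoe",
     "image": r"C:\Windows\regedit.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages"},
    {"ts": "2024-05-01T10:00:05", "host": "WS01", "event_id": 7, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\lsass.exe", "target": r"C:\Windows\System32\custfilt.dll"},
    {"ts": "2024-05-01T10:00:40", "host": "WS01", "event_id": 10, "user": "CORP\\jdoe",
     "image": r"C:\Temp\tool.exe", "target": r"C:\Windows\System32\lsass.exe"},
    # Approved EDR agent touching LSASS: baselined, should not count as evidence.
    {"ts": "2024-05-01T11:30:00", "host": "WS02", "event_id": 10, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\EDR\agent.exe", "target": r"C:\Windows\System32\lsass.exe"},
    # Single unbaselined LSASS access with no other evidence class: no alert on its own.
    {"ts": "2024-05-01T12:00:00", "host": "WS03", "event_id": 10, "user": "CORP\\ops",
     "image": r"C:\Tools\proc.exe", "target": r"C:\Windows\System32\lsass.exe"},
]

LSA_VALUES = ("notification packages", "security packages", "authentication packages")
BASELINE_IMAGES = {r"c:\program files\edr\agent.exe"}   # assumed approved security tooling
BASELINE_DLLS = {"scecli.dll", "rassfm.dll"}            # assumed expected password filters

def classify(ev):
    """Return the evidence class for one event, or None if irrelevant or baselined."""
    image, target = ev["image"].lower(), ev["target"].lower()
    if image in BASELINE_IMAGES:
        return None
    if ev["event_id"] == 13 and target.endswith(LSA_VALUES):
        return "registry_mod"
    if ev["event_id"] == 7 and image.endswith("lsass.exe") \
            and target.rsplit("\\", 1)[-1] not in BASELINE_DLLS:
        return "dll_load"
    if ev["event_id"] == 10 and target.endswith("lsass.exe"):
        return "lsass_access"
    return None

def correlate(events, window_minutes=10, min_classes=2):
    """Alert per host when >= min_classes distinct evidence classes fall within a window."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cls = classify(ev)
        if cls:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cls, ev))
    alerts, window = [], timedelta(minutes=window_minutes)
    for host, items in per_host.items():
        for i, (t0, _, _) in enumerate(items):
            cluster = [x for x in items[i:] if x[0] - t0 <= window]
            classes = {c for _, c, _ in cluster}
            if len(classes) >= min_classes:   # correlated evidence, not an isolated event
                alerts.append({"host": host, "classes": sorted(classes),
                               "images": sorted({e["image"] for _, _, e in cluster}),
                               "users": sorted({e["user"] for _, _, e in cluster})})
                break
    return alerts
```

The alert record carries the triage fields the list above asks for: which process made the change or touched LSASS, under which account, and which evidence classes were seen together.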

Mitigation priorities

  • Harden collection first: ensure Windows endpoints generate and forward the registry, DLL load, and process access evidence required by the analytic.
  • Limit and review administrative privileges that can modify authentication-related registry settings or introduce authentication DLLs.
  • Maintain an approved baseline of authentication packages, password filters, and security tools that legitimately interact with LSASS.
  • Integrate findings into incident response playbooks for credential risk assessment, privileged-account review, and recovery evidence.
  • Periodically test detection coverage in a controlled defensive validation program without assuming the ATT&CK entry provides complete detection logic.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique description. Its value is strongest as a coverage requirement for Windows identity-protection monitoring around LSASS, authentication DLLs, password filter package registry changes, DLL loads, and process handle access correlation.

No official detection logic, tactics, relationships, aliases, or additional ATT&CK context were supplied. This take does not assert active exploitation, attribution, impact, or guaranteed coverage. Local endpoint logging configuration, EDR visibility, baselines, and IR procedures determine practical usefulness.

Official MITRE ATT&CK definition

Analytic 0287

Detects modification of LSASS and authentication DLLs, suspicious registry changes to password filter packages, and abnormal process access to lsass.exe. Correlates registry modifications, DLL loads, and process handle access events.

The same entry is published on attack.mitre.org (the MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not recorded)
Modified: (not recorded)
Raw hash: cc0ccf939eaf2674...

Imported snapshots across ATT&CK releases (1)

  Release  Bundle imported  Object version  Modified  Status          Raw hash
  19.1     (not recorded)   1.0             (none)    Current bundle  cc0ccf939eaf…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0287 (source record URL retained in the mirrored object)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.