AN0583: Analytic 0583
Registry modification of the LSA Authentication Packages key followed by LSASS loading a non-standard or unsigned DLL. This includes unusual write access to `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, especially during non-installation timeframes. Correlated with `lsass.exe` loading DLLs not present in baseline or lacking valid signatures.
Analyst context for executives and security teams
This analytic matters because changes to the Windows LSA Authentication Packages registry key can affect how authentication components are loaded, and the described signal pairs that registry activity with LSASS loading a non-standard or unsigned DLL. For leaders, the decision value is whether Windows endpoint, identity, and SOC telemetry can prove that sensitive authentication-related changes are authorized, signed, and expected rather than discovered only after an incident.
Executive priority
Prioritize this as an identity and incident-readiness validation item for Windows environments. Security leaders should ask whether registry changes under HKLM\SYSTEM\CurrentControlSet\Control\Lsa are monitored, whether LSASS module loads are baselined, and whether exceptions are tied to approved software installation or change windows. This is also useful compliance evidence: it demonstrates control over privileged authentication-path changes and the ability to investigate suspicious LSASS behavior.
Technical view
The supplied analytic describes a correlation on Windows: unusual write access to HKLM\SYSTEM\CurrentControlSet\Control\Lsa, particularly outside installation timeframes, followed by lsass.exe loading DLLs that are not in a known-good baseline or lack valid signatures. SOC and detection engineering teams should validate that they can collect registry modification events for the LSA key, process/module load evidence for lsass.exe, file path and signature metadata for loaded DLLs, and change-management context for legitimate installers or endpoint security tools. No ATT&CK tactic or relationship context was supplied, so local mapping to use cases and response playbooks is required.
Likely telemetry
- Windows registry modification events for HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- Registry value write details for the LSA Authentication Packages key
- Process context for the registry write, including user, parent process, command line where available, and timestamp
- LSASS module or DLL load telemetry
- DLL file path, hash, publisher, and digital signature validity
Detection direction
- Correlate writes to the LSA Authentication Packages registry location with subsequent DLL loads by lsass.exe.
- Baseline normal LSASS-loaded DLLs per Windows build and managed security stack to reduce false positives.
- Treat unsigned, invalidly signed, uncommon, or newly introduced DLLs loaded by lsass.exe as higher-priority investigation leads.
- Tune for legitimate software installation, OS update, security tooling, and maintenance windows rather than suppressing the registry path broadly.
- Validate telemetry completeness: many environments log registry changes but not module loads, or collect module loads without reliable signature metadata.
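As an added illustration that is not part of the ATT&CK object or of Glexia's analysis, the following Python script runs the correlation described in this list over constructed sample events: a write to the LSA Authentication Packages value is joined, per host and within a time window, to subsequent lsass.exe module loads that are either absent from a known-good baseline or not validly signed, and the alert is downgraded rather than suppressed when the write falls inside an approved change window. The normalized event shape, the baseline set, the change windows and the 24-hour window are all assumptions chosen for the example; a real baseline must come from your managed Windows builds and change records.

```python
from datetime import datetime, timedelta

LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUE = "Authentication Packages"
CORRELATION_WINDOW = timedelta(hours=24)  # assumption: how long after the write a load still correlates

# Hypothetical known-good baseline of LSASS-loaded modules (placeholder, not a real build baseline)
BASELINE_DLLS = {"msv1_0.dll", "kerberos.dll", "tspkg.dll", "pku2u.dll", "cloudap.dll", "schannel.dll"}

# Constructed approved change windows per host (placeholder change-management data)
CHANGE_WINDOWS = {
    "WS02": [("2024-05-01T22:00:00", "2024-05-02T02:00:00")],
}

# Constructed sample events in a simple normalized shape; not real telemetry
EVENTS = [
    # WS01: LSA key write outside any change window, then lsass.exe loads an unsigned DLL from a temp path
    {"ts": "2024-05-01T02:10:00", "type": "registry_write", "host": "WS01", "user": "CORP\\svc_backup",
     "process": "C:\\Windows\\System32\\reg.exe", "target": LSA_KEY, "value": LSA_VALUE},
    {"ts": "2024-05-01T02:11:30", "type": "image_load", "host": "WS01", "process": "C:\\Windows\\System32\\lsass.exe",
     "image": "C:\\Windows\\System32\\msv1_0.dll", "signature_valid": True},
    {"ts": "2024-05-01T02:12:00", "type": "image_load", "host": "WS01", "process": "C:\\Windows\\System32\\lsass.exe",
     "image": "C:\\Windows\\Temp\\authpkg.dll", "signature_valid": False},
    # WS03: unsigned load by lsass.exe with no preceding LSA key write; a lead, but not this analytic's alert
    {"ts": "2024-05-01T10:00:00", "type": "image_load", "host": "WS03", "process": "C:\\Windows\\System32\\lsass.exe",
     "image": "C:\\Users\\Public\\helper.dll", "signature_valid": False},
    # WS02: LSA key write inside an approved window, then a signed but non-baseline vendor module loads
    {"ts": "2024-05-01T23:00:00", "type": "registry_write", "host": "WS02", "user": "CORP\\admin_jdoe",
     "process": "C:\\Temp\\vendor_setup.exe", "target": LSA_KEY, "value": LSA_VALUE},
    {"ts": "2024-05-01T23:05:00", "type": "image_load", "host": "WS02", "process": "C:\\Windows\\System32\\lsass.exe",
     "image": "C:\\Program Files\\VendorEDR\\vendor_sspi.dll", "signature_valid": True},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_lsa_write(ev):
    """True for a write to the Authentication Packages value under the LSA key."""
    return (ev["type"] == "registry_write"
            and ev["target"].upper().startswith(LSA_KEY.upper())
            and ev.get("value") == LSA_VALUE)


def load_reasons(ev):
    """Why an lsass.exe module load is non-standard; empty means baseline and validly signed."""
    if ev["type"] != "image_load" or not ev["process"].lower().endswith("\\lsass.exe"):
        return []
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if name not in BASELINE_DLLS:
        reasons.append("not in baseline")
    if not ev["signature_valid"]:
        reasons.append("unsigned or invalid signature")
    return reasons


def in_change_window(host, ts):
    return any(parse_ts(a) <= ts <= parse_ts(b) for a, b in CHANGE_WINDOWS.get(host, []))


def correlate(events):
    """Join each LSA key write to later suspicious lsass.exe loads on the same host."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for w in (e for e in ordered if is_lsa_write(e)):
        w_ts = parse_ts(w["ts"])
        for e in ordered:
            e_ts = parse_ts(e["ts"])
            if e["host"] != w["host"] or not (w_ts <= e_ts <= w_ts + CORRELATION_WINDOW):
                continue
            reasons = load_reasons(e)
            if reasons:
                alerts.append({
                    "host": w["host"],
                    # an approved window lowers priority; it does not suppress the path outright
                    "severity": "medium" if in_change_window(w["host"], w_ts) else "high",
                    "write_user": w["user"],
                    "write_process": w["process"],
                    "dll": e["image"],
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Run as-is it prints two alerts: a high-severity one for WS01 (unsigned, non-baseline DLL after an out-of-window write) and a medium-severity one for WS02 (non-baseline but validly signed module after an in-window write). The WS03 load produces no alert because no LSA key write precedes it, which is the telemetry-completeness point above: without registry events the correlation cannot fire at all.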
Mitigation priorities
- Restrict and monitor administrative access capable of changing HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
- Maintain change control for software that modifies authentication-related Windows configuration.
- Ensure endpoint controls preserve visibility into LSASS module loads and file signature metadata.
- Use application control or equivalent allowlisting where appropriate to limit unapproved DLL execution, while testing carefully for operational impact.
- Maintain a known-good baseline of LSASS-loaded modules for managed Windows builds.
Analyst notes and limits
This is a detection analytic object, not a technique description. The most actionable point is the correlation between sensitive LSA registry modification and non-standard or unsigned DLL loading by lsass.exe. Glexia would use this to assess whether identity-protection monitoring is supported by endpoint telemetry, baselines, and change-management evidence.
The ATT&CK object supplies a description but no official detection logic, no tactics, and no relationship context. The assessment is limited to Windows because that is the only supplied platform. Local baselines, approved software inventory, endpoint logging configuration, and change records are required to determine alert severity and false-positive handling.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bd31125a3c6d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0583
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.