MITRE ATT&CK® Analytic

AN0629: Analytic 0629

Unauthorized creation or modification of DLLs loaded by LSASS, abnormal registry values under LSA extensions, and anomalous DLL load activity into the lsass.exe process context—correlated during boot or logon events.

Enterprise · AN0629 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because LSASS is central to Windows authentication. Unauthorized DLL creation or modification around LSASS and LSA extensions can indicate tampering with a highly sensitive identity process, especially when activity appears during boot or logon. For leaders, the practical issue is whether the organization can prove it monitors changes to authentication-related components and can investigate suspicious LSASS module loading quickly enough to protect identity systems and business continuity.

Executive priority

Prioritize this as an identity and Windows endpoint resilience control validation item. Security leaders should ask whether SOC and incident response teams have reliable visibility into LSASS-related DLL loads, LSA extension registry changes, and boot/logon-time activity. This can support incident decision-making, privileged access protection, and audit evidence around monitoring of critical authentication infrastructure. Because the ATT&CK object provides no detection logic or relationships, it should be treated as a validation prompt rather than a complete detection package.

Technical view

For Windows environments, validate collection and correlation for three evidence areas: unauthorized creation or modification of DLLs loaded by LSASS, abnormal registry values under LSA extensions, and anomalous DLL load activity in the lsass.exe process context. Correlation should pay particular attention to boot and logon windows, where the official description says this activity should be evaluated. SOC teams should define known-good LSASS-loaded modules and expected LSA extension registry values before alerting broadly, because legitimate security, authentication, and endpoint software may interact with LSASS.

Likely telemetry

  • Windows endpoint process and module load telemetry for lsass.exe
  • File creation and file modification events for DLLs associated with LSASS loading paths
  • Windows registry monitoring for LSA extension-related values
  • Boot and user logon event context for correlation
  • Endpoint detection and response telemetry that records image loads and process context

Detection direction

  • Baseline expected DLLs loaded by lsass.exe on managed Windows builds and alert on unauthorized or unusual additions or modifications.
  • Monitor LSA extension registry values for abnormal or unauthorized changes, with change context such as host, user, time, and nearby logon or boot events.
  • Correlate suspicious LSASS DLL or registry activity with boot and logon timing, as specified by the analytic description.
  • Tune carefully for legitimate authentication, security, and endpoint management software to reduce false positives.
  • Validate whether telemetry captures module loads into lsass.exe; many environments collect process starts but not image-load detail, creating a material blind spot.
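The baseline, registry and timing checks listed above can be expressed as one correlation routine. The Python below is an added example written for this page, not detection logic from MITRE or from Glexia's data. It runs over a constructed stream of Sysmon-style events (EID 7 image load, EID 11 file create, EID 13 registry value set) together with Windows Security EID 4608 (system startup) and EID 4624 (successful logon), and tags each finding with the boot or logon window it fell in. The lsass.exe module baseline, the LSA registry value paths and their expected contents, the window sizes, the field names, and all file and product names (ssp_helper.dll, VendorEDR, host WS01) are assumptions made for the example; the ATT&CK object names none of them, and the field names would need mapping to whatever your EDR or SIEM actually emits.

```python
"""Correlate lsass.exe module loads, LSA registry writes and boot/logon timing.
Added example for this page, not MITRE or Glexia detection logic; all data is constructed."""
import re
from datetime import datetime, timedelta

BOOT_WINDOW = timedelta(minutes=5)   # after EID 4608, when LSASS loads its packages
LOGON_WINDOW = timedelta(minutes=2)  # around EID 4624, when SSP/AP code paths run
LSASS = r"C:\Windows\System32\lsass.exe"

# Illustrative known-good modules for one managed build (assumption: a real
# baseline is captured per image and patch level, not copied from this list).
BASELINE_LSASS_MODULES = {r"c:\windows\system32\lsasrv.dll", r"c:\windows\system32\msv1_0.dll",
                          r"c:\windows\system32\kerberos.dll", r"c:\windows\system32\wdigest.dll"}
# LSA package/extension values LSASS reads at start (Sysmon TargetObject form, lower-cased)
# and the REG_MULTI_SZ entries expected from a clean reference host (constructed here).
# A monitored value that has no baseline entry is flagged on any write.
LSA_PREFIX = "hklm\\system\\currentcontrolset\\control\\"
MONITORED_LSA_VALUES = {LSA_PREFIX + r"lsa\authentication packages",
                        LSA_PREFIX + r"lsa\notification packages",
                        LSA_PREFIX + r"lsa\security packages",
                        LSA_PREFIX + r"lsaextensionconfig\lsasrv\extensions"}
LSA_REGISTRY_BASELINE = {LSA_PREFIX + r"lsa\authentication packages": {"msv1_0"},
                         LSA_PREFIX + r"lsa\notification packages": {"scecli"}}

def _norm(p):
    return p.lower().strip()

def _multi_sz(details):
    """Split Sysmon's rendering of a REG_MULTI_SZ 'Details' field into entries."""
    return {s.strip() for s in re.split(r"\r?\n", details) if s.strip()}

def analyze(events):
    """Return findings in time order, each tagged with its boot/logon window (or None)."""
    events = sorted(events, key=lambda e: e["time"])
    windows = [(e["time"], e["time"] + BOOT_WINDOW, "boot") for e in events if e["event_id"] == 4608]
    windows += [(e["time"] - LOGON_WINDOW, e["time"] + LOGON_WINDOW, "logon") for e in events if e["event_id"] == 4624]
    def label(t):
        return next((lbl for start, end, lbl in windows if start <= t <= end), None)
    dropped, findings = {}, []  # dropped: DLL path -> time an earlier EID 11 wrote it
    for e in events:
        eid, t, reasons = e["event_id"], e["time"], []
        if eid == 11 and _norm(e["target"]).endswith(".dll"):
            dropped[_norm(e["target"])] = t
        elif eid == 7 and _norm(e["image"]) == _norm(LSASS):
            obj, kind = _norm(e["image_loaded"]), "lsass_image_load"
            if obj not in BASELINE_LSASS_MODULES:
                reasons.append("module not in lsass baseline")
            if e.get("signature_status") != "Valid":
                reasons.append("signature status %s" % e.get("signature_status"))
            if obj in dropped:  # file created on disk before LSASS loaded it
                reasons.append("DLL written at %s before load" % dropped[obj].isoformat())
        elif eid == 13 and _norm(e["target"]) in MONITORED_LSA_VALUES:
            obj, kind, new = _norm(e["target"]), "lsa_registry_change", _multi_sz(e["details"])
            expected = LSA_REGISTRY_BASELINE.get(obj)
            if expected is None:
                reasons.append("write to monitored LSA value with no baseline")
            else:  # a rewrite with identical contents (e.g. a GPO refresh) adds nothing
                for verb, diff in (("added", new - expected), ("removed", expected - new)):
                    if diff:
                        reasons.append(verb + " " + ",".join(sorted(diff)))
        if reasons:
            findings.append({"kind": kind, "host": e["host"], "time": t, "object": obj,
                             "window": label(t), "reasons": reasons})
    return findings

def ev(eid, hms, **fields):
    """One constructed event on host WS01 at the given UTC time on 2024-05-01."""
    h, m, s = map(int, hms.split(":"))
    return {"event_id": eid, "time": datetime(2024, 5, 1, h, m, s), "host": "WS01", **fields}

# Constructed scenario: a DLL is dropped and registered as an authentication package,
# LSASS loads it at the next boot, a signed vendor module loads at logon, and a GPO
# refresh rewrites Notification Packages with unchanged contents.
SAMPLE_EVENTS = [
    ev(11, "07:55:02", image=r"C:\Users\bob\AppData\Local\Temp\setup.exe",
       target=r"C:\Windows\System32\ssp_helper.dll"),
    ev(13, "07:55:10", image=r"C:\Windows\regedit.exe", details="msv1_0\r\nssp_helper",
       target=r"HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages"),
    ev(4608, "08:00:00"),
    ev(7, "08:00:05", image=LSASS, image_loaded=r"C:\Windows\System32\msv1_0.dll",
       signature_status="Valid"),
    ev(7, "08:00:07", image=LSASS, image_loaded=r"C:\Windows\System32\ssp_helper.dll",
       signature_status="Unavailable"),
    ev(4624, "08:07:00", user="alice"),
    ev(7, "08:07:15", image=LSASS, image_loaded=r"C:\Program Files\VendorEDR\credguard.dll",
       signature_status="Valid"),
    ev(13, "10:15:00", image=r"C:\Windows\System32\gpupdate.exe", details="scecli",
       target=r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["time"], f["window"], f["kind"], f["object"], "; ".join(f["reasons"]))
```

Three findings come out of the constructed stream: the Authentication Packages write outside any window, the dropped-then-loaded unsigned DLL inside the boot window with all three reasons attached, and the signed vendor module inside the logon window. The last one is reported only because it is absent from the baseline, which is exactly the tuning case the fourth point above describes; the Notification Packages rewrite with identical contents produces nothing, which is the behaviour wanted for configuration management that re-applies a value.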

Mitigation priorities

  • Establish and maintain an approved baseline for LSASS-loaded DLLs and LSA extension registry settings on Windows systems.
  • Restrict and monitor administrative access capable of modifying authentication-related files or registry locations.
  • Ensure endpoint controls and logging are configured to capture DLL creation/modification, relevant registry changes, and LSASS module-load activity.
  • Document investigation procedures for suspicious LSASS-related changes so incident responders can quickly determine whether activity is authorized.
  • Use the analytic as a coverage assessment input for identity security, Windows hardening, SOC monitoring, and compliance evidence rather than as a standalone control.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows only. It describes the behavior to detect but does not provide official detection logic, tactics, linked techniques, data sources, mitigations, or relationship context. Glexia interpretation therefore focuses on defensive validation around LSASS, LSA extension registry monitoring, and boot/logon correlation without extending beyond the provided fields.

No official detection query, data component mapping, tactics, or relationships were supplied. Local baselines are required to distinguish authorized LSASS-related software behavior from suspicious activity. This take does not assert active exploitation, attribution, business impact, or detection coverage.

Official MITRE ATT&CK definition

Analytic 0629

Unauthorized creation or modification of DLLs loaded by LSASS, abnormal registry values under LSA extensions, and anomalous DLL load activity into the lsass.exe process context—correlated during boot or logon events.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d7f3060ea7d0825e...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | d7f3060ea7d0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0629

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.