MITRE ATT&CK® Detection Strategy

DET0225: Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows)


Enterprise | DET0225 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0225 is a detection strategy for a Windows persistence and privilege-escalation behavior: unauthorized LSASS driver or LSA plugin abuse. The business issue is that LSASS is tied to authentication and local security policy, so unauthorized changes around LSASS can indicate durable control of a host and potential compromise of identity trust on that system.

Executive priority

Security leaders should treat coverage for this behavior as an identity and endpoint resilience question, not just malware detection. Ask whether critical Windows systems have change monitoring for LSASS-related components, whether SOC teams can distinguish approved security software from unauthorized LSA additions, and whether incident responders have a playbook for validating authentication subsystem integrity after compromise.

Technical view

The supplied ATT&CK object has no official detection text, platforms, or tactics of its own, but it is explicitly related to T1547.008 LSASS Driver, which is a Windows technique under persistence and privilege escalation. SOC and detection teams should validate whether endpoint telemetry can show modification or addition of LSASS/LSA-related drivers or DLLs, whether LSASS module-loading and security subsystem configuration changes are observable, and whether alerts are correlated with authorized software deployment or administrative change records.

Likely telemetry

  • Windows endpoint configuration and registry/change telemetry related to LSA or LSASS driver/plugin registration
  • File creation, replacement, or modification events for LSASS/LSA-related DLLs or drivers
  • Process and module-load telemetry showing code loaded into or associated with LSASS
  • Endpoint detection logs and host integrity monitoring results
  • Administrative change records, software deployment logs, and allowlists for approved security/authentication components

Detection direction

  • Baseline approved LSASS/LSA-related components on Windows systems and alert on unauthorized additions or modifications.
  • Correlate LSASS-related changes with privileged administrative activity and approved deployment windows to reduce false positives from legitimate security or authentication software.
  • Prioritize high-value systems where authentication integrity matters most, such as servers, administrative workstations, and domain-connected Windows endpoints.
  • Validate that telemetry is collected before and after reboot, since persistence mechanisms may only become evident during service or system startup.
  • Account for the ATT&CK source limitation: DET0225 provides no official detection logic, so local engineering is required to translate the strategy into rules and tests.
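The telemetry and detection points above, worked through as an added example (not code from the Glexia page or from MITRE ATT&CK, which supplies no detection logic for DET0225): a baseline diff of the LSA plugin registry values plus an allowlist check on module loads into lsass.exe, with approved change windows used to suppress expected noise. The registry key and value names are real Windows LSA configuration locations, not values from the ATT&CK object; the snapshots, event records, allowlist, host and ticket names are all constructed sample data, and the event fields are merely modelled on Sysmon's image-load event.

```python
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
# Real multi-string values under the LSA key; LSASS loads the DLLs they name at startup.
LSA_PLUGIN_VALUES = ("Authentication Packages", "Notification Packages", "Security Packages")
LSASS_IMAGE = "lsass.exe"


@dataclass(frozen=True)
class ChangeWindow:
    """Hypothetical approved deployment window taken from a change-management record."""
    start: datetime
    end: datetime
    ticket: str
    approved_modules: frozenset  # lower-case DLL base names the ticket approves


@dataclass(frozen=True)
class Alert:
    kind: str      # "lsa-registry" or "lsass-module-load"
    severity: str  # "high", "medium" or "info"
    detail: str


def _basename(path):
    return PureWindowsPath(path).name.lower()


def diff_lsa_registry(baseline, current):
    """Compare two snapshots of the LSA plugin values (value name -> list of entries)
    and alert on entries missing from the approved baseline. Removals are reported too,
    since swapping a package out is also a change to the authentication subsystem."""
    alerts = []
    for value in LSA_PLUGIN_VALUES:
        before = {e.lower() for e in baseline.get(value, [])}
        after = {e.lower() for e in current.get(value, [])}
        for added in sorted(after - before):
            alerts.append(Alert("lsa-registry", "high",
                                f"{LSA_KEY}\\{value}: unapproved entry added: {added}"))
        for removed in sorted(before - after):
            alerts.append(Alert("lsa-registry", "medium",
                                f"{LSA_KEY}\\{value}: baseline entry removed: {removed}"))
    return alerts


def _covered_by_window(event, windows):
    for w in windows:
        if w.start <= event["time"] <= w.end and _basename(event["loaded"]) in w.approved_modules:
            return w
    return None


def check_lsass_module_loads(events, allowlist, windows):
    """Evaluate image-load records for loads into lsass.exe. Allowlisted modules are
    ignored; any other module is an alert unless an approved change window explains
    it, in which case the alert is downgraded to informational."""
    alerts, allowed = [], {m.lower() for m in allowlist}
    for ev in events:
        if _basename(ev["image"]) != LSASS_IMAGE:
            continue
        module = _basename(ev["loaded"])
        if module in allowed:
            continue
        window = _covered_by_window(ev, windows)
        if window is not None:
            alerts.append(Alert("lsass-module-load", "info",
                                f"{module} loaded into lsass.exe during {window.ticket}"))
            continue
        # Unsigned code in LSASS outside any change window is the worst case.
        severity = "high" if not ev.get("signed") else "medium"
        alerts.append(Alert("lsass-module-load", severity,
                            f"{ev['loaded']} loaded into lsass.exe on {ev['host']} "
                            f"(signed={ev.get('signed')}, signer={ev.get('signature')})"))
    return alerts


# Constructed sample data. The baseline mirrors common default LSA entries; "custompkg"
# and the vendor DLL, host name and ticket are invented for the example.
BASELINE = {"Authentication Packages": ["msv1_0"], "Notification Packages": ["scecli"]}
CURRENT = {"Authentication Packages": ["msv1_0"], "Notification Packages": ["scecli", "custompkg"]}
ALLOWLIST = ["msv1_0.dll", "scecli.dll"]
WINDOWS = [ChangeWindow(datetime(2024, 1, 10, 20), datetime(2024, 1, 10, 23),
                        "CHG-0001", frozenset({"vendorsspi.dll"}))]
EVENTS = [
    {"time": datetime(2024, 1, 10, 9), "host": "WS01", "image": r"C:\Windows\System32\lsass.exe",
     "loaded": r"C:\Windows\System32\msv1_0.dll", "signed": True, "signature": "Microsoft Windows"},
    {"time": datetime(2024, 1, 10, 9, 5), "host": "WS01", "image": r"C:\Windows\System32\lsass.exe",
     "loaded": r"C:\Windows\System32\custompkg.dll", "signed": False, "signature": None},
    {"time": datetime(2024, 1, 10, 21), "host": "SRV01", "image": r"C:\Windows\System32\lsass.exe",
     "loaded": r"C:\Program Files\ExampleVendor\vendorsspi.dll", "signed": True, "signature": "Example Vendor"},
    {"time": datetime(2024, 1, 10, 21), "host": "SRV01", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\custompkg.dll", "signed": False, "signature": None},
]


def run_sample():
    """Run both checks over the constructed data; returns (registry_alerts, module_alerts)."""
    return diff_lsa_registry(BASELINE, CURRENT), check_lsass_module_loads(EVENTS, ALLOWLIST, WINDOWS)


if __name__ == "__main__":
    for alert in (a for group in run_sample() for a in group):
        print(f"[{alert.severity}] {alert.kind}: {alert.detail}")
```

Running the sample produces one high registry alert for the added notification package, one high module-load alert for the unsigned DLL loaded into lsass.exe outside any window, and one informational record for the vendor DLL covered by CHG-0001; the same DLL loaded by svchost.exe is ignored, since the check is scoped to the authentication subsystem. In production the baseline and allowlist would be generated from an approved software inventory and the windows from the change-management system, and the snapshot comparison should be repeated after reboot, when newly registered packages first load.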

Mitigation priorities

  • Maintain strict change control and approval for software that integrates with Windows authentication or the Local Security Authority.
  • Limit administrative rights that can modify LSASS/LSA-related components and monitor use of those privileges.
  • Use endpoint hardening, file integrity monitoring, and configuration monitoring on critical Windows assets.
  • Ensure incident response procedures include validation of LSASS/LSA component integrity when persistence or privilege escalation is suspected.
  • Document monitoring evidence for compliance and audit needs where authentication subsystem integrity is in scope.

Analyst notes and limits

This take is based on DET0225 and its relationship to ATT&CK technique T1547.008, LSASS Driver. The value of this detection strategy is in confirming whether the organization can see and explain changes to Windows authentication subsystem components, especially where persistence or privilege escalation would affect identity trust and recovery decisions.

The supplied detection strategy has no official description or detection text and does not list platforms or tactics directly. Windows, persistence, and privilege-escalation context come from the related T1547.008 relationship. Specific registry paths, event IDs, vendor telemetry, or rule logic are not included in the supplied fields and should be validated against local Windows versions, endpoint tooling, and approved software inventory.

Official MITRE ATT&CK definition

Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows)

No official description is available in the imported ATT&CK source object.

The same entry is also available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1547.008
Name: LSASS Driver (sub-technique)
Relationship / procedure: This object detects LSASS Driver.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4139282f3d1e7a0c...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  4139282f3d1e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0225 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.