persistence-info.github.io/Data/lsaaextension.md at main · persistence-info/persistence-info.github.io

LSA Extension

Location:

HKLM\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv

Classification:

Criteria	Value
Permissions	Admin¹
Security context	System
Persistence type	Registry
Code type	DLL
Launch type	Automatic
Impact	Non-destructive
OS Version	All OS versions
Dependencies	OS only
Toolset	Scriptable

Description:

The REG_MULTI_SZ value named Extensions contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.

References:

https://twitter.com/0gtweet/status/1476286368385019906

Credits:

0gtweet

Remarks:

TrustedInstaller required ↩

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

LSA Extension

Location:

Classification:

Description:

References:

Credits:

See also:

Remarks:

FilesExpand file tree

lsaaextension.md

Latest commit

History

lsaaextension.md

File metadata and controls

LSA Extension

Location:

Classification:

Description:

References:

Credits:

See also:

Remarks:

Footnotes