HKLM\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv
| Criteria | Value |
|---|---|
| Permissions | Admin [1] |
| Security context | System |
| Persistence type | Registry |
| Code type | DLL |
| Launch type | Automatic |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |

The REG_MULTI_SZ value named Extensions lists the filenames of DLLs that lsass.exe loads automatically. After each DLL is loaded, its InitializeLsaExtension() function is called.

https://twitter.com/0gtweet/status/1476286368385019906
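
A defensive audit of the Extensions value described above, as an added example that is not part of the original page. It assumes that bare filenames resolve from System32 and that a valid signature from Microsoft Corporation is the expected baseline; the function names are hypothetical.

```powershell
# Added example: audit the DLLs listed in the LSA Extensions value.
# Run from an elevated 64-bit PowerShell so System32 is not redirected.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv'
$valueName = 'Extensions'

function Resolve-ExtensionPath {
    param([string]$Name)
    # Assumption: bare filenames are resolved from System32;
    # entries that already contain a rooted path are checked as written.
    $expanded = [Environment]::ExpandEnvironmentVariables($Name)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    return Join-Path $env:SystemRoot "System32\$expanded"
}

function Get-LsaExtensionAudit {
    $entries = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop).$valueName
    foreach ($entry in $entries) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $path   = Resolve-ExtensionPath -Name $entry
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        [pscustomobject]@{
            Entry     = $entry
            Path      = $path
            Exists    = $exists
            SigStatus = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            LastWrite = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTimeUtc } else { $null }
        }
    }
}

$report = @(Get-LsaExtensionAudit)
$report | Format-Table Entry, Exists, SigStatus, LastWrite -AutoSize

# Assumed baseline: every entry exists and carries a valid Microsoft signature.
$suspect = $report | Where-Object {
    -not $_.Exists -or $_.SigStatus -ne 'Valid' -or
    $_.Signer -notmatch 'O=Microsoft Corporation'
}
if ($suspect) {
    Write-Warning 'LSA extension entries that need review:'
    $suspect | Format-List
}
```

Comparing the output against a known-good host of the same OS build is more reliable than the signer check alone, because the set of legitimate entries can differ between Windows versions.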
Footnotes

1. TrustedInstaller required