T1547.008 LSASS Driver in MITRE ATT&CK Explained

Sıla Özeren Hacıoğlu | March 27, 2026

What Is T1547.008 LSASS Driver in MITRE ATT&CK?

T1547.008 LSASS Driver is a sub-technique of T1547 Boot or Logon Autostart Execution in the MITRE ATT&CK framework, mapped to the Persistence and Privilege Escalation tactics. It refers to LSASS drivers on Windows: the DLLs that the Local Security Authority Subsystem Service (LSASS, lsass.exe) loads to enforce security policy and to handle authentication, credential storage, and related security functions.

Because these modules run inside one of the most privileged and trusted processes on the system, they are an attractive target for adversaries who want durable, high-privilege code execution.

To read about the other sub-techniques of T1547 Boot or Logon Autostart Execution, see the related hub blog.

Adversary Use of T1547.008 LSASS Driver

Adversaries use LSASS drivers to obtain persistent, highly privileged execution inside the Windows security architecture. The technique abuses the configuration points that the Local Security Authority Subsystem Service (lsass.exe) consults to decide which security modules to load.

To set it up, an adversary first needs administrative privileges on the host (the relevant registry keys and %SystemRoot%\System32 are writable only by administrators and SYSTEM) and writes a malicious DLL to disk. The persistence itself is then established by modifying the Windows Registry.

LSASS reads values beneath the following key to decide which Security Support Providers (SSPs) and Authentication Packages it loads at initialization:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

The adversary appends the file name of the malicious module, typically a bare module name that LSASS resolves from System32 in the same way as the legitimate packages, to one of these REG_MULTI_SZ values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

LSASS reads these values at start-up to determine which security packages it needs for user authentication and policy enforcement, so a package appended here is loaded alongside the legitimate ones and runs as a trusted part of the security subsystem. Note that ATT&CK catalogues abuse of these two values under the sibling sub-techniques T1547.002 (Authentication Package) and T1547.005 (Security Support Provider); T1547.008 proper covers replacing or adding the DLLs that LSASS loads, for example through DLL search order hijacking or side-loading (T1574.001, T1574.002). In practice the three overlap, and the same registry and image-load monitoring covers all of them.

On domain controllers, adversaries may also target less common but equally effective extension points under the NTDS service key, which the directory service loads into the same process:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\LsaDbExtPt

These values also yield execution in the high-privilege context of the security core. On the next reboot LSASS starts, reads the modified configuration, and tries to load every listed package, which brings the attacker's DLL straight into its own address space.
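The procedure above is easier to defend if you can enumerate the same extension points from the other side. The following PowerShell script is an added example for this page (not code from the original post or from MITRE): it reads the Authentication Packages and Security Packages values, the Lsa\OSConfig\Security Packages value that LSASS also consults but the post does not list, and the two NTDS values, resolves each entry to a file, and flags anything that is missing, unsigned, not Microsoft-signed, or outside System32. The function and variable names are this example's own, and it must be run from an elevated session.

```powershell
# Added example, not code from the original post: audit the LSASS extension
# points for entries that do not resolve to a Microsoft-signed DLL in System32.
# Run from an elevated PowerShell session. Helper names are this example's own.

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

function Resolve-LsaPackagePath {
    param([string]$Entry)
    # Package entries are normally bare module names resolved from System32.
    # A rooted path in one of these values is itself worth a second look.
    if ([System.IO.Path]::IsPathRooted($Entry)) { return $Entry }
    $file = if ($Entry -like '*.dll') { $Entry } else { "$Entry.dll" }
    return Join-Path $env:SystemRoot "System32\$file"
}

function New-LsaFinding {
    param([string]$Source, [string]$Entry)
    $path = Resolve-LsaPackagePath $Entry
    # Windows components are usually catalog-signed; Get-AuthenticodeSignature
    # checks catalogs on supported Windows versions, so 'Valid' is expected.
    $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $suspicious = (-not $sig) -or
                  ($sig.Status -ne 'Valid') -or
                  ($signer -notlike '*Microsoft*') -or
                  ($path -notlike "$env:SystemRoot\System32\*")
    [pscustomobject]@{
        Source     = $Source
        Entry      = $Entry
        Path       = $path
        Status     = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer     = $signer
        Suspicious = $suspicious
    }
}

function Get-LsaExtensionPointFindings {
    $findings = @()

    # REG_MULTI_SZ package lists. Blank entries and the literal '""' that a
    # default Security Packages value contains are normal and skipped.
    $multiValues = @(
        @{ Key = $LsaKey;            Name = 'Authentication Packages' },
        @{ Key = $LsaKey;            Name = 'Security Packages' },
        @{ Key = "$LsaKey\OSConfig"; Name = 'Security Packages' }
    )
    foreach ($v in $multiValues) {
        $entries = (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        foreach ($entry in @($entries)) {
            if ([string]::IsNullOrWhiteSpace($entry) -or $entry -eq '""') { continue }
            $findings += New-LsaFinding -Source "$($v.Key)\$($v.Name)" -Entry $entry
        }
    }

    # NTDS extension points: string values present only on domain controllers.
    # Any non-empty value here should be explainable, so report it either way.
    foreach ($name in 'DirectoryServiceExtPt', 'LsaDbExtPt') {
        $entry = (Get-ItemProperty -Path $NtdsKey -Name $name -ErrorAction SilentlyContinue).$name
        if (-not [string]::IsNullOrWhiteSpace($entry)) {
            $findings += New-LsaFinding -Source "$NtdsKey\$name" -Entry $entry
        }
    }
    return $findings
}

$results = Get-LsaExtensionPointFindings
$results | Format-Table Source, Entry, Status, Signer, Suspicious -AutoSize
if ($results | Where-Object Suspicious) {
    Write-Warning 'Unexpected LSASS extension point entries found; review them before the next reboot.'
}
```

Compare the output against a known-good host of the same build rather than against a fixed list, since the legitimate package set varies by Windows version and role; an entry that is signed but unfamiliar still deserves a look at when and by whom the value was last written.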

Because lsass.exe runs as NT AUTHORITY\SYSTEM, the malicious code inherits that privilege level, and because it arrives through a documented extension mechanism it looks like routine LSA activity rather than an injection. This in-process execution is the real prize: the module can read NTLM hashes and Kerberos tickets directly from LSASS memory, performing OS Credential Dumping (T1003) without the cross-process memory reads (OpenProcess and ReadProcessMemory against lsass.exe) or process injection that most endpoint sensors alert on. Two platform controls break this chain: LSA Protection (RunAsPPL) runs LSASS as a protected process and refuses to load plug-ins that are not Microsoft-signed, and Credential Guard moves the secrets into an isolated LSA process (LSAIso.exe) that a module inside lsass.exe cannot read.
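Since the attacker's module arrives through a normal image load rather than a cross-process memory read, the event to watch is the load itself. The PowerShell below is an added example (not from the original post): it runs the detection logic over a few constructed Sysmon Event ID 7 (Image loaded) records, reporting any module loaded into lsass.exe that is not validly Microsoft-signed or not under Windows\System32, shows how to feed it real records from the Sysmon operational log, and finishes by checking whether LSA Protection is on. The record shapes, the module name evilssp.dll, and the helper names are constructed for the example.

```powershell
# Added example, not code from the original post: detect modules loaded into
# lsass.exe that are not Microsoft-signed, using Sysmon Event ID 7 fields.
# The records below are constructed for illustration; the filter is the same
# one you would run over real events (see the live-use lines at the bottom).

$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2026-03-27T08:00:01'; Image = 'C:\Windows\System32\lsass.exe'
                       ImageLoaded = 'C:\Windows\System32\msv1_0.dll';  Signed = 'true'
                       Signature = 'Microsoft Windows'; SignatureStatus = 'Valid' },
    [pscustomobject]@{ TimeCreated = '2026-03-27T08:00:02'; Image = 'C:\Windows\System32\lsass.exe'
                       ImageLoaded = 'C:\Windows\System32\kerberos.dll'; Signed = 'true'
                       Signature = 'Microsoft Windows'; SignatureStatus = 'Valid' },
    # Constructed malicious package: unsigned, dropped into System32 and appended to Security Packages.
    [pscustomobject]@{ TimeCreated = '2026-03-27T08:00:03'; Image = 'C:\Windows\System32\lsass.exe'
                       ImageLoaded = 'C:\Windows\System32\evilssp.dll'; Signed = 'false'
                       Signature = ''; SignatureStatus = 'Unavailable' },
    # Unsigned load in a different process: out of scope for this rule.
    [pscustomobject]@{ TimeCreated = '2026-03-27T08:00:04'; Image = 'C:\Windows\System32\svchost.exe'
                       ImageLoaded = 'C:\Temp\tool.dll'; Signed = 'false'
                       Signature = ''; SignatureStatus = 'Unavailable' }
)

function ConvertFrom-SysmonImageLoad {
    # Flatten a real Sysmon EID 7 EventRecord into the same shape as $sampleEvents.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated     = $Event.TimeCreated
        Image           = $data['Image']
        ImageLoaded     = $data['ImageLoaded']
        Signed          = $data['Signed']
        Signature       = $data['Signature']
        SignatureStatus = $data['SignatureStatus']
    }
}

function Find-SuspiciousLsassLoads {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        if ($Record.Image -notlike '*\lsass.exe') { return }
        $trusted = ($Record.Signed -eq 'true') -and
                   ($Record.SignatureStatus -eq 'Valid') -and
                   ($Record.Signature -like 'Microsoft*')
        $inSystem32 = $Record.ImageLoaded -like '*\Windows\System32\*'
        if (-not $trusted -or -not $inSystem32) {
            [pscustomobject]@{
                Time   = $Record.TimeCreated
                Module = $Record.ImageLoaded
                Signed = $Record.Signed
                Status = $Record.SignatureStatus
                Reason = if (-not $trusted) { 'Not validly Microsoft-signed' } else { 'Loaded from outside System32' }
            }
        }
    }
}

# Over the constructed sample only evilssp.dll is reported.
$sampleEvents | Find-SuspiciousLsassLoads | Format-Table -AutoSize

# Live use, with Sysmon configured to log ImageLoad events for lsass.exe:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } |
#     ForEach-Object { ConvertFrom-SysmonImageLoad $_ } | Find-SuspiciousLsassLoads

# Preventive control: with LSA Protection enabled, LSASS refuses plug-ins that
# are not Microsoft-signed, so the load above would be blocked rather than logged.
$runAsPpl = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).RunAsPPL
'LSA Protection (RunAsPPL): ' + $(if ($runAsPpl -ge 1) { 'enabled' } else { 'NOT enabled' })
```

The signature check is the part that matters; an attacker with administrative rights can place a file in System32, so the path test alone only catches careless tooling. Pair this with a watch on writes to the Lsa and NTDS values (Sysmon Event ID 13 or the Windows Security log with object auditing on those keys) so that the modification is seen before the reboot that activates it.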
