LSA PPL Protection Setting Modification via CommandLine (8c0eca51-0f88-4db2-9183-fdfb10c703f9)
Detects modification of LSA PPL protection settings via CommandLine. This may indicate an attempt to disable the protection so that credential dumping tools can access LSASS process memory.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Downgrade Attack - T1689 (30904c16-39f9-41c6-b01a-500eb8878442) | Attack Pattern | LSA PPL Protection Setting Modification via CommandLine (8c0eca51-0f88-4db2-9183-fdfb10c703f9) | Sigma-Rules | 1 |