Ghost in LSASS: Detecting KslKatz Credential Dumping Framework

ID: f85b0df7-d8f2-50f4-9649-5c293158b392

STIX ID: report--f85b0df7-d8f2-50f4-9649-5c293158b392

Feed Name: Detect FYI

Threat Score
35/100

Date Published: 2026-03-27

Date Updated: 2026-04-19

Author: Omar Tarek Zayed

This report provides a Kusto detection query and an explainable scoring model to identify suspicious modifications to the KslD Windows kernel driver (registry changes to the KslD service, non‑Defender AllowedProcessName entries, vulnerable ImagePath values, and driver file artifacts such as KslD.sys/vKslD.sys and a specific SHA256). The rule uses left outer joins between registry and file telemetry, flags user-writable or privileged initiators, and assigns a simple suspicion score to prioritize investigations.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.