T1547.002 - Registry Edit to Register a New LSA Authentication Package DLL
Flags modification of the "Authentication Packages" value under the "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" key. Attackers may append malicious DLL names (without extension) to the value. These DLLs need to be placed in "%WINDIR%\System32" and will be loaded by the lsass process at boot to achieve persistence.
References:
https://attack.mitre.org/techniques/T1547/002/
https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/authenticationpackages.md
https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
ATT&CK Coverage
Analytic Code
LSA Authentication Package Registry Modification (Pseudocode, CAR)
This search detects modifications of the registry key value via registry events.
Splunk Search - Modification of LSA Authentication Packages key value (Splunk)
event_id=13 TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages"
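The same logic as the Splunk search above, applied to a few constructed Sysmon Event ID 13 (RegistryEvent, value set) records; this is an added example and not part of the CAR analytic or its pseudocode. It also covers two points the one-line search does not: it folds a numbered control set (ControlSet001) onto CurrentControlSet so the literal path still matches, and it splits the REG_MULTI_SZ value so any package beyond the assumed default of msv1_0 is called out. The separator format and the baseline are assumptions; the sample events are constructed.

```python
import re

# Constructed Sysmon events; field names follow Sysmon's RegistryEvent schema.
SAMPLE_EVENTS = [
    {"event_id": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages",
     "Details": "msv1_0\nunknownpkg"},          # an extra package was appended
    {"event_id": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages",
     "Details": "msv1_0"},                      # numbered control set, default value
    {"event_id": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos\nmsv1_0"},            # different value, out of scope here
    {"event_id": 1, "Image": r"C:\Windows\System32\cmd.exe"},  # not a registry event
]

LSA_AUTH_PKG = r"hklm\system\currentcontrolset\control\lsa\authentication packages"
BASELINE = frozenset({"msv1_0"})  # assumed default content of the value
_CONTROLSET_RE = re.compile(r"\\controlset\d{3}\\")


def normalise_key(path):
    """Lower-case the key path and map ControlSet00N onto CurrentControlSet, so
    writes logged through a numbered control set still match the analytic."""
    return _CONTROLSET_RE.sub(r"\\currentcontrolset\\", path.lower())


def parse_packages(details):
    """Split a REG_MULTI_SZ rendering into package names. How the log source
    separates entries varies, so newline, NUL and a literal \\0 are all accepted
    (assumption for this example)."""
    parts = re.split(r"\n|\x00|\\0", details or "")
    return [p.strip().lower() for p in parts if p.strip()]


def detect(events, baseline=BASELINE):
    """Return one alert per Event ID 13 that sets the LSA Authentication Packages
    value; severity is raised when a package outside the baseline is present."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 13:
            continue
        if normalise_key(ev.get("TargetObject", "")) != LSA_AUTH_PKG:
            continue
        packages = parse_packages(ev.get("Details"))
        unexpected = [p for p in packages if p not in baseline]
        alerts.append({"image": ev.get("Image"), "packages": packages,
                       "unexpected": unexpected,
                       "severity": "high" if unexpected else "info"})
    return alerts
```

Any hit on this value is worth a ticket, since legitimate changes are rare; the baseline should be set from your own build image rather than assumed.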
Test Cases
(Requires Atomic Red Team) https://github.com/redcanaryco/atomic-red-team
Invoke-AtomicTest -TestGuids be2590e8-4ac3-47ac-b4b5-945820f2fbe9
Data Model Mappings
Elements from the CAR data model that are required for this analytic. This is required.
Developer Certificate of Origin
DCO signed-off-by: Thomas de Brelaz [email protected]