T1547.002 - Registry Edit to Register a New LSA Authentication Package DLL
hunty-dumpy opened this issue · comments
T1547.002 - Registry Edit to Register a New LSA Authentication Package DLL
Flags the modification of the "Authentication Packages" value "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" Key. Attackers may append malicious DLL names (without extension) to the key. These DLLs need to be placed in "%WINDIR%\System32" and will be loaded by the lsass process at boot to archive persistence.
References:
https://attack.mitre.org/techniques/T1547/002/
https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/authenticationpackages.md
https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
ATT&CK Coverage
| Technique | Level of Coverage |
|---|---|
| T1547.002 | Moderate |
Analytic Code
LSA Authentication Package Registry Modification (Pseudocode, CAR)
This search detects modifications of the registry key value via registry events.
reg_keys = search Registry:value_edit
lsa_authpackage_reg_key = filter reg_keys where (value="Authentication Packages") AND reg_keys (key="HKLM\SYSTEM\CurrentControlSet\Control\Lsa")
output lsa_authpackage_reg_key
Splunk Search - Modification of LSA Authentication Packages key value (Splunk)
event_id=13 TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages"
Test Cases
*(Requires Atomic red team) https://github.com/redcanaryco/atomic-red-team
Invoke-AtomicTest -TestGuids be2590e8-4ac3-47ac-b4b5-945820f2fbe9
Data Model Mappings
Elements from the CAR data model that are required for this analytic. This is required.
| Object | Action | Field |
|---|---|---|
| Registry | value_edit | key |
| Registry | value_edit | value |
Developer Certificate of Origin
DCO signed-off-by: Thomas de Brelaz thockoro@hotmail.com