Installation of Security Support Provider

Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/11/18"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may
abuse this to establish persistence in an environment.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Installation of Security Support Provider"
risk_score = 47
rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
   registry.path : (
      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
      "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
      "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*"
   ) and
   not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Installation of Security Support Provider

Security Support Providers (SSPs) in Windows environments facilitate authentication processes. Adversaries may exploit SSPs by modifying registry entries to maintain persistence or evade defenses. The detection rule identifies suspicious changes to specific registry paths associated with SSPs, excluding legitimate processes like msiexec.exe, to flag potential unauthorized modifications indicative of malicious activity.

### Possible investigation steps

- Review the registry change event details to identify the specific registry path that was modified, focusing on paths related to "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages" and "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages".
- Investigate the process responsible for the registry modification by examining the process executable path, ensuring it is not a legitimate process like "C:\\Windows\\System32\\msiexec.exe" or "C:\\Windows\\SysWOW64\\msiexec.exe".
- Check the historical activity of the identified process to determine if it has been involved in other suspicious activities or registry changes.
- Analyze the user account context under which the process was executed to assess if it aligns with expected behavior or if it indicates potential compromise.
- Correlate the event with other security alerts or logs from data sources such as Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to gather additional context and identify any related malicious activity.
- Evaluate the potential impact of the registry change on system security and persistence mechanisms, considering the MITRE ATT&CK tactic of Persistence and technique T1547.

### False positive analysis

- Legitimate software installations or updates may trigger registry changes in SSP paths. Users can create exceptions for known software installers or updaters that frequently modify these registry entries.
- System administrators performing routine maintenance or configuration changes might inadvertently cause registry modifications. Document and exclude these activities when they are verified as non-threatening.
- Security software updates, including those from Microsoft or third-party vendors, may alter SSP configurations as part of their normal operation. Monitor and whitelist these updates to prevent false alerts.
- Automated deployment tools or scripts that modify system settings could lead to false positives. Ensure these tools are accounted for and excluded if they are part of regular operations.
- Custom scripts or applications developed in-house that interact with SSP registry paths should be reviewed and excluded if they are deemed safe and necessary for business operations.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes that are not whitelisted, especially those modifying the registry paths associated with Security Support Providers.
- Restore the modified registry entries to their original state using a known good backup or by manually correcting the entries to remove unauthorized changes.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious software or artifacts.
- Review and update access controls and permissions to ensure that only authorized personnel can modify critical registry paths related to Security Support Providers.
- Monitor the affected system and network for any signs of re-infection or further suspicious activity, focusing on registry changes and process executions.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.005"
name = "Security Support Provider"
reference = "https://attack.mitre.org/techniques/T1547/005/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
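To see what the query above actually admits and excludes, here is the rule's matching logic modelled in Python and run over a handful of constructed registry events. This is an added example, not Elastic's code and not how the EQL engine evaluates the query; it assumes that EQL's ":" operator is a case-insensitive wildcard match (only "*" is special), that an event with no process.executable recorded is not excluded, and that the REG_MULTI_SZ value of "Security Packages" arrives in the ECS field registry.data.strings, which the triage helper at the end diffs against a baseline to show exactly which package name a write introduced.

```python
"""Offline model of the "Installation of Security Support Provider" rule.
Added example; not Elastic's code and not the EQL engine's semantics."""
import re

# Registry path patterns copied from the rule's EQL query. EQL writes a literal
# backslash as "\\" inside double-quoted strings; Python raw strings need only
# one. "*" matches any run of characters, so "*ControlSet*" covers both
# "CurrentControlSet" and "ControlSet001".
SSP_PATH_PATTERNS = [
    r"HKLM\SYSTEM\*ControlSet*\Control\Lsa\Security Packages*",
    r"HKLM\SYSTEM\*ControlSet*\Control\Lsa\OSConfig\Security Packages*",
    r"\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa\Security Packages*",
    r"\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa\OSConfig\Security Packages*",
    r"MACHINE\SYSTEM\*ControlSet*\Control\Lsa\Security Packages*",
    r"MACHINE\SYSTEM\*ControlSet*\Control\Lsa\OSConfig\Security Packages*",
]

# Executables the rule excludes (the "not process.executable : (...)" clause).
EXCLUDED_EXECUTABLES = [
    r"C:\Windows\System32\msiexec.exe",
    r"C:\Windows\SysWOW64\msiexec.exe",
]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an EQL-style wildcard pattern into an anchored, case-insensitive regex.
    Only "*" is special; every other character, backslashes included, is literal.
    (Assumption: EQL ":" on keyword fields is case-insensitive.)"""
    pieces = (re.escape(piece) for piece in pattern.split("*"))
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


SSP_PATH_REGEXES = [wildcard_to_regex(p) for p in SSP_PATH_PATTERNS]
EXCLUDED_REGEXES = [wildcard_to_regex(p) for p in EXCLUDED_EXECUTABLES]


def matches_rule(event: dict) -> bool:
    """True when a flat ECS-style event satisfies the rule's query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    path = event.get("registry.path", "")
    if not any(rx.match(path) for rx in SSP_PATH_REGEXES):
        return False
    # Assumption of this model: no recorded executable means no exclusion applies.
    exe = event.get("process.executable", "")
    return not any(rx.match(exe) for rx in EXCLUDED_REGEXES)


def added_packages(before: list[str], after: list[str]) -> list[str]:
    """Package names present in the new "Security Packages" value (REG_MULTI_SZ,
    assumed to arrive as registry.data.strings) but absent from a known-good
    baseline. Names are compared case-insensitively; order of 'after' is kept."""
    baseline = {name.lower() for name in before}
    return [name for name in after if name.lower() not in baseline]


# Constructed sample events; none of this is real telemetry.
SAMPLE_EVENTS = [
    {  # unknown installer writes Security Packages -> alerts
        "host.os.type": "windows", "event.type": "change",
        "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Lsa\Security Packages",
        "process.executable": r"C:\Users\alice\Downloads\setup.exe",
    },
    {  # same path written by the excluded msiexec.exe -> no alert
        "host.os.type": "windows", "event.type": "change",
        "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Lsa\Security Packages",
        "process.executable": r"C:\Windows\System32\msiexec.exe",
    },
    {  # native-format path under OSConfig, edited interactively -> alerts
        "host.os.type": "windows", "event.type": "change",
        "registry.path": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages",
        "process.executable": r"C:\Windows\regedit.exe",
    },
    {  # unrelated key under SYSTEM -> no alert
        "host.os.type": "windows", "event.type": "change",
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
        "process.executable": r"C:\Users\alice\Downloads\setup.exe",
    },
    {  # not a Windows host -> no alert regardless of path
        "host.os.type": "linux", "event.type": "change",
        "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages",
        "process.executable": "/usr/bin/python3",
    },
]


def evaluate_samples() -> list[bool]:
    """Apply the modelled rule to every sample event, in order."""
    return [matches_rule(event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("ALERT " if hit else "ignore", event["registry.path"], "<-", event["process.executable"])
    # Constructed before/after values for the triage helper.
    print("added:", added_packages(["kerberos", "msv1_0"], ["kerberos", "MSV1_0", "newpkg"]))
```

Two things worth noticing when reading the results: the exclusion is keyed only on the executable path, so any write not coming from those two msiexec locations alerts, which is why the false-positive section above recommends exceptions for known installers; and because the match is case-insensitive, a path logged in lower case by one data source still matches the same pattern.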
