Installation of Security Support Provider

Identifies modifications to the `Security Packages` registry values under `HKLM\SYSTEM\*ControlSet*\Control\Lsa` and `...\Lsa\OSConfig`, where Windows Security Support Providers (SSPs) are registered. Because an SSP DLL listed there is loaded by the Local Security Authority at startup (MITRE ATT&CK T1547.005), adversaries may abuse this to establish persistence in an environment.

Elastic rule (View on GitHub)

# Rule bookkeeping consumed by the detection-rules tooling; none of this affects the query.
[metadata]
# Dates are YYYY/MM/DD strings - the schema does not use native TOML dates.
creation_date = "2020/11/18"
# Fleet integrations whose data streams appear in `index` under [rule]: Elastic Defend
# (`endpoint`) and the Windows integration (`windows`, source of the Sysmon operational log).
# Winlogbeat and Endgame indices are also queried but are not Fleet integrations.
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Oldest Elastic Stack release that understands every field this rule uses.
min_stack_version = "8.3.0"
updated_date = "2024/03/28"

[rule]
author = ["Elastic"]
description = """
Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may
abuse this to establish persistence in an environment.
"""
# Lookback window per execution. Intended to be wider than the schedule interval so that
# events ingested with a delay still land inside some window (see `timestamp_override`).
from = "now-9m"
# Registry telemetry from Winlogbeat, Elastic Defend (`logs-endpoint.events.registry-*`),
# Sysmon via the Windows integration, and Elastic Endgame. The query below reads
# `registry.path` and `process.executable` from these documents.
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Installation of Security Support Provider"
# Paired with `severity = "medium"` below.
risk_score = 47
rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787"
# Why this matters: the rule evaluates its window against `event.ingested` (see
# `timestamp_override`). Beats indices on stacks older than 8.2 do not populate that field,
# so without the pipeline described here the rule may never match on those indices.
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
# Evaluate the `from` window on ingest time rather than `@timestamp`, so forwarding delays
# do not push an event out of the window. Requires `event.ingested` to exist (see `setup`).
timestamp_override = "event.ingested"
type = "eql"

# Detection logic. Notes for reviewers and tuners:
#  * Both the `HKLM\...` and `\REGISTRY\MACHINE\...` spellings are listed; data sources
#    differ in how they render the hive prefix, so removing either form would lose coverage.
#  * `*ControlSet*` covers CurrentControlSet as well as the numbered ControlSet00N keys,
#    so a registration written to a non-active control set is still caught.
#  * The trailing `*` after `Security Packages` also admits any value whose name merely
#    starts with that string. Keep this in mind when reviewing hits.
#  * There is no `event.type` / `event.action` constraint: every registry event a source
#    emits for these paths matches, not only additions. Check the event type during triage.
#  * The only exclusion is `msiexec.exe`, matched by path alone - no signature, parent or
#    package check. Writing HKLM already requires administrative rights, and an attacker
#    holding them can wrap the SSP registration in an MSI and run it through the genuine
#    msiexec.exe, which this exclusion suppresses entirely. If the deployed sources populate
#    `process.code_signature.*` or parent-process fields, consider tightening the exclusion,
#    or cover msiexec-sourced changes in a separate, lower-severity rule.
query = '''
registry where host.os.type == "windows" and
   registry.path : (
      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*"
   ) and
   not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")
'''


# Primary MITRE ATT&CK mapping. One [[rule.threat]] entry per tactic; the technique and
# sub-technique tables between this header and [rule.threat.tactic] belong to this entry.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
# The `Lsa\Security Packages` values the query watches are the SSP autostart location
# described by this sub-technique.
[[rule.threat.technique.subtechnique]]
id = "T1547.005"
name = "Security Support Provider"
reference = "https://attack.mitre.org/techniques/T1547/005/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"



# Secondary mapping: the mechanism is a registry write, which ATT&CK also classifies as
# T1112 Modify Registry under Defense Evasion. This entry is why the rule carries the
# "Tactic: Defense Evasion" tag.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
