Installation of Security Support Provider

Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/18"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may
13abuse this to establish persistence in an environment.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Installation of Security Support Provider"
20note = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
23"""
24risk_score = 47
25rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
28timestamp_override = "event.ingested"
29type = "eql"
30
31query = '''
32registry where host.os.type == "windows" and
33   registry.path : (
34      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
35      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
36      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
37      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*"
38   ) and
39   not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1547"
47name = "Boot or Logon Autostart Execution"
48reference = "https://attack.mitre.org/techniques/T1547/"
49[[rule.threat.technique.subtechnique]]
50id = "T1547.005"
51name = "Security Support Provider"
52reference = "https://attack.mitre.org/techniques/T1547/005/"
53
54
55
56[rule.threat.tactic]
57id = "TA0003"
58name = "Persistence"
59reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

Related rules

to-top