Installation of Security Support Provider

calendar Sep 5, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Data Source: Elastic Endgame Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/18"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may
13abuse this to establish persistence in an environment.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Installation of Security Support Provider"
20note = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
23"""
24risk_score = 47
25rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
28timestamp_override = "event.ingested"
29type = "eql"
30
31query = '''
32registry where host.os.type == "windows" and
33   registry.path : (
34      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
35      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*",
36      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
37      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*"
38   ) and
39   not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1547"
47name = "Boot or Logon Autostart Execution"
48reference = "https://attack.mitre.org/techniques/T1547/"
49[[rule.threat.technique.subtechnique]]
50id = "T1547.005"
51name = "Security Support Provider"
52reference = "https://attack.mitre.org/techniques/T1547/005/"
53
54
55
56[rule.threat.tactic]
57id = "TA0003"
58name = "Persistence"
59reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

Related rules

to-top