Potential LSA Authentication Package Abuse
Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.
Elastic rule

```toml
[metadata]
creation_date = "2021/01/21"
integration = ["endpoint", "m365_defender"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for
privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be
executed by SYSTEM when the authentication packages are loaded.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential LSA Authentication Package Abuse"
risk_score = 47
rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages",
      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages"
  ) and
  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
  not user.id : "S-1-5-18"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential LSA Authentication Package Abuse

The Local Security Authority (LSA) in Windows manages authentication and security policies. Adversaries exploit LSA by modifying registry paths to include malicious binaries, which are executed with SYSTEM privileges during authentication package loading. The detection rule identifies unauthorized registry changes by non-SYSTEM users, signaling potential privilege escalation or persistence attempts.

### Possible investigation steps

- Review the registry change event details to identify the specific binary path added to the LSA Authentication Packages registry key.
- Investigate the user account associated with the registry change event to determine if it is a legitimate user or potentially compromised.
- Check the timestamp of the registry modification to correlate with any other suspicious activities or events on the system around the same time.
- Analyze the binary referenced in the registry change for any known malicious signatures or behaviors using antivirus or threat intelligence tools.
- Examine system logs and security events for any signs of privilege escalation or persistence techniques used by the adversary.
- Assess the system for any additional unauthorized changes or indicators of compromise that may suggest further malicious activity.

### False positive analysis

- Legitimate software installations or updates may modify the LSA authentication package registry path. Users should verify if recent installations or updates coincide with the detected changes and consider excluding these specific software processes if they are deemed safe.
- System administrators or IT management tools might perform authorized changes to the registry for maintenance or configuration purposes. Users can create exceptions for known administrative tools or processes that are regularly used for legitimate system management tasks.
- Security software or endpoint protection solutions may alter the registry as part of their normal operation. Users should identify and whitelist these security applications to prevent unnecessary alerts.
- Custom scripts or automation tools used within the organization might inadvertently trigger this rule. Users should review and document these scripts, ensuring they are secure, and exclude them if they are confirmed to be non-threatening.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious processes associated with the unauthorized registry change to halt potential malicious activity.
- Restore the modified registry path to its original state by removing any unauthorized entries in the LSA Authentication Packages registry key.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious binaries or remnants.
- Review and reset credentials for any accounts that may have been compromised, focusing on those with elevated privileges.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for registry changes, particularly those involving LSA authentication packages, to detect and respond to similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.002"
name = "Authentication Package"
reference = "https://attack.mitre.org/techniques/T1547/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.002"
name = "Authentication Package"
reference = "https://attack.mitre.org/techniques/T1547/002/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
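As an added example (not Elastic's code and not part of the rule), the following Python re-implements the query's conditions over constructed ECS-style registry events and, for each match, diffs the written value data against a baseline to name the package that was added, which is the first investigation step in the guide. The `registry.data.strings` field name and the `msv1_0` baseline are assumptions; adjust the baseline for your own estate.

```python
import fnmatch

SYSTEM_SID = "S-1-5-18"
# Paths from the rule's query; EQL ":" globs are case-insensitive, hence lower().
WATCHED_PATHS = (
    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages",
    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages",
)
# Value content on a stock host (msv1_0 = built-in NTLM package); assumed baseline.
BASELINE_PACKAGES = {"msv1_0"}

def path_matches(path):
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, w.lower()) for w in WATCHED_PATHS)

def rule_matches(event):
    """Same conditions as the EQL query, evaluated over a flat ECS-style dict."""
    return (event.get("host.os.type") == "windows"
            and event.get("event.type") == "change"
            and path_matches(event.get("registry.path", ""))
            and event.get("user.id") != SYSTEM_SID)

def added_packages(event):
    """Names in the written REG_MULTI_SZ data (assumed field registry.data.strings)
    that are not part of the baseline: the binary the analyst must look at first."""
    strings = event.get("registry.data.strings", [])
    return sorted(s for s in strings if s.lower() not in BASELINE_PACKAGES)

def triage(events):
    """One finding per match: who wrote the value, from what process, what was added."""
    return [{"user": ev.get("user.id"), "process": ev.get("process.name"),
             "added": added_packages(ev)} for ev in events if rule_matches(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "change",  # alerts: non-SYSTEM writer
     "registry.path": "HKLM\\SYSTEM\\ControlSet001\\Control\\Lsa\\Authentication Packages",
     "registry.data.strings": ["msv1_0", "EXAMPLE_PKG"],
     "user.id": "S-1-5-21-1111-2222-3333-1001", "process.name": "reg.exe"},
    {"host.os.type": "windows", "event.type": "change",  # suppressed: SYSTEM SID
     "registry.path": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages",
     "registry.data.strings": ["msv1_0"],
     "user.id": "S-1-5-18", "process.name": "services.exe"},
    {"host.os.type": "windows", "event.type": "change",  # no match: another Lsa value
     "registry.path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages",
     "registry.data.strings": ["EXAMPLE_PKG"],
     "user.id": "S-1-5-21-1111-2222-3333-1001", "process.name": "reg.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` yields a single finding naming `EXAMPLE_PKG` as the added package, written by the non-SYSTEM account via `reg.exe`; the SYSTEM-written change and the unrelated `Security Packages` value produce nothing, mirroring the query's exclusions.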
Related rules
- Potential Port Monitor or Print Processor Registration Abuse
- AWS SSM `SendCommand` with Run Shell Command Parameters
- Expired or Revoked Driver Loaded
- Parent Process PID Spoofing
- Potential Shadow File Read via Command Line Utilities