Potential LSA Authentication Package Abuse

Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/01/21"
 3integration = ["endpoint", "m365_defender"]
 4maturity = "production"
 5updated_date = "2024/10/10"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for
11privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be
12executed by SYSTEM when the authentication packages are loaded.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential LSA Authentication Package Abuse"
19risk_score = 47
20rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb"
21severity = "medium"
22tags = [
23    "Domain: Endpoint",
24    "OS: Windows",
25    "Use Case: Threat Detection",
26    "Tactic: Privilege Escalation",
27    "Data Source: Elastic Endgame",
28    "Data Source: Elastic Defend",
29    "Data Source: Microsoft Defender for Endpoint",
30]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35registry where host.os.type == "windows" and event.type == "change" and
36  registry.path : (
37      "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages",
38      "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages"
39  ) and
40  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
41  not user.id : "S-1-5-18"
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1547"
49name = "Boot or Logon Autostart Execution"
50reference = "https://attack.mitre.org/techniques/T1547/"
51[[rule.threat.technique.subtechnique]]
52id = "T1547.002"
53name = "Authentication Package"
54reference = "https://attack.mitre.org/techniques/T1547/002/"
55
56
57
58[rule.threat.tactic]
59id = "TA0004"
60name = "Privilege Escalation"
61reference = "https://attack.mitre.org/tactics/TA0004/"
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64[[rule.threat.technique]]
65id = "T1547"
66name = "Boot or Logon Autostart Execution"
67reference = "https://attack.mitre.org/techniques/T1547/"
68[[rule.threat.technique.subtechnique]]
69id = "T1547.002"
70name = "Authentication Package"
71reference = "https://attack.mitre.org/techniques/T1547/002/"
72
73
74
75[rule.threat.tactic]
76id = "TA0003"
77name = "Persistence"
78reference = "https://attack.mitre.org/tactics/TA0003/"

Related rules

to-top