Potential LSA Authentication Package Abuse
Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/01/21"
integration = ["endpoint", "m365_defender"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for
privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be
executed by SYSTEM when the authentication packages are loaded.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential LSA Authentication Package Abuse"
risk_score = 47
rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Privilege Escalation",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Microsoft Defender XDR",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
    "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages",
    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages"
  ) and
  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
  not user.id : "S-1-5-18"
'''

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
"""

note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential LSA Authentication Package Abuse

The Local Security Authority (LSA) in Windows manages authentication and security policies. Adversaries exploit LSA by modifying registry paths to include malicious binaries, which are executed with SYSTEM privileges during authentication package loading. The detection rule identifies unauthorized registry changes by non-SYSTEM users, signaling potential privilege escalation or persistence attempts.

### Possible investigation steps

- Review the registry change event details to identify the specific binary path added to the LSA Authentication Packages registry key.
- Investigate the user account associated with the registry change event to determine if it is a legitimate user or potentially compromised.
- Check the timestamp of the registry modification to correlate with any other suspicious activities or events on the system around the same time.
- Analyze the binary referenced in the registry change for any known malicious signatures or behaviors using antivirus or threat intelligence tools.
- Examine system logs and security events for any signs of privilege escalation or persistence techniques used by the adversary.
- Assess the system for any additional unauthorized changes or indicators of compromise that may suggest further malicious activity.

### False positive analysis

- Legitimate software installations or updates may modify the LSA authentication package registry path. Users should verify if recent installations or updates coincide with the detected changes and consider excluding these specific software processes if they are deemed safe.
- System administrators or IT management tools might perform authorized changes to the registry for maintenance or configuration purposes. Users can create exceptions for known administrative tools or processes that are regularly used for legitimate system management tasks.
- Security software or endpoint protection solutions may alter the registry as part of their normal operation. Users should identify and whitelist these security applications to prevent unnecessary alerts.
- Custom scripts or automation tools used within the organization might inadvertently trigger this rule. Users should review and document these scripts, ensuring they are secure, and exclude them if they are confirmed to be non-threatening.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious processes associated with the unauthorized registry change to halt potential malicious activity.
- Restore the modified registry path to its original state by removing any unauthorized entries in the LSA Authentication Packages registry key.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious binaries or remnants.
- Review and reset credentials for any accounts that may have been compromised, focusing on those with elevated privileges.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for registry changes, particularly those involving LSA authentication packages, to detect and respond to similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.002"
name = "Authentication Package"
reference = "https://attack.mitre.org/techniques/T1547/002/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.002"
name = "Authentication Package"
reference = "https://attack.mitre.org/techniques/T1547/002/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
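To make the query's match logic concrete, the following is an added Python example (not code from the Elastic rule or its repository) that re-implements the rule's conditions over constructed registry-change events and then diffs the REG_MULTI_SZ value against a known-good list to name the entry that was added, which is the first investigation step above. The baseline `["msv1_0"]` is an assumption (the value Windows ships with); replace it with your environment's known-good set.

```python
import fnmatch

# Path patterns copied from the rule's query; EQL "*" maps onto fnmatch "*".
LSA_AUTH_PKG_PATHS = (
    r"HKLM\SYSTEM\*ControlSet*\Control\Lsa\Authentication Packages",
    r"\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa\Authentication Packages",
)
SYSTEM_SID = "S-1-5-18"   # the rule excludes changes made as SYSTEM
BASELINE = ["msv1_0"]     # assumed known-good value (the Windows default)


def matches_rule(event: dict) -> bool:
    """Mirror the EQL: registry change on Windows, LSA auth-packages path, non-SYSTEM user."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    # EQL ':' string comparison is case-insensitive, so compare lower-cased.
    path = event.get("registry.path", "").lower()
    if not any(fnmatch.fnmatchcase(path, p.lower()) for p in LSA_AUTH_PKG_PATHS):
        return False
    return event.get("user.id") != SYSTEM_SID


def added_packages(baseline: list, new_value: list) -> list:
    """Entries in the new REG_MULTI_SZ value that are not in the known-good list."""
    return [pkg for pkg in new_value if pkg not in baseline]


# Constructed sample events using ECS field names (not real telemetry).
EVENTS = [
    {"host.os.type": "windows", "event.type": "change",
     "user.id": "S-1-5-21-1111-2222-3333-1001",
     "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages",
     "registry.data.strings": ["msv1_0", "unknownpkg"]},   # non-SYSTEM user adds an entry: hit
    {"host.os.type": "windows", "event.type": "change", "user.id": SYSTEM_SID,
     "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages",
     "registry.data.strings": ["msv1_0"]},                  # SYSTEM rewrites the value: excluded
    {"host.os.type": "windows", "event.type": "change",
     "user.id": "S-1-5-21-1111-2222-3333-1001",
     "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages",
     "registry.data.strings": ["kerberos"]},                # different LSA value: out of scope
]


def triage(events=EVENTS) -> list:
    """Return (user SID, newly added packages) for every event the rule would alert on."""
    return [(ev["user.id"], added_packages(BASELINE, ev["registry.data.strings"]))
            for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for sid, added in triage():
        print(f"alert: user {sid} added {added}")
```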
Related rules
- Creation or Modification of a new GPO Scheduled Task or Service
- Deprecated - Suspicious PrintSpooler Service Executable File Creation
- Disabling User Account Control via Registry Modification
- Persistence via PowerShell profile
- Potential Exploitation of an Unquoted Service Path Vulnerability