Potential LSA Authentication Package Abuse
Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/21"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for
11privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be
12executed by SYSTEM when the authentication packages are loaded.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential LSA Authentication Package Abuse"
19risk_score = 47
20rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb"
21severity = "medium"
22tags = [
23 "Domain: Endpoint",
24 "OS: Windows",
25 "Use Case: Threat Detection",
26 "Tactic: Privilege Escalation",
27 "Data Source: Elastic Endgame",
28 "Data Source: Elastic Defend",
29]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34registry where host.os.type == "windows" and event.type == "change" and
35 registry.path : (
36 "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages",
37 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages"
38 ) and
39 /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
40 not user.id : "S-1-5-18"
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1547"
48name = "Boot or Logon Autostart Execution"
49reference = "https://attack.mitre.org/techniques/T1547/"
50[[rule.threat.technique.subtechnique]]
51id = "T1547.002"
52name = "Authentication Package"
53reference = "https://attack.mitre.org/techniques/T1547/002/"
54
55
56
57[rule.threat.tactic]
58id = "TA0004"
59name = "Privilege Escalation"
60reference = "https://attack.mitre.org/tactics/TA0004/"
61[[rule.threat]]
62framework = "MITRE ATT&CK"
63[[rule.threat.technique]]
64id = "T1547"
65name = "Boot or Logon Autostart Execution"
66reference = "https://attack.mitre.org/techniques/T1547/"
67[[rule.threat.technique.subtechnique]]
68id = "T1547.002"
69name = "Authentication Package"
70reference = "https://attack.mitre.org/techniques/T1547/002/"
71
72
73
74[rule.threat.tactic]
75id = "TA0003"
76name = "Persistence"
77reference = "https://attack.mitre.org/tactics/TA0003/"
Related rules
- Component Object Model Hijacking
- Conhost Spawned By Suspicious Parent Process
- Disabling User Account Control via Registry Modification
- Persistence via PowerShell profile
- Persistence via TelemetryController Scheduled Task Hijack