Potential LSA Authentication Package Abuse
Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/21"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for
13privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be
14executed by SYSTEM when the authentication packages are loaded.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.registry-*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential LSA Authentication Package Abuse"
21risk_score = 47
22rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb"
23severity = "medium"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29registry where host.os.type == "windows" and event.type == "change" and
30 registry.path : (
31 "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages",
32 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages"
33 ) and
34 /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
35 not user.id : "S-1-5-18"
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1547"
43name = "Boot or Logon Autostart Execution"
44reference = "https://attack.mitre.org/techniques/T1547/"
45[[rule.threat.technique.subtechnique]]
46id = "T1547.002"
47name = "Authentication Package"
48reference = "https://attack.mitre.org/techniques/T1547/002/"
49
50
51
52[rule.threat.tactic]
53id = "TA0004"
54name = "Privilege Escalation"
55reference = "https://attack.mitre.org/tactics/TA0004/"
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1547"
60name = "Boot or Logon Autostart Execution"
61reference = "https://attack.mitre.org/techniques/T1547/"
62[[rule.threat.technique.subtechnique]]
63id = "T1547.002"
64name = "Authentication Package"
65reference = "https://attack.mitre.org/techniques/T1547/002/"
66
67
68
69[rule.threat.tactic]
70id = "TA0003"
71name = "Persistence"
72reference = "https://attack.mitre.org/tactics/TA0003/"
Related rules
- Bypass UAC via Event Viewer
- Component Object Model Hijacking
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of a new GPO Scheduled Task or Service
- Disabling User Account Control via Registry Modification