Potential LSA Authentication Package Abuse
Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/21"
3integration = ["endpoint", "m365_defender"]
4maturity = "production"
5updated_date = "2024/10/10"
6
7[rule]
8author = ["Elastic"]
9description = """
10Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for
11privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be
12executed by SYSTEM when the authentication packages are loaded.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential LSA Authentication Package Abuse"
19risk_score = 47
20rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb"
21severity = "medium"
22tags = [
23 "Domain: Endpoint",
24 "OS: Windows",
25 "Use Case: Threat Detection",
26 "Tactic: Privilege Escalation",
27 "Data Source: Elastic Endgame",
28 "Data Source: Elastic Defend",
29 "Data Source: Microsoft Defender for Endpoint",
30]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35registry where host.os.type == "windows" and event.type == "change" and
36 registry.path : (
37 "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages",
38 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Authentication Packages"
39 ) and
40 /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
41 not user.id : "S-1-5-18"
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1547"
49name = "Boot or Logon Autostart Execution"
50reference = "https://attack.mitre.org/techniques/T1547/"
51[[rule.threat.technique.subtechnique]]
52id = "T1547.002"
53name = "Authentication Package"
54reference = "https://attack.mitre.org/techniques/T1547/002/"
55
56
57
58[rule.threat.tactic]
59id = "TA0004"
60name = "Privilege Escalation"
61reference = "https://attack.mitre.org/tactics/TA0004/"
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64[[rule.threat.technique]]
65id = "T1547"
66name = "Boot or Logon Autostart Execution"
67reference = "https://attack.mitre.org/techniques/T1547/"
68[[rule.threat.technique.subtechnique]]
69id = "T1547.002"
70name = "Authentication Package"
71reference = "https://attack.mitre.org/techniques/T1547/002/"
72
73
74
75[rule.threat.tactic]
76id = "TA0003"
77name = "Persistence"
78reference = "https://attack.mitre.org/tactics/TA0003/"
Related rules
- Disabling User Account Control via Registry Modification
- Potential Port Monitor or Print Processor Registration Abuse
- Potential privilege escalation via CVE-2022-38028
- Privilege Escalation via Named Pipe Impersonation
- Suspicious Print Spooler File Deletion