Security Support Provider (SSP) Added to LSA Configuration
Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
Sigma rule (View on GitHub)
1title: Security Support Provider (SSP) Added to LSA Configuration
2id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
3status: test
4description: |
5 Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
6references:
7 - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
8 - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
9author: iwillkeepwatch
10date: 2019-01-18
11modified: 2022-08-09
12tags:
13 - attack.privilege-escalation
14 - attack.persistence
15 - attack.t1547.005
16logsource:
17 category: registry_event
18 product: windows
19detection:
20 selection:
21 TargetObject|endswith:
22 - '\Control\Lsa\Security Packages'
23 - '\Control\Lsa\OSConfig\Security Packages'
24 filter_main_msiexec:
25 Image:
26 - 'C:\Windows\system32\msiexec.exe'
27 - 'C:\Windows\syswow64\MsiExec.exe'
28 condition: selection and not 1 of filter_main_*
29falsepositives:
30 - Unknown
31level: high
References
-
Install-SSP SYNOPSIS Installs a security support provider (SSP) dll. Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None SYNTAX I...
Read More -
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- APT27 - Emissary Panda Activity