Security Support Provider (SSP) Added to LSA Configuration
Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
Sigma rule (View on GitHub)
1title: Security Support Provider (SSP) Added to LSA Configuration
2id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
3status: test
4description: |
5 Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
6references:
7 - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
8 - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
9author: iwillkeepwatch
10date: 2019/01/18
11modified: 2022/08/09
12tags:
13 - attack.persistence
14 - attack.t1547.005
15logsource:
16 category: registry_event
17 product: windows
18detection:
19 selection:
20 TargetObject|endswith:
21 - '\Control\Lsa\Security Packages'
22 - '\Control\Lsa\OSConfig\Security Packages'
23 filter_main_msiexec:
24 Image:
25 - 'C:\Windows\system32\msiexec.exe'
26 - 'C:\Windows\syswow64\MsiExec.exe'
27 condition: selection and not 1 of filter_main_*
28falsepositives:
29 - Unknown
30level: high
References
Related rules
- Add Port Monitor Persistence in Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- Default RDP Port Changed to Non Standard Port
- FlowCloud Registry Markers
- New TimeProviders Registered With Uncommon DLL Name