T1547.002 - Registry Edit to Register a New LSA Authentication Package DLL

[hunty-dumpy]

T1547.002 - Registry Edit to Register a New LSA Authentication Package DLL

Flags the modification of the "Authentication Packages" value "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" Key. Attackers may append malicious DLL names (without extension) to the key. These DLLs need to be placed in "%WINDIR%\System32\" and will be loaded by the lsass process at boot to archive persistence.

References: https://attack.mitre.org/techniques/T1547/002/ https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/authenticationpackages.md https://pentestlab.blog/2019/10/21/persistence-security-support-provider/

ATT&CK Coverage

Technique	Level of Coverage
T1547.002	Moderate

Analytic Code

LSA Authentication Package Registry Modification (Pseudocode, CAR) This search detects modifications of the registry key value via registry events.

reg_keys = search Registry:value_edit
lsa_authpackage_reg_key = filter reg_keys where (value="Authentication Packages") AND reg_keys (key="HKLM\SYSTEM\CurrentControlSet\Control\Lsa")
output lsa_authpackage_reg_key

Splunk Search - Modification of LSA Authentication Packages key value (Splunk)

event_id=13 TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages"

Test Cases

*(Requires Atomic red team) https://github.com/redcanaryco/atomic-red-team Invoke-AtomicTest -TestGuids be2590e8-4ac3-47ac-b4b5-945820f2fbe9

Data Model Mappings

Elements from the CAR data model that are required for this analytic. This is required.

Object	Action	Field
Registry	value_edit	key
Registry	value_edit	value

Developer Certificate of Origin

DCO signed-off-by: Thomas de Brelaz thockoro@hotmail.com