T1547.002 - Registry Edit to Register a New LSA Authentication Package DLL
Flags the modification of the "Authentication Packages" value "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" Key. Attackers may append malicious DLL names (without extension) to the key. These DLLs need to be placed in "%WINDIR%\System32\" and will be loaded by the lsass process at boot to archive persistence.
T1547.002 - Registry Edit to Register a New LSA Authentication Package DLL
Flags the modification of the "Authentication Packages" value "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" Key. Attackers may append malicious DLL names (without extension) to the key. These DLLs need to be placed in "%WINDIR%\System32\" and will be loaded by the lsass process at boot to archive persistence.
References: https://attack.mitre.org/techniques/T1547/002/ https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/authenticationpackages.md https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
ATT&CK Coverage
Analytic Code
LSA Authentication Package Registry Modification (Pseudocode, CAR) This search detects modifications of the registry key value via registry events.
Splunk Search - Modification of LSA Authentication Packages key value (Splunk)
event_id=13 TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages"
Test Cases
*(Requires Atomic red team) https://github.com/redcanaryco/atomic-red-team
Invoke-AtomicTest -TestGuids be2590e8-4ac3-47ac-b4b5-945820f2fbe9
Data Model Mappings
Elements from the CAR data model that are required for this analytic. This is required.
Developer Certificate of Origin
DCO signed-off-by: Thomas de Brelaz thockoro@hotmail.com