Матрица MITRE ATT&CK

Technique on mitre.org

T1547.002: Authentication Package

Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.

Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa</code> with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.

Positive Technologies products that cover the technique

Description of detection methods is not available yet

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may abuse authentication packages to execute DLLs when the system boots.

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Monitor the Registry for changes to the LSA Registry keys. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe` with AuditLevel = 8.

ID	DS0011	Data source and component	Module: Module Load	Description	Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe` with AuditLevel = 8.

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands and arguments that may abuse authentication packages to execute DLLs when the system boots.
DS0024	Windows Registry: Windows Registry Key Modification	Monitor the Registry for changes to the LSA Registry keys. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe` with AuditLevel = 8.
DS0011	Module: Module Load	Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned DLLs try to load into the LSA by setting the Registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe` with AuditLevel = 8.

Mitigation

ID	M1025	Name	Privileged Process Integrity	Description	Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`, which requires all DLLs loaded by LSA to be signed by Microsoft.

ID	Name	Description
M1025	Privileged Process Integrity	Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`, which requires all DLLs loaded by LSA to be signed by Microsoft.