Description
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)
Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary under the Windows Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ in the value "Authentication Packages"=<target binary>. The binary is then executed by the system when the authentication packages are loaded at boot.
Platforms
Mitigations (1)
M1025 Privileged Process Integrity
On Windows 8.1, Windows Server 2012 R2, and later versions, LSA can be made to run as a Protected Process Light (PPL) by setting the Registry value RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which requires all DLLs loaded by LSA to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)
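The following audit script is an added example, not part of the ATT&CK page or of any Microsoft tooling: it reads the "Authentication Packages" value described above, checks each listed module against a baseline and its Authenticode signature, reports whether RunAsPPL (mitigation M1025) is set, and pulls recent Security event 4610 entries, which log every package LSA loads. It assumes an elevated PowerShell session on Windows and that msv1_0 is the only package on a clean install (the baseline list is an assumption to adjust per build).

```powershell
# Added audit script (not from the ATT&CK page). Assumes an elevated PowerShell
# session on Windows; the baseline below is an assumption for a default install.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa      = Get-ItemProperty -Path $lsaKey
$baseline = @('msv1_0')   # assumed: the only package present on a clean Windows install

# "Authentication Packages" is REG_MULTI_SZ: one module name (or full path) per entry.
$report = foreach ($pkg in @($lsa.'Authentication Packages')) {
    $file = $pkg
    if (-not $file.EndsWith('.dll', [System.StringComparison]::OrdinalIgnoreCase)) { $file += '.dll' }
    # LSA resolves bare names from System32; a rooted path points somewhere else entirely
    $path = if ([System.IO.Path]::IsPathRooted($file)) { $file }
            else { Join-Path $env:SystemRoot "System32\$file" }
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Package    = $pkg
        Path       = $path
        Exists     = $exists
        InBaseline = ($baseline -contains $pkg)
        SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'missing' }
        Microsoft  = ($signer -like '*Microsoft*')
    }
}
$report | Format-Table -AutoSize

# Anything outside the baseline, unsigned, or not Microsoft-signed is a review item.
$suspect = $report | Where-Object { (-not $_.InBaseline) -or ($_.SigStatus -ne 'Valid') -or (-not $_.Microsoft) }
if ($suspect) { Write-Warning 'Review these authentication packages:'; $suspect | Format-Table -AutoSize }

# M1025: RunAsPPL = 1 runs LSA as a Protected Process Light (2 = enabled without the
# UEFI lock on recent Windows 11 builds), so unsigned packages cannot be loaded.
$ppl = $lsa.RunAsPPL
if ($ppl -in 1, 2) { "RunAsPPL=$ppl : LSA runs as PPL" }
else { Write-Warning 'RunAsPPL not set: LSA is not protected (see mitigation M1025).' }

# Security event 4610 records each package LSA loaded; compare it with the registry view.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4610 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Package'; e = { [regex]::Match($_.Message, 'Package Name:\s*(.+)').Groups[1].Value.Trim() } }
```

Run it from a known-good baseline first and keep the output; a new entry in the registry value, a package resolving outside System32, or a 4610 event for a module absent from the value is the signal worth alerting on.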
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0143 | Flame | Malware | [Flame](https://attack.mitre.org/software/S0143) can use Windows Authentication Packages for persistence.(Citation: Crysys Skywiper) |
References
- Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
- Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.
- Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017.
Frequently Asked Questions
What is T1547.002 (Authentication Package)?
T1547.002 is a MITRE ATT&CK technique named 'Authentication Package'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They...
How can T1547.002 be detected?
Detection of T1547.002 (Authentication Package) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1547.002?
There is 1 documented mitigation for T1547.002: Privileged Process Integrity (M1025).
Which threat groups use T1547.002?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.