Description
Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
Platforms
Mitigations (1)
Privileged Process IntegrityM1025
Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL, which requires all SSP DLLs to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S0002 | Mimikatz | Tool | The [Mimikatz](https://attack.mitre.org/software/S0002) credential dumper contains an implementation of an SSP.(Citation: Deply Mimikatz) |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can enumerate Security Support Providers (SSPs) as well as utilize [PowerSploit](https://attack.mitr... |
| S0194 | PowerSploit | Tool | [PowerSploit](https://attack.mitre.org/software/S0194)'s <code>Install-SSP</code> Persistence module can be used to establish by installing a SSP DLL.... |
References
- Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
- Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.
Frequently Asked Questions
What is T1547.005 (Security Support Provider)?
T1547.005 is a MITRE ATT&CK technique named 'Security Support Provider'. It belongs to the Persistence, Privilege Escalation tactic(s). Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded...
How can T1547.005 be detected?
Detection of T1547.005 (Security Support Provider) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1547.005?
There are 1 documented mitigations for T1547.005. Key mitigations include: Privileged Process Integrity.
Which threat groups use T1547.005?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.