LSA Authentication Package¶
Adversaries can use the auto-start mechanism provided by LSA Authentication Packages for persistence.
id: | 077b1d1b-34ff-42d2-bd48-b0e6cdd1a359 |
---|---|
categories: | enrich |
confidence: | low |
os: | windows |
created: | 7/26/2019 |
updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
tactics: | Persistence |
---|---|
techniques: | T1131 Authentication Package |
Query¶
registry where hive.hklm and
registry_path == "*ControlSet*\\Control\\Lsa\\Authentication Packages*"