LSA Authentication Package¶
Adversaries can use the auto-start mechanism provided by LSA Authentication Packages for persistence.
| id: | 077b1d1b-34ff-42d2-bd48-b0e6cdd1a359 |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Persistence |
|---|---|
| techniques: | T1131 Authentication Package |
Query¶
registry where hive.hklm and
registry_path == "*ControlSet*\\Control\\Lsa\\Authentication Packages*"