Installation of Security Support Provider¶
Adversaries can establish persistence by modifying registry keys related to the Windows Security Support Provider (SSP) configuration
id: | 43cfcfb8-e52d-4c1a-a110-3aecc09e6206 |
---|---|
categories: | enrich |
confidence: | low |
os: | windows |
created: | 7/26/2019 |
updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
tactics: | Persistence |
---|---|
techniques: | T1101 Security Support Provider |
Query¶
registry where
wildcard(registry_path,
"*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages*",
"*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages*")