Installation of Security Support Provider

Adversaries can establish persistence by modifying registry keys related to the Windows Security Support Provider (SSP) configuration.

id: 43cfcfb8-e52d-4c1a-a110-3aecc09e6206
categories: enrich
confidence: low
os: windows
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Persistence
techniques: T1101 Security Support Provider

Query

registry where
   wildcard(registry_path,
            "*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages*",
            "*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages*")

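Because the rule is low confidence and categorized as enrichment, a match is easier to triage when the reported package list is compared with a baseline. The following is an added example, not part of the original analytic: it applies the query's two wildcard patterns to constructed registry events and lists packages outside an assumed baseline. The `registry_data` field, the `BASELINE` set, the sample events and the `example_ssp` name are assumptions made for illustration.

```python
import re

# Patterns from the query above, with the EQL string escapes (\\) resolved.
PATTERNS = [
    r"*\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages*",
    r"*\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages*",
]

def _compile(pattern):
    # '*' matches any run of characters; matching is case-insensitive.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)

RULE = [_compile(p) for p in PATTERNS]

def matches_rule(registry_path):
    return any(rx.fullmatch(registry_path) for rx in RULE)

# Assumption: package names this environment expects; build yours from a known-good host.
BASELINE = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

def triage(events, baseline=BASELINE):
    """Return (registry_path, unexpected_packages) for each event the rule matches."""
    hits = []
    for ev in events:
        if matches_rule(ev["registry_path"]):
            # registry_data is a hypothetical field holding the REG_MULTI_SZ strings.
            extra = sorted(p for p in ev.get("registry_data", [])
                           if p and p.lower() not in baseline)
            hits.append((ev["registry_path"], extra))
    return hits

# Constructed sample events (not real telemetry).
LSA = "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\"
SAMPLE_EVENTS = [
    {"registry_path": LSA + "Security Packages",
     "registry_data": ["kerberos", "msv1_0", "example_ssp"]},
    {"registry_path": (LSA + "OSConfig\\Security Packages").lower(),
     "registry_data": ["kerberos", "msv1_0"]},
    {"registry_path": LSA + "Notification Packages", "registry_data": ["scecli"]},
    # Same value reported under ControlSet001: the patterns as written do not match it.
    {"registry_path": LSA.replace("CurrentControlSet", "ControlSet001") + "Security Packages",
     "registry_data": ["kerberos", "example_ssp"]},
]

if __name__ == "__main__":
    for path, extra in triage(SAMPLE_EVENTS):
        print(path, "->", extra or "matches baseline")
```

If the sensor reports registry paths under a numbered control set such as `ControlSet001`, confirm how those paths are normalized before relying on the patterns as written.
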
Contributors