Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Security Support Provider (SSP) Added to LSA Configuration

Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
iwillkeepwatchCreated Fri Jan 18Updated Mon Mar 30eeb30123-9fbd-4ee8-aaa0-2e545bbed6dcwindows
Log Source
WindowsRegistry Event
ProductWindows← raw: windows
CategoryRegistry Event← raw: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic
Detection Logic3 selectors
detection:
    selection:
        TargetObject|endswith:
            - '\Control\Lsa\Security Packages'
            - '\Control\Lsa\OSConfig\Security Packages'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\system32\msiexec.exe'
            - 'C:\Windows\syswow64\MsiExec.exe'
    filter_main_image_null:
        Image: null
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
powersploit.readthedocs.io
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
Status
test
Level
high
Type
Detection
Created
Fri Jan 18
Modified
Mon Mar 30
Author
iwillkeepwatch
Path
rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.005
View on GitHub