EXPLORE
Sign In
← Back to Explore
T1547.005

Security Support Provider

Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <co...

Windows
6
Detections
3
Sources
0
Threat Actors

BY SOURCE

4elastic1sigma1splunk_escu

PROCEDURES (6)

Persist1 detections

Auto-extracted: 1 detections for persist

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Credential1 detections

Auto-extracted: 1 detections for credential

DETECTIONS (6)

Installation of Security Support Provider
elasticmedium
Mimikatz Memssp Log File Detected
elastichigh
Potential PowerShell HackTool Script by Function Names
elasticmedium
Security Support Provider (SSP) Added to LSA Configuration
sigmahigh
Suspicious Module Loaded by LSASS
elasticmedium
Windows Security Support Provider Reg Query
splunk_escu