← Library
sigmaDRL-1.1from SigmaHQ/sigma

Security Support Provider (SSP) Added to LSA Configuration

Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.

Quality
84
FP risk
Forks
0
Views
0
ATT&CK techniques
T1547.005
Rule sourcerules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
title: Security Support Provider (SSP) Added to LSA Configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: test
description: |
    Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
references:
    - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
author: iwillkeepwatch
date: 2019-01-18
modified: 2026-03-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.005
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Control\Lsa\Security Packages'
            - '\Control\Lsa\OSConfig\Security Packages'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\system32\msiexec.exe'
            - 'C:\Windows\syswow64\MsiExec.exe'
    filter_main_image_null:
        Image: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high