Potential LSA Authentication Package Abuse
Adversaries can abuse the Local Security Authority (LSA) authentication packages by modifying the Windows registry to achieve privilege escalation or persistence by executing binaries with SYSTEM privileges.
Adversaries can exploit the Local Security Authority (LSA) authentication packages in Windows to escalate privileges or establish persistence. This involves modifying specific registry paths to include references to malicious binaries. When the authentication packages are loaded, these binaries are executed with SYSTEM privileges, effectively granting the attacker elevated access. The Elastic detection rule identifies unauthorized registry changes to LSA authentication packages by non-SYSTEM users, signaling potential malicious activity. This technique can be used for long-term persistence or immediate privilege escalation, allowing attackers to perform unauthorized actions on the compromised system. The rule leverages data from Elastic Defend and Microsoft Defender XDR to detect these unauthorized modifications.
Attack Chain
- An attacker gains initial access to a system through unspecified means.
- The attacker identifies the HKLM\SYSTEM\*\ControlSet*\Control\Lsa\Authentication Packages registry key as a target for persistence and privilege escalation.
- The attacker modifies the registry key to include a path to a malicious binary. This binary will be loaded as an authentication package.
- The operating system loads the LSA authentication packages during system startup or user logon.
- The malicious binary, now executed with SYSTEM privileges, performs actions dictated by the attacker.
- This could involve creating new user accounts with administrative privileges, installing backdoors, or disabling security controls.
- The attacker establishes persistence, ensuring that the malicious binary is executed every time the system starts or a user logs on.
Impact
Successful exploitation of LSA authentication packages allows an attacker to gain SYSTEM-level privileges on the compromised system. This can lead to complete system compromise, data theft, and the installation of persistent backdoors. The rule aims to detect unauthorized changes to these packages so that persistence and privilege escalation attempts are surfaced before the attacker can rely on them.
Recommendation
- Deploy the provided Sigma rules to your SIEM and tune for your environment to detect unauthorized changes to the LSA authentication packages.
- Investigate any alerts generated by the Sigma rules, focusing on registry changes made by non-SYSTEM users to the HKLM\SYSTEM\*\ControlSet*\Control\Lsa\Authentication Packages registry key.
- Enable registry auditing to capture changes to sensitive registry keys, including the LSA authentication packages path, to improve detection capabilities.
- Utilize Elastic Defend and Microsoft Defender XDR for endpoint detection and response, as these data sources are specifically supported by the detection rule.
Detection coverage (2 rules)
Detect LSA Authentication Package Registry Modification by Non-SYSTEM User
Severity: medium. Detects modifications to the LSA Authentication Packages registry key by users other than SYSTEM, indicating potential privilege escalation or persistence attempts.
Detect Image Load from LSA Authentication Packages Path
Severity: medium. Detects image loads from the LSA Authentication Packages path.
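The two detections above and the attack chain they cover can be exercised offline with a small detector. The following Python is an added example, not the platform's rule code and not Elastic's implementation: it flags a write to the Authentication Packages value by a non-SYSTEM actor, extracts any package name beyond the Windows default (msv1_0), and then flags lsass.exe loading a DLL whose base name matches one of those extra packages. The event field names (type, user, user_sid, process, target, data, image), the interpretation of the second rule as an lsass.exe image load of a newly registered package, and the sample events (including the package name demo_pkg) are all constructed assumptions of this example. The key regex follows the page's HKLM\SYSTEM\*\ControlSet*\Control\Lsa\Authentication Packages pattern and also accepts the CurrentControlSet alias.

```python
import re

# Key named on the page; [^\\]* before ControlSet also admits "CurrentControlSet",
# which is a link to one of the ControlSet00N keys (assumption of this example).
AUTH_PKG_KEY = re.compile(
    r"^HKLM\\SYSTEM\\[^\\]*ControlSet[^\\]*\\Control\\Lsa\\Authentication Packages$",
    re.IGNORECASE,
)
DEFAULT_PACKAGES = {"msv1_0"}          # package shipped with Windows; anything else needs review
SYSTEM_SIDS = {"S-1-5-18"}             # NT AUTHORITY\SYSTEM
SYSTEM_NAMES = {"nt authority\\system", "system"}


def normalize_key(path):
    """Unify hive spelling and slashes so one regex covers common log formats."""
    path = path.replace("/", "\\")
    return re.sub(r"^HKEY_LOCAL_MACHINE(?=\\)", "HKLM", path, flags=re.IGNORECASE)


def is_auth_packages_key(path):
    return AUTH_PKG_KEY.match(normalize_key(path)) is not None


def is_system_actor(user, sid=None):
    return sid in SYSTEM_SIDS or (user or "").lower() in SYSTEM_NAMES


def parse_multi_sz(data):
    """REG_MULTI_SZ shows up as a list or as a NUL/newline separated string;
    return lowercase package names without a .dll suffix."""
    parts = data if isinstance(data, (list, tuple)) else re.split(r"[\x00\r\n]+", data or "")
    names = []
    for p in parts:
        p = p.strip().lower()
        if p.endswith(".dll"):
            p = p[:-4]
        if p:
            names.append(p)
    return names


def unexpected_packages(data):
    """Entries in the value that are not the known default."""
    return [p for p in parse_multi_sz(data) if p not in DEFAULT_PACKAGES]


def detect_registry_modification(event):
    """Rule 1 analogue: Authentication Packages value written by a non-SYSTEM actor."""
    if event.get("type") != "registry_set" or not is_auth_packages_key(event.get("target", "")):
        return None
    if is_system_actor(event.get("user"), event.get("user_sid")):
        return None
    return {"rule": "lsa-authpkg-registry-mod", "user": event.get("user"),
            "process": event.get("process"),
            "unexpected_packages": unexpected_packages(event.get("data"))}


def detect_lsass_image_load(event, configured):
    """Rule 2 analogue (assumed logic): lsass.exe loads a DLL whose name is one of the
    non-default packages seen in the registry value."""
    if event.get("type") != "image_load" or (event.get("process") or "").lower() != "lsass.exe":
        return None
    name = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if name.endswith(".dll"):
        name = name[:-4]
    if name in configured and name not in DEFAULT_PACKAGES:
        return {"rule": "lsa-authpkg-image-load", "package": name, "image": event.get("image")}
    return None


def run(events):
    """Stream events in order; registry writes feed the package list used by rule 2."""
    alerts, configured = [], set()
    for ev in events:
        if ev.get("type") == "registry_set" and is_auth_packages_key(ev.get("target", "")):
            configured.update(unexpected_packages(ev.get("data")))
        for alert in (detect_registry_modification(ev), detect_lsass_image_load(ev, configured)):
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Benign: SYSTEM rewrites the default package during servicing.
    {"type": "registry_set", "user": "NT AUTHORITY\\SYSTEM", "user_sid": "S-1-5-18",
     "process": "services.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages",
     "data": ["msv1_0"]},
    # 2. Suspicious: an interactive user appends a second package via reg.exe.
    {"type": "registry_set", "user": "CORP\\jdoe", "user_sid": "S-1-5-21-1111-2222-3333-1001",
     "process": "reg.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages",
     "data": "msv1_0\x00demo_pkg"},
    # 3. Same user, different Lsa value: outside this rule's scope.
    {"type": "registry_set", "user": "CORP\\jdoe", "user_sid": "S-1-5-21-1111-2222-3333-1001",
     "process": "reg.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages",
     "data": ["kerberos"]},
    # 4. Benign: lsass loads the default package DLL.
    {"type": "image_load", "process": "lsass.exe", "image": r"C:\Windows\System32\msv1_0.dll"},
    # 5. Suspicious: lsass loads the newly registered package.
    {"type": "image_load", "process": "lsass.exe", "image": r"C:\Windows\System32\demo_pkg.dll"},
    # 6. Same DLL name in another process is not an authentication package load.
    {"type": "image_load", "process": "explorer.exe", "image": r"C:\Users\jdoe\demo_pkg.dll"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running the script yields two alerts: the registry write by CORP\jdoe with demo_pkg as the unexpected entry, then the lsass.exe load of demo_pkg.dll. Correlating the two in order is what turns a single registry alert into evidence that the package was actually loaded with SYSTEM privileges, which is the point at which the attack chain on this page completes.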
Detection queries are kept inside the platform.