{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ssp/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike FDR","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","registry-modification","ssp"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can abuse the Windows Security Support Provider (SSP) mechanism to establish persistence on a compromised system. SSPs are DLLs loaded into the Local Security Authority Subsystem Service (LSASS) process, which handles authentication in Windows. By modifying specific registry keys related to SSP configuration, attackers can force LSASS to load malicious DLLs at startup, effectively creating a persistent backdoor. This technique is often used to maintain unauthorized access to a system even after a reboot. The registry keys of interest are \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e and \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e. Successful exploitation allows the attacker to intercept and manipulate authentication credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through an exploit or compromised credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative rights on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e to include a path to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e to include a path to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a system reboot, or restarts the LSASS process, causing the malicious SSP DLL to be loaded.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL intercepts authentication credentials and exfiltrates them or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the system, even after reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence and potentially compromise sensitive credentials handled by LSASS. This can lead to lateral movement within the network, data exfiltration, and further system compromise. The impact is significant as it bypasses standard security measures and provides a persistent foothold for malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious SSP Registry Modification\u0026rdquo; to your SIEM to detect unauthorized modifications to SSP registry keys.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eContinuously monitor for unexpected processes writing to the \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\Security Packages\u003c/code\u003e and \u003ccode\u003eHKLM\\SYSTEM\\*\\ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages\u003c/code\u003e registry keys.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installers that frequently modify these registry entries to reduce false positives as mentioned in the brief.\u003c/li\u003e\n\u003cli\u003eEnsure access controls and permissions are strictly enforced to limit unauthorized modification of critical registry paths related to Security Support Providers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-ssp-registry-modification/","summary":"Adversaries may modify the Windows Security Support Provider (SSP) configuration in the registry to establish persistence or evade defenses.","title":"Suspicious Modifications to Windows Security Support Provider (SSP) Registry","url":"https://feed.craftedsignal.io/briefs/2024-01-ssp-registry-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Ssp","version":"https://jsonfeed.org/version/1.1"}