Attack Chain

1. An attacker gains initial access to a Windows system through an exploit or compromised credentials (not detailed in source).
2. The attacker escalates privileges to gain administrative rights on the system.
3. The attacker modifies the registry key HKLM\SYSTEM\*\ControlSet*\Control\Lsa\Security Packages to include a path to a malicious DLL.
4. Alternatively, the attacker modifies the registry key HKLM\SYSTEM\*\ControlSet*\Control\Lsa\OSConfig\Security Packages to include a path to a malicious DLL.
5. The attacker triggers a system reboot, or restarts the LSASS process, causing the malicious SSP DLL to be loaded.
6. The malicious DLL intercepts authentication credentials and exfiltrates them or performs other malicious actions.
7. The attacker maintains persistent access to the system, even after reboots.

Impact

Successful exploitation allows attackers to achieve persistence and potentially compromise sensitive credentials handled by LSASS. This can lead to lateral movement within the network, data exfiltration, and further system compromise. The impact is significant as it bypasses standard security measures and provides a persistent foothold for malicious activities.

Recommendation

• Deploy the Sigma rule “Suspicious SSP Registry Modification” to your SIEM to detect unauthorized modifications to SSP registry keys.
• Enable Sysmon registry event logging to provide the necessary data for the Sigma rule to function.
• Continuously monitor for unexpected processes writing to the HKLM\SYSTEM\*\ControlSet*\Control\Lsa\Security Packages and HKLM\SYSTEM\*\ControlSet*\Control\Lsa\OSConfig\Security Packages registry keys.
• Review and whitelist legitimate software installers that frequently modify these registry entries to reduce false positives as mentioned in the brief.
• Ensure access controls and permissions are strictly enforced to limit unauthorized modification of critical registry paths related to Security Support Providers.