SigmaHQ/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml
2019-02-05 16:28:06 -05:00

29 lines
997 B
YAML

title: Security Support Provider (SSP) added to LSA configuration
status: experimental
description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
references:
- https://attack.mitre.org/techniques/T1101/
- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
tags:
- attack.persistence
- attack.t1011
author: iwillkeepwatch
date: 2019/01/18
logsource:
product: windows
service: sysmon
detection:
selection_registry:
EventID: 13
TargetObject:
- 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages'
- 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages'
exclusion_images:
- Image: C:\Windows\system32\msiexec.exe
- Image: C:\Windows\syswow64\MsiExec.exe
condition: selection_registry and not exclusion_images
falsepositives:
- Unlikely
level: critical