Security Support Provider (SSP) Added to LSA Configuration

Severity: high
Author: iwillkeepwatch
Source: upstream

Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1547.005` Boot or Logon Autostart Execution: Security Support Provider
Privilege Escalation	`T1547.005` Boot or Logon Autostart Execution: Security Support Provider

Event coverage

Provider	Event ID	Title
Sysmon	12	RegistryEvent (Object create and delete)
Sysmon	13	RegistryEvent (Value Set)
Sysmon	14	RegistryEvent (Key and Value Rename)

Stages and Predicates

Stage 1: `selection`

or:
TargetObject|endswith: '\Control\Lsa\OSConfig\Security Packages'
TargetObject|endswith: '\Control\Lsa\Security Packages'

Stage 2: `not 1 of filter_main_*`

or:
Image: 'C:\Windows\system32\msiexec.exe'
Image: 'C:\Windows\syswow64\MsiExec.exe'
Image: null

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	eq	`C:\Windows\system32\msiexec.exe` corpus 2 (sigma 2) `C:\Windows\syswow64\MsiExec.exe` corpus 2 (sigma 2)
`TargetObject`	ends_with	`\Control\Lsa\OSConfig\Security Packages` `\Control\Lsa\Security Packages`