1. Home
  2. Techniques
  3. Enterprise
  4. Boot or Logon Autostart Execution
  5. Security Support Provider

Boot or Logon Autostart Execution: Security Support Provider

ID Name
T1547.001 Registry Run Keys / Startup Folder
T1547.002 Authentication Package
T1547.003 Time Providers
T1547.004 Winlogon Helper DLL
T1547.005 Security Support Provider
T1547.006 Kernel Modules and Extensions
T1547.007 Re-opened Applications
T1547.008 LSASS Driver
T1547.009 Shortcut Modification
T1547.010 Port Monitors
T1547.012 Print Processors
T1547.013 XDG Autostart Entries
T1547.014 Active Setup
T1547.015 Login Items

Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.

The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.[1]

ID: T1547.005
Sub-technique of:  T1547
Platforms: Windows
Version: 1.1
Created: 24 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0363 Empire

Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit's Install-SSP and Invoke-Mimikatz to install malicious SSPs and log authentication events.[2]
S0002 Mimikatz

The Mimikatz credential dumper contains an implementation of an SSP.[3]
S0194 PowerSploit

PowerSploit's Install-SSP Persistence module can be used to establish by installing a SSP DLL.[4][5]

Mitigations

ID Mitigation Description
M1025 Privileged Process Integrity

Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all SSP DLLs to be signed by Microsoft. [1] [6]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0542 Registry and LSASS Monitoring for Security Support Provider Abuse AN1495

Monitor registry modifications to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages or ...\OSConfig\Security Packages, especially insertions of new DLL entries. Correlate this with subsequent DLL module loads into lsass.exe. Track unsigned or anomalous DLLs loading into LSASS using image load auditing. LSASS loads unsigned DLL due to AuditLevel=8 registry configuration or System reboot followed by DLL load into lsass.exe

References

  1. Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
  2. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  3. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  1. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  2. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  3. Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.