Detection rules › Splunk
LSA Authentication Packages Registry Key Modified (PowerShell)
Adversaries can use the autostart mechanism provided by Local Security Authority (LSA) authentication packages for persistence or privilege escalation by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The binary will then be executed by the system when the authentication packages are loaded. This use case detects modifications to registry values involving LSA authentication package configurations
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1547.002 Boot or Logon Autostart Execution: Authentication Package |
| Privilege Escalation | T1547.002 Boot or Logon Autostart Execution: Authentication Package |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '19656.34274'
title: LSA Authentication Packages Registry Key Modified
description: 'Adversaries can use the autostart mechanism provided by Local Security
Authority (LSA) authentication packages for persistence or privilege escalation
by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\.
The binary will then be executed by the system when the authentication packages
are loaded. This use case detects modifications to registry values involving LSA
authentication package configurations. -- Software Association: Cactus -- Atomics
T1547.002 Test #1'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR
"<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") ((TERM(Set-ItemProperty)
OR TERM(sp) OR (TERM(reg) TERM(add)))) ("HKLM" OR "HKEY_LOCAL_MACHINE") ("lsa" "Authenticaton
Packages") | table _time, host, user, parent_process*, process, process_*, signature_id,
user_id | bin span=1s | stats values(*) as * by _time, host '
techniques:
- privilege-escalation:boot or logon autostart execution:authentication package
- persistence:boot or logon autostart execution:authentication package
technique_id:
- T1547.002
data_category:
- PowerShell logs
references:
- https://www.crysys.hu/publications/files/skywiper.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md#atomic-test-1---authentication-package
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR "<EventID>4103<" OR TERM(EventCode=4104) OR "<EventID>4104<") ((TERM(Set-ItemProperty) OR TERM(sp) OR (TERM(reg) TERM(add)))) ("HKLM" OR "HKEY_LOCAL_MACHINE") ("lsa" "Authenticaton Packages")
Stage 2: table
| table _time, host, user, parent_process*, process, process_*, signature_id, user_id
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4103<" |
| 1 | TERM |
| 1 | "<EventID>4104<" |
| 1 | "Set-ItemProperty" |
| 1 | TERM |
| 1 | sp |
| 1 | TERM |
| 1 | reg |
| 1 | TERM |
| 1 | add |
| 1 | "HKLM" |
| 1 | "HKEY_LOCAL_MACHINE" |
| 1 | "lsa" |
| 1 | "Authenticaton Packages" |