Security Support Provider (T1547.005)

Information

• Name: Security Support Provider

• ID: T1547.005

• Tactics: ,

• Technique:

Introduction

Security Support Provider (SSP) manipulation, identified as sub-technique T1547.005 within the MITRE ATT&CK framework, involves adversaries modifying or adding malicious Security Support Providers to achieve persistence or escalate privileges on Windows systems. Security Support Providers are dynamic-link libraries (DLLs) that extend authentication capabilities and are loaded by the Local Security Authority (LSA) process (lsass.exe) during system startup. By exploiting this mechanism, attackers can ensure their malicious code runs at system startup, often with elevated privileges and persistence.

Deep Dive Into Technique

Security Support Providers (SSPs) are components that Windows uses to facilitate authentication processes. They are registered in the Windows Registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

or

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages

Attackers typically exploit this technique by either:

• Adding a malicious DLL to the existing list of SSPs in the registry.

• Replacing or modifying an existing legitimate SSP DLL with a malicious version.

Technical execution methods and mechanisms include:

• DLL Injection via SSP: Attackers create a malicious DLL that exports the required SSP interface functions (e.g., SpLsaModeInitialize, SpUserModeInitialize). When the Local Security Authority Subsystem Service (lsass.exe) starts, it loads all registered SSP DLLs, including the malicious one, thus executing attacker-controlled code.

• Registry Modification: Attackers modify registry keys to reference their malicious DLLs. For instance, they add the malicious DLL's name to the Security Packages registry value, causing the system to load it during startup.

• Privilege Escalation and Persistence: Because the SSP DLLs are loaded by the privileged LSASS process, attackers gain SYSTEM-level privileges. This makes SSP manipulation a powerful technique for persistence, privilege escalation, and credential theft.

Real-world procedures typically involve:

• Crafting custom malicious SSP DLLs designed to steal credentials or maintain persistence.

• Using tools or scripts to modify registry entries remotely or locally.

• Utilizing compromised administrative credentials to modify the registry and deploy malicious DLLs.

When this Technique is Usually Used

Attackers commonly utilize SSP manipulation in various stages and scenarios, including:

• Persistence Stage: After initial compromise, attackers use SSP manipulation to ensure long-term persistence, surviving system reboots and security audits.

• Privilege Escalation Stage: Leveraging the high-level privileges of the LSASS process, attackers escalate privileges from standard user accounts to SYSTEM-level access.

• Credential Theft Stage: Malicious SSP DLLs can intercept authentication data, usernames, passwords, hashes, or tokens, facilitating lateral movement and further compromise.

Attack scenarios commonly associated with SSP manipulation:

• Advanced Persistent Threat (APT) operations targeting critical infrastructure, government entities, or large enterprises.

• Cyber espionage campaigns seeking stealthy, long-term access to sensitive credentials.

• Ransomware operations that require persistent access to maintain control and continue lateral movement.

How this Technique is Usually Detected

Detection of SSP manipulation involves multiple strategies and tools, including:

• Registry Monitoring:

  • Monitor changes to the registry keys related to SSPs:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages

  • Tools like Sysmon, Windows Event Logs, or Endpoint Detection and Response (EDR) solutions can alert on suspicious registry modifications.

• DLL Monitoring and Integrity Checks:

  • Monitor the loading of new or unusual DLLs into the LSASS process (lsass.exe).

  • Utilize process monitoring tools (Process Monitor, Sysinternals Suite) and endpoint protection platforms to detect unauthorized DLL injections.

• Behavioral Analysis & Endpoint Detection and Response (EDR):

  • EDR tools such as Microsoft Defender for Endpoint, CrowdStrike Falcon, Carbon Black, and SentinelOne can detect suspicious behavior associated with LSASS process manipulation.

  • Behavioral analytics can identify anomalies in authentication processes or unusual DLL loads.

• Indicators of Compromise (IoCs):

  • Unrecognized or unsigned DLL files appearing in system directories (C:\Windows\System32) or unusual locations.

  • Suspicious registry modifications or unexpected additions to the SSP registry paths.

  • Unusual LSASS behavior, crashes, or memory anomalies.

Why it is Important to Detect This Technique

Detecting SSP manipulation is critical due to the severe potential impacts on systems and networks, including:

• High-Level Privilege Escalation: SSP manipulation grants attackers SYSTEM-level privileges, allowing full control over the compromised host.

• Persistent Threat Presence: Attackers achieve persistent access, surviving reboots, patching, and typical remediation efforts.

• Credential Theft and Lateral Movement: Malicious SSP DLLs intercept authentication data, enabling attackers to move laterally within the network, compromising additional systems and accounts.

• Stealth and Difficulty of Detection: Since SSP DLLs load within the highly privileged LSASS process, malicious activities may remain hidden from standard monitoring tools, making early detection crucial.

• Potential for Extended Damage: Undetected SSP manipulation can lead to prolonged attacker presence, data exfiltration, ransomware deployment, and further compromise of critical infrastructure or sensitive data.

Early detection and rapid response to SSP manipulation incidents can significantly reduce potential damage, limit attacker access, and prevent further compromise.

Examples

Real-world examples and documented attack scenarios involving SSP manipulation include:

• APT29 (Cozy Bear) Operations:

  • APT29 has been documented using malicious SSP DLLs to maintain persistence and harvest credentials within targeted networks.

  • Attackers deployed custom SSP DLLs, modifying registry keys to load their malicious libraries, enabling long-term espionage activities.

• Mimikatz SSP Module:

  • The widely-known credential harvesting tool Mimikatz includes an SSP module (mimilib.dll) that attackers can install as a malicious SSP.

  • Once installed, this module intercepts credentials from memory, facilitating lateral movement and privilege escalation.

• FIN7 Cybercrime Group:

  • FIN7 has leveraged SSP manipulation for credential theft and persistence in targeted financial institutions and retail environments.

  • Attackers modified SSP registry keys and deployed malicious DLLs to intercept authentication data, enabling extensive lateral movement and data exfiltration.

• TrickBot Malware Campaigns:

  • TrickBot operators have utilized SSP manipulation as part of their infection chain, deploying malicious DLLs to persistently steal credentials and enable further attacks such as ransomware deployment (e.g., Ryuk, Conti ransomware).

In these scenarios, attackers typically used:

• Custom-developed malicious DLLs designed specifically for credential exfiltration.

• Registry modification tools, scripts, or manual registry edits to load malicious SSP DLLs.

• Credential harvesting tools (e.g., Mimikatz) to intercept and exfiltrate authentication data.

The impacts of these attacks include:

• Long-term persistence and stealthy presence within compromised networks.

• Massive credential theft leading to lateral movement and further system compromise.

• Significant financial and reputational damage resulting from data breaches, ransomware deployment, and espionage activities.