Authentication Package

Information

• Name: Authentication Package

• ID: T1547.002

• Tactics: ,

• Technique:

Introduction

Authentication Package (T1547.002) is a sub-technique categorized under the "Boot or Logon Autostart Execution" technique within the MITRE ATT&CK framework. Attackers leverage this sub-technique by modifying or adding authentication packages to execute malicious code whenever a user logs onto a Windows system. Authentication packages are DLL files loaded by the Local Security Authority (LSA) process (lsass.exe) during user authentication, allowing adversaries to achieve persistence and privilege escalation through the injection of malicious DLLs.

Deep Dive Into Technique

Authentication packages are DLL files registered in Windows under the following registry key:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

Technical details include:

• Attackers typically insert malicious DLL names into the above registry key, causing the DLL to load automatically during user authentication.

• Upon user logon, the Local Security Authority (LSA) process (lsass.exe) loads and executes all DLLs listed under the Authentication Packages registry key.

• Malicious authentication packages can intercept, monitor, or manipulate authentication credentials, potentially enabling credential theft, privilege escalation, or persistent backdoor access.

• The DLL must export specific functions (e.g., LsaApLogonUserEx, LsaApLogonUser, SpInitialize) to be considered a valid authentication package by the LSA.

• Adversaries may disguise the malicious DLL with legitimate-sounding names to evade detection.

• Elevated privileges (Administrator or SYSTEM) are typically required to modify the registry key and place the malicious DLL into the system directory (commonly %SYSTEMROOT%\System32\).

When this Technique is Usually Used

Attackers commonly employ Authentication Package (T1547.002) in the following scenarios and attack stages:

• Persistence: Establishing long-term, stealthy persistence by ensuring malicious code execution at every user logon.

• Privilege Escalation: Manipulating authentication processes to escalate privileges or maintain elevated access.

• Credential Theft: Capturing user credentials during authentication processes, enabling lateral movement and further exploitation.

• Advanced Persistent Threat (APT) Campaigns: Sophisticated adversaries frequently use this technique as part of targeted, stealthy, and persistent intrusion campaigns.

• Post-Exploitation Phase: Typically implemented after initial system compromise to maintain covert, long-term access.

How this Technique is Usually Detected

Detection of malicious authentication packages can be achieved through various methods, tools, and indicators of compromise:

• Registry Monitoring:

  • Monitor changes to the registry key:

    Copy

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

  • Use tools such as Sysmon, Windows Event Logs, or Endpoint Detection and Response (EDR) solutions to detect unauthorized modifications.

• File Integrity Monitoring (FIM):

  • Monitor DLL files placed in sensitive directories like %SYSTEMROOT%\System32\.

  • Identify newly created or modified DLL files, especially those loaded by lsass.exe.

• Process Monitoring:

  • Observe DLLs loaded into lsass.exe using tools such as Process Monitor, Process Hacker, or Sysinternals Suite.

  • Investigate suspicious or unknown DLLs loaded into the LSA process.

• Event Log Analysis:

  • Review Windows Security event logs for unusual authentication events or failed logon attempts.

  • Monitor Windows Application and System logs for errors or unusual behavior related to authentication processes.

• Endpoint Detection and Response (EDR) and SIEM Solutions:

  • Leverage advanced threat detection rules and behavioral analytics to identify anomalies associated with authentication package injection.

  • Implement alerts for registry changes and suspicious DLL loading.

Indicators of Compromise (IoCs):

• Unfamiliar DLL files in %SYSTEMROOT%\System32\ or other system directories.

• Unexpected modifications to registry keys related to authentication packages.

• Suspicious DLLs loaded by the lsass.exe process.

• Unusual logon events or authentication failures coinciding with DLL loading.

Why it is Important to Detect This Technique

Detecting Authentication Package (T1547.002) is critical due to its severe impacts on systems and networks, including:

• Persistent Access: Attackers establish long-term, stealthy persistence, making remediation challenging and enabling prolonged data exfiltration or espionage.

• Credential Theft and Privilege Escalation: Malicious authentication packages can intercept credentials, granting attackers elevated privileges and facilitating lateral movement across networks.

• Stealth and Evasion: This technique is highly covert, often bypassing traditional antivirus and endpoint protection solutions, making early detection crucial.

• Increased Risk of Data Breach: Persistent and privileged access significantly increases the risk of sensitive data exfiltration, intellectual property theft, and regulatory compliance violations.

• System Stability and Integrity: Malicious modifications to authentication processes can negatively impact system stability, reliability, and integrity, causing operational disruptions and downtime.

Early detection is essential to:

• Minimize the attacker’s dwell time and mitigate potential damage.

• Quickly contain and remediate incidents before widespread compromise occurs.

• Maintain organizational security posture, regulatory compliance, and trustworthiness.

Examples

Real-world examples of Authentication Package (T1547.002) usage include:

• APT41 (Winnti Group):

  • Attack Scenario: APT41 leveraged malicious authentication packages to maintain persistent and covert access within targeted organizations.

  • Tools Used: Custom-built DLL files injected into the authentication process, allowing credential harvesting and persistent access.

  • Impact: Long-term espionage, credential theft, lateral movement, and significant data exfiltration.

• FIN7 Threat Group:

  • Attack Scenario: FIN7 employed modified authentication packages to intercept user credentials and maintain persistent access within financial institutions.

  • Tools Used: Custom DLLs crafted to interface with the LSA process, capturing credentials during authentication.

  • Impact: Massive financial fraud, theft of payment card information, and extensive financial losses for targeted organizations.

• Carbanak Cybercrime Group:

  • Attack Scenario: Carbanak attackers utilized malicious authentication packages to persistently steal credentials from banking and financial institutions.

  • Tools Used: Malicious authentication DLLs loaded into lsass.exe, enabling stealthy credential interception and lateral movement.

  • Impact: Theft of millions of dollars from financial institutions worldwide, significant reputational and financial damage.

• Red Team and Penetration Testing Engagements:

  • Attack Scenario: Security professionals and ethical hackers commonly demonstrate this technique during penetration testing to highlight vulnerabilities in authentication processes.

  • Tools Used: Open-source or custom-developed DLLs designed to demonstrate persistence and credential interception.

  • Impact: Identification of security gaps, validation of security controls, and recommendations for improved detection and prevention.

These examples highlight the severe implications of Authentication Package (T1547.002), underscoring the importance of robust detection, monitoring, and prevention strategies.