Common Information
Type | Value |
---|---|
Value | Security Support Provider - T1547.005 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages` and `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages`. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called. (Citation: Graeber 2014) |
Details | Type | Published | Attributes | Title |
---|---|---|---|---|
Details | Website | 2024-08-13 | 1 | Microsoft Office flaw could leak NTLM hashes |
Details | Website | 2023-10-23 | 273 | Red Team Tools |
Details | Website | 2023-08-17 | 10 | #NoFilter - Abusing Windows Filtering Platform for Privilege Escalation \| Deep Instinct |
Details | Website | 2023-07-03 | 3 | POV : un pentester au SSTIC 2023 - Partie 2 |
Details | Website | 2023-05-13 | 0 | THE NTLM AND NTLMV2 AUTHENTICATION PROTOCOL |
Details | Website | 2023-05-10 | 26 | Rewterz Threat Advisory – Multiple Microsoft Windows Vulnerabilities |
Details | Website | 2023-05-09 | 48 | May’s Patch Tuesday haul touches a six-pack of product families |
Details | Website | 2023-05-09 | 51 | Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws |
Details | Website | 2023-05-08 | 51 | Zero Day Initiative — The May 2023 Security Update Review |
Details | Website | 2023-05-03 | 9 | ETWHash - "He who listens, shall receive" - LRQA Nettitude Labs |
Details | Website | 2023-04-03 | 26 | ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access \| Mandiant |
Details | Website | 2023-03-17 | 17 | SafeBreach Coverage for US-CERT Alert (AA23-075A) – #StopRansomware: LockBit 3.0 |
Details | Website | 2023-01-24 | 16 | Anomali Cyber Watch: Roaming Mantis Changes DNS on Wi-Fi Routers, Hook Android Banking Trojan Has Device Take-Over Capabilities, Ke3chang Targeted Iran with Updated Turian Backdoor |
Details | Website | 2023-01-18 | 35 | Chinese Playful Taurus Activity in Iran |
Details | Website | 2022-12-26 | 10 | Pass-the-Challenge: Defeating Windows Defender Credential Guard |
Details | Website | 2022-11-09 | 14 | Hack the Real Box: APT41’s New Subgroup Earth Longzhi |
Details | Website | 2022-11-01 | 8 | APT trends report Q3 2022 |
Details | Website | 2022-10-26 | 29 | Autodial(DLL)ing Your Way - MDSec |
Details | Website | 2022-10-17 | 853 | Vulnerability Summary for the Week of October 10, 2022 \| CISA |
Details | Website | 2022-10-12 | 73 | WIP19 Espionage \| New Chinese APT Targets IT Service Providers and Telcos With Signed Malware |
Details | Website | 2022-10-11 | 97 | Zero Day Initiative — The October 2022 Security Update Review |
Details | Website | 2022-10-07 | 5 | Ten most mysterious APT campaigns that remain unattributed |
Details | Website | 2022-03-08 | 94 | InfoSec Handlers Diary Blog - SANS Internet Storm Center |
Details | Website | 2022-01-17 | 4 | Capturing RDP NetNTLMv2 Hashes: Attack details and a Technical How-To Guide - GoSecure |
Details | Website | 2021-11-09 | 57 | InfoSec Handlers Diary Blog - SANS Internet Storm Center |