TECHNIQUES

Active Scanning

Scanning IP Blocks

Vulnerability Scanning

Gather Victim Host Information

Client Configurations

Gather Victim Identity Information

Email Addresses

Gather Victim Network Information

Domain Properties

Network Trust Dependencies

Network Topology

Network Security Appliances

Gather Victim Org Information

Business Relationships

Determine Physical Locations

Identify Business Tempo

Phishing for Information

Spearphishing Service

Spearphishing Attachment

Spearphishing Link

Search Closed Sources

Threat Intel Vendors

Purchase Technical Data

Search Open Technical Databases

DNS/Passive DNS

Digital Certificates

Search Open Websites/Domains

Search Victim-Owned Websites

Resource Development

Acquire Infrastructure

Virtual Private Server

Compromise Accounts

Social Media Accounts

Compromise Infrastructure

Virtual Private Server

Develop Capabilities

Code Signing Certificates

Digital Certificates

Establish Accounts

Social Media Accounts

Obtain Capabilities

Code Signing Certificates

Digital Certificates

Vulnerabilities

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Replication Through Removable Media

Supply Chain Compromise

Compromise Software Dependencies and Development Tools

Compromise Software Supply Chain

Compromise Hardware Supply Chain

Trusted Relationship

Default Accounts

Domain Accounts

Command and Scripting Interpreter

Windows Command Shell

JavaScript/JScript

Network Device CLI

Exploitation for Client Execution

Inter-Process Communication

Component Object Model

Dynamic Data Exchange

Scheduled Task/Job

Software Deployment Tools

System Services

Service Execution

Windows Management Instrumentation

Account Manipulation

Exchange Email Delegate Permissions

Add Office 365 Global Administrator Role

SSH Authorized Keys

Additional Cloud Credentials

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Authentication Package

Winlogon Helper DLL

Security Support Provider

Kernel Modules and Extensions

Re-opened Applications

Shortcut Modification

Plist Modification

Print Processors

Boot or Logon Initialization Scripts

Logon Script (Windows)

Logon Script (Mac)

Network Logon Script

Browser Extensions

Compromise Client Software Binary

Create or Modify System Process

Systemd Service

Windows Service

Event Triggered Execution

Change Default File Association

Windows Management Instrumentation Event Subscription

.bash_profile and .bashrc

LC_LOAD_DYLIB Addition

Netsh Helper DLL

Accessibility Features

Application Shimming

Image File Execution Options Injection

PowerShell Profile

Component Object Model Hijacking

External Remote Services

Hijack Execution Flow

Services File Permissions Weakness

Executable Installer File Permissions Weakness

Services Registry Permissions Weakness

Path Interception by Unquoted Path

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Implant Container Image

Office Application Startup

Office Template Macros

Outlook Home Page

System Firmware

Component Firmware

Scheduled Task/Job

Server Software Component

SQL Stored Procedures

Transport Agent

Traffic Signaling

Default Accounts

Domain Accounts

Privilege Escalation

Abuse Elevation Control Mechanism

Setuid and Setgid

Bypass User Account Control

Sudo and Sudo Caching

Elevated Execution with Prompt

Access Token Manipulation

Token Impersonation/Theft

Create Process with Token

Make and Impersonate Token

Parent PID Spoofing

SID-History Injection

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Authentication Package

Winlogon Helper DLL

Security Support Provider

Kernel Modules and Extensions

Re-opened Applications

Shortcut Modification

Plist Modification

Print Processors

Boot or Logon Initialization Scripts

Logon Script (Windows)

Logon Script (Mac)

Network Logon Script

Create or Modify System Process

Systemd Service

Windows Service

Domain Policy Modification

Group Policy Modification

Domain Trust Modification

Event Triggered Execution

Change Default File Association

Windows Management Instrumentation Event Subscription

.bash_profile and .bashrc

LC_LOAD_DYLIB Addition

Netsh Helper DLL

Accessibility Features

Application Shimming

Image File Execution Options Injection

PowerShell Profile

Component Object Model Hijacking

Exploitation for Privilege Escalation

Hijack Execution Flow

Services File Permissions Weakness

Executable Installer File Permissions Weakness

Services Registry Permissions Weakness

Path Interception by Unquoted Path

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Process Injection

Dynamic-link Library Injection

Portable Executable Injection

Thread Execution Hijacking

Asynchronous Procedure Call

Thread Local Storage

Ptrace System Calls

Extra Window Memory Injection

Process Doppelgänging

Process Hollowing

Scheduled Task/Job

Default Accounts

Domain Accounts

Defense Evasion

Abuse Elevation Control Mechanism

Setuid and Setgid

Bypass User Account Control

Sudo and Sudo Caching

Elevated Execution with Prompt

Access Token Manipulation

Token Impersonation/Theft

Create Process with Token

Make and Impersonate Token

Parent PID Spoofing

SID-History Injection

Deobfuscate/Decode Files or Information

Direct Volume Access

Domain Policy Modification

Group Policy Modification

Domain Trust Modification

Execution Guardrails

Environmental Keying

Exploitation for Defense Evasion

File and Directory Permissions Modification

Windows File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Hidden Files and Directories

NTFS File Attributes

Hidden File System

Run Virtual Instance

Hijack Execution Flow

Services File Permissions Weakness

Executable Installer File Permissions Weakness

Services Registry Permissions Weakness

Path Interception by Unquoted Path

Path Interception by PATH Environment Variable

Path Interception by Search Order Hijacking

DLL Search Order Hijacking

DLL Side-Loading

Dylib Hijacking

Impair Defenses

Disable or Modify Tools

Disable Windows Event Logging

Impair Command History Logging

Disable or Modify System Firewall

Indicator Blocking

Disable or Modify Cloud Firewall

Disable Cloud Logs

Indicator Removal on Host

Clear Windows Event Logs

Clear Linux or Mac System Logs

Clear Command History

Network Share Connection Removal

Indirect Command Execution

Invalid Code Signature

Right-to-Left Override

Rename System Utilities

Masquerade Task or Service

Match Legitimate Name or Location

Space after Filename

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Network Device Authentication

Modify Cloud Compute Infrastructure

Create Snapshot

Create Cloud Instance

Delete Cloud Instance

Revert Cloud Instance

Modify Registry

Modify System Image

Patch System Image

Downgrade System Image

Network Boundary Bridging

Network Address Translation Traversal

Obfuscated Files or Information

Software Packing

Compile After Delivery

Indicator Removal from Tools

System Firmware

Component Firmware

Process Injection

Dynamic-link Library Injection

Portable Executable Injection

Thread Execution Hijacking

Asynchronous Procedure Call

Thread Local Storage

Ptrace System Calls

Extra Window Memory Injection

Process Doppelgänging

Process Hollowing

Rogue Domain Controller

Signed Binary Proxy Execution

Compiled HTML File

Signed Script Proxy Execution

Subvert Trust Controls

Gatekeeper Bypass

SIP and Trust Provider Hijacking

Install Root Certificate

Template Injection

Traffic Signaling

Trusted Developer Utilities Proxy Execution

Unused/Unsupported Cloud Regions

Use Alternate Authentication Material

Pass the Ticket

Application Access Token

Web Session Cookie

Default Accounts

Domain Accounts

Virtualization/Sandbox Evasion

User Activity Based Checks

Time Based Evasion

Weaken Encryption

Reduce Key Space

Disable Crypto Hardware

XSL Script Processing

Credential Access

Password Guessing

Password Cracking

Password Spraying

Credential Stuffing

Credentials from Password Stores

Securityd Memory

Credentials from Web Browsers

Exploitation for Credential Access

Forced Authentication

Forge Web Credentials

GUI Input Capture

Web Portal Capture

Credential API Hooking

Man-in-the-Middle

LLMNR/NBT-NS Poisoning and SMB Relay

ARP Cache Poisoning

Modify Authentication Process

Domain Controller Authentication

Password Filter DLL

Pluggable Authentication Modules

Network Device Authentication

Network Sniffing

OS Credential Dumping

Security Account Manager

Proc Filesystem

/etc/passwd and /etc/shadow

Cached Domain Credentials

Steal Application Access Token

Steal or Forge Kerberos Tickets

AS-REP Roasting

Steal Web Session Cookie

Two-Factor Authentication Interception

Unsecured Credentials

Credentials In Files

Credentials in Registry

Cloud Instance Metadata API

Group Policy Preferences

Account Discovery

Application Window Discovery

Browser Bookmark Discovery

Cloud Infrastructure Discovery

Cloud Service Dashboard

Cloud Service Discovery

Domain Trust Discovery

File and Directory Discovery

Network Service Scanning

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery

Process Discovery

Remote System Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion

User Activity Based Checks

Time Based Evasion

Lateral Movement

Exploitation of Remote Services

Internal Spearphishing

Lateral Tool Transfer

Remote Service Session Hijacking

Remote Services

Remote Desktop Protocol

SMB/Windows Admin Shares

Distributed Component Object Model

Windows Remote Management

Replication Through Removable Media

Software Deployment Tools

Taint Shared Content

Use Alternate Authentication Material

Pass the Ticket

Application Access Token

Web Session Cookie

Archive Collected Data

Archive via Utility

Archive via Library

Archive via Custom Method

Automated Collection

Data from Cloud Storage Object

Data from Configuration Repository

SNMP (MIB Dump)

Network Device Configuration Dump

Data from Information Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Local Data Staging

Remote Data Staging

Email Collection

Local Email Collection

Remote Email Collection

Email Forwarding Rule

GUI Input Capture

Web Portal Capture

Credential API Hooking

Man in the Browser

Man-in-the-Middle

LLMNR/NBT-NS Poisoning and SMB Relay

ARP Cache Poisoning

Command and Control

Application Layer Protocol

File Transfer Protocols

Communication Through Removable Media

Standard Encoding

Non-Standard Encoding

Data Obfuscation

Protocol Impersonation

Dynamic Resolution

Domain Generation Algorithms

DNS Calculation

Encrypted Channel

Symmetric Cryptography

Asymmetric Cryptography

Fallback Channels

Ingress Tool Transfer

Multi-Stage Channels

Non-Application Layer Protocol

Non-Standard Port

Protocol Tunneling

Multi-hop Proxy

Domain Fronting

Remote Access Software

Traffic Signaling

Dead Drop Resolver

Bidirectional Communication

One-Way Communication

Automated Exfiltration

Traffic Duplication

Data Transfer Size Limits

Exfiltration Over Alternative Protocol

Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Other Network Medium

Exfiltration Over Bluetooth

Exfiltration Over Physical Medium

Exfiltration over USB

Exfiltration Over Web Service

Exfiltration to Code Repository

Exfiltration to Cloud Storage

Scheduled Transfer

Transfer Data to Cloud Account

Account Access Removal

Data Destruction

Data Encrypted for Impact

Data Manipulation

Stored Data Manipulation

Transmitted Data Manipulation

Runtime Data Manipulation

Internal Defacement

External Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

OS Exhaustion Flood

Service Exhaustion Flood

Application Exhaustion Flood

Application or System Exploitation

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Direct Network Flood

Reflection Amplification

Resource Hijacking

System Shutdown/Reboot

Deliver Malicious App via Authorized App Store

Deliver Malicious App via Other Means

Drive-by Compromise

Exploit via Charging Station or PC

Exploit via Radio Interfaces

Install Insecure or Malicious Configuration

Lockscreen Bypass

Masquerade as Legitimate Application

Supply Chain Compromise

Broadcast Receivers

Abuse Device Administrator Access to Prevent Removal

Broadcast Receivers

Compromise Application Executable

Foreground Persistence

Modify Cached Executable Code

Modify OS Kernel or Boot Partition

Modify System Partition

Modify Trusted Execution Environment

Privilege Escalation

Exploit OS Vulnerability

Exploit TEE Vulnerability

Defense Evasion

Application Discovery

Delete Device Data

Disguise Root/Jailbreak Indicators

Download New Code at Runtime

Evade Analysis Environment

Input Injection

Install Insecure or Malicious Configuration

Masquerade as Legitimate Application

Modify OS Kernel or Boot Partition

Modify System Partition

Modify Trusted Execution Environment

Obfuscated Files or Information

Suppress Application Icon

Uninstall Malicious Application

Credential Access

Access Notifications

Access Sensitive Data in Device Logs

Access Stored Application Data

Capture Clipboard Data

Capture SMS Messages

Exploit TEE Vulnerability

Network Traffic Capture or Redirection

Application Discovery

Evade Analysis Environment

File and Directory Discovery

Location Tracking

Network Service Scanning

Process Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

Lateral Movement

Attack PC via USB Connection

Exploit Enterprise Resources

Access Calendar Entries

Access Call Log

Access Contact List

Access Notifications

Access Sensitive Data in Device Logs

Access Stored Application Data

Capture Clipboard Data

Capture SMS Messages

Data from Local System

Foreground Persistence

Location Tracking

Network Information Discovery

Network Traffic Capture or Redirection

Command and Control

Alternate Network Mediums

Commonly Used Port

Domain Generation Algorithms

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Uncommonly Used Port

Alternate Network Mediums

Commonly Used Port

Standard Application Layer Protocol

Carrier Billing Fraud

Clipboard Modification

Data Encrypted for Impact

Delete Device Data

Generate Fraudulent Advertising Revenue

Input Injection

Manipulate App Store Rankings or Ratings

Modify System Partition

Network Effects

Downgrade to Insecure Protocols

Eavesdrop on Insecure Network Communication

Exploit SS7 to Redirect Phone Calls/SMS

Exploit SS7 to Track Device Location

Jamming or Denial of Service

Manipulate Device Communication

Rogue Cellular Base Station

Rogue Wi-Fi Access Points

Remote Service Effects

Obtain Device Cloud Backups

Remotely Track Device Without Authorization

Remotely Wipe Data Without Authorization

Boot or Logon Autostart Execution: Security Support Provider

Other sub-techniques of Boot or Logon Autostart Execution (12)

ID	Name
T1547.001	Registry Run Keys / Startup Folder
T1547.002	Authentication Package
T1547.003	Time Providers
T1547.004	Winlogon Helper DLL
T1547.005	Security Support Provider
T1547.006	Kernel Modules and Extensions
T1547.007	Re-opened Applications
T1547.008	LSASS Driver
T1547.009	Shortcut Modification
T1547.010	Port Monitors
T1547.011	Plist Modification
T1547.012	Print Processors

Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.

The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.^[1]

ID: T1547.005

Sub-technique of: T1547

Tactics: Persistence, Privilege Escalation

Platforms: Windows

Permissions Required: Administrator

Data Sources: DLL monitoring, Loaded DLLs, Windows Registry

Version: 1.0

Created: 24 January 2020

Last Modified: 25 March 2020

Version Permalink

Live Version

Procedure Examples

Name	Description
Empire	Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit's `Install-SSP` and `Invoke-Mimikatz` to install malicious SSPs and log authentication events.^[2]
Lazarus Group	Lazarus Group has rebooted victim machines to establish persistence by installing a SSP DLL.^[3]
Mimikatz	The Mimikatz credential dumper contains an implementation of an SSP.^[4]
PowerSploit	PowerSploit's `Install-SSP` Persistence module can be used to establish by installing a SSP DLL.^[5]^[6]

Mitigations

Mitigation	Description
Privileged Process Integrity	Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`, which requires all SSP DLLs to be signed by Microsoft. ^[1] ^[7]

Detection

Monitor the Registry for changes to the SSP Registry keys. Monitor the LSA process for DLL loads. Windows 8.1 and Windows Server 2012 R2 may generate events when unsigned SSP DLLs try to load into the LSA by setting the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe with AuditLevel = 8. ^[1] ^[7]

References