Detections
Analytics
Boot or Logon Autostart Execution: Authentication Package
Description
Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | LSA Protection Status | Plugin ID: 159929 |
References
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Persistence, Privilege Escalation
Technique: Boot or Logon Autostart Execution
Sub-Technique: Authentication Package
Platform: Windows
Products Required: Tenable Vulnerability Management
Tenable Release Date: 2022 Q2