Boot or Logon Autostart Execution: Authentication Package


Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable Vulnerability ManagementAdvanced Network ScanWindows machinesAuthenticated ScanSMBLSA Protection StatusPlugin ID: 159929


Windows LSA Protection Status

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Persistence, Privilege Escalation

Sub-Technique: Authentication Package

Platform: Windows

Tenable Release Date: 2022 Q2