Boot or Logon Autostart Execution: Security Support Provider

Description

Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.
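A defender-side check for the condition described above, as an added example that is not Tenable's plugin logic or code from this page: it parses a `reg export` of the Lsa key and reports whether LSA protection is configured and which SSPs are registered. The `RunAsPPL` and `Security Packages` value names are the standard Windows ones; the baseline allow-list, the sample export and the `demossp` entry are constructed assumptions.

```python
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
# Assumed allow-list of Microsoft-shipped packages; replace with your gold image's.
BASELINE = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", '""'}

# Constructed sample of a `reg export` of the Lsa key (not from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000000
"Security Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,64,00,65,\
  00,6d,00,6f,00,73,00,73,00,70,00,00,00,00,00
'''

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def multi_sz(data):
    """Decode a hex(7) REG_MULTI_SZ payload (UTF-16LE, NUL-separated)."""
    raw = bytes(int(b, 16) for b in data.split(",") if b)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def audit_lsa(text):
    """List findings: LSA protection not configured, or SSPs outside BASELINE."""
    keys, findings = parse_reg(text), []
    ppl = keys.get(LSA, {}).get("RunAsPPL", "dword:0")
    if not ppl.startswith("dword:") or int(ppl[6:], 16) == 0:
        findings.append("RunAsPPL is absent or 0: LSA protection not configured")
    for key in (LSA, LSA + r"\OSConfig"):
        data = keys.get(key, {}).get("Security Packages", "")
        if data.startswith("hex(7):"):
            for pkg in multi_sz(data[7:]):
                if pkg.lower() not in BASELINE:
                    findings.append(f"Unexpected SSP '{pkg}' under {key}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_lsa(SAMPLE)))
```

Any package outside the baseline is worth tracing to its DLL and checking the signer before it is treated as benign.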

Products, Sensors, and Dependencies

| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | LSA Protection Status | Plugin ID: 159929 |

References

Windows LSA Protection Status

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Persistence, Privilege Escalation

Sub-Technique: Authentication Package

Platform: Windows

Products Required: Tenable.io

Tenable Release Date: 2022 Q2