Authentication Package

MITRE ATT&CK™ Boot or Logon Autostart Execution: Authentication Package - Technique T1547.002

Theory

We may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.

Practice

We won't be able to make it work If LSA protection (RunAsPPL) is enabled as LSASS.exe will run as a Protected Process Light (PPL).

Authentication packages can be seen under following registry, and the referenced DLLs are then executed by the system when the authentication packages are loaded.

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

First, you will have to copy the malicious package.dll in System32

copy "$PathToDll\package.dll" C:\Windows\System32\

Then, edit LSA registry keys to include the new authentication package

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v "Authentication Packages" /t REG_MULTI_SZ /d "msv1_0\0package.dll" /f

Resources

Boot or Logon Autostart Execution: Authentication Package, Sub-technique T1547.002 - Enterprise | MITRE ATT&CK®

Last updated 8 months ago