Home/ATT&CK Technique/Authentication Package
ATT&CK Technique

Authentication Package

T1547.002 · persistence, privilege-escalation

Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.

Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication Packages"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.

Windows

Atomic Tests

1
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellelevatedwindowsAuthentication Package
Establishes persistence using a custom authentication package for the Local Security Authority (LSA). After a reboot, Notepad.exe will be executed as child process of lsass.exe. Payload source code: https://github.com/tr4cefl0w/payloads/tree/master/T1547.002/package [Related blog](https://pentestlab.blog/2019/10/21/persistence-security-support-provider/) 
Copy-Item "$PathToAtomicsFolder\T1547.002\bin\package.dll" C:\Windows\System32\
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v "Authentication Packages" /t REG_MULTI_SZ /d "msv1_0\0package.dll" /f

Mitigations

1
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1025Privileged Process Integrity

Privileged Process Integrity focuses on defending highly privileged processes (e.g., system services, antivirus, or authentication processes) from tampering, injection, or compromise by adversaries. These processes often interact with critical components, making them prime targets for techniques like code injection, privilege escalation, and process manipulation.

Protected Process Mechanisms
  • Enable RunAsPPL on Windows systems to protect LSASS and other critical processes.
  • Use registry modifications to enforce protected process settings: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL Anti-Injection and Memory Protection:.
  • Enable Control Flow Guard (CFG), DEP, and ASLR to protect against process memory tampering.
  • Deploy endpoint protection tools that actively block process injection attempts.
Code Signing Validation
  • Implement policies for Windows Defender Application Control (WDAC) or AppLocker to enforce execution of signed binaries.
  • Ensure critical processes are signed with valid certificates.
Access Controls
  • Use DACLs and MIC to limit which users and processes can interact with privileged processes.
  • Disable unnecessary debugging capabilities for high-privileged processes.
Kernel-Level Protections
  • Ensure Kernel Patch Protection (PatchGuard) is enabled on Windows systems.
  • Leverage SELinux or AppArmor on Linux to enforce kernel-level security policies.
Tools for Implementation Protected Process Light (PPL)
  • RunAsPPL (Windows)
Windows Defender Credential Guard Code Integrity and Signing
  • Windows Defender Application Control (WDAC)
  • AppLocker.
SELinux/AppArmor (Linux) Memory Protection
  • Control Flow Guard (CFG), Data Execution Prevention (DEP), ASLR Process Isolation/Sandboxing:.
  • Firejail (Linux Sandbox)
  • Windows Sandbox.
QEMU/KVM-based isolation Kernel Protection
  • PatchGuard (Windows Kernel Patch Protection)
  • SELinux (Mandatory Access Control for Linux)
  • AppArmor.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 1
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53CM-06, SC-39, SI-03, SI-04, SI-07
D3FEND3 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin