Home/ATT&CK Technique/Security Support Provider
ATT&CK Technique

Security Support Provider

T1547.005 · persistence, privilege-escalation

Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.

The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.

Windows

Actors Using This

3
palestinian_territoriesMolerats / Gaza Cybergang
suspected_state_aligned_unattributedProject Sauron / Strider
us_israel_joint_offensive_cyberStuxnet

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development earlier
T1583.004 · Server ×2.48T1608 · Stage Capabilities ×2.02
execution earlier
T1574.001 · DLL ×1.84T1574.002 · DLL Side-Loading ×1.62T1129 · Shared Modules ×1.55
privilege-escalation later
T1548 · Abuse Elevation Control Mechanism ×2.11
credential-access later
T1552 · Unsecured Credentials ×1.65
discovery later
T1010 · Application Window Discovery ×1.98T1497 · Virtualization/Sandbox Evasion ×1.71
lateral-movement later
T1021 · Remote Services ×1.56
collection later
T1213 · Data from Information Repositories ×1.70
command-and-control later
T1568.002 · Domain Generation Algorithms ×2.09
impact later
T1657 · Financial Theft ×1.70
other same
T1620 · Reflective Code Loading ×2.98T1027.005 · Indicator Removal from Tools ×1.92

Atomic Tests

2
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellelevatedwindowsModify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry
Add a value to a Windows registry Security Support Provider pointing to a payload .dll which will normally need to be copied in the system32 folder. A common DLL used with this techquite is the minilib.dll from mimikatz, see https://pentestlab.blog/2019/10/21/persistence-security-support-provider/ 
$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name 'Security Packages old' -Value "$oldvalue";
$newvalue = "AtomicTest.dll";
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $newvalue
powershellelevatedwindowsModify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry
Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys.
$oldvalue = $(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages');
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig" -Name 'Security Packages old' -Value "$oldvalue";
$newvalue = "AtomicTest.dll";
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig -Name 'Security Packages' -Value $newvalue

Mitigations

1
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1025Privileged Process Integrity

Privileged Process Integrity focuses on defending highly privileged processes (e.g., system services, antivirus, or authentication processes) from tampering, injection, or compromise by adversaries. These processes often interact with critical components, making them prime targets for techniques like code injection, privilege escalation, and process manipulation.

Protected Process Mechanisms
  • Enable RunAsPPL on Windows systems to protect LSASS and other critical processes.
  • Use registry modifications to enforce protected process settings: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL Anti-Injection and Memory Protection:.
  • Enable Control Flow Guard (CFG), DEP, and ASLR to protect against process memory tampering.
  • Deploy endpoint protection tools that actively block process injection attempts.
Code Signing Validation
  • Implement policies for Windows Defender Application Control (WDAC) or AppLocker to enforce execution of signed binaries.
  • Ensure critical processes are signed with valid certificates.
Access Controls
  • Use DACLs and MIC to limit which users and processes can interact with privileged processes.
  • Disable unnecessary debugging capabilities for high-privileged processes.
Kernel-Level Protections
  • Ensure Kernel Patch Protection (PatchGuard) is enabled on Windows systems.
  • Leverage SELinux or AppArmor on Linux to enforce kernel-level security policies.
Tools for Implementation Protected Process Light (PPL)
  • RunAsPPL (Windows)
Windows Defender Credential Guard Code Integrity and Signing
  • Windows Defender Application Control (WDAC)
  • AppLocker.
SELinux/AppArmor (Linux) Memory Protection
  • Control Flow Guard (CFG), Data Execution Prevention (DEP), ASLR Process Isolation/Sandboxing:.
  • Firejail (Linux Sandbox)
  • Windows Sandbox.
QEMU/KVM-based isolation Kernel Protection
  • PatchGuard (Windows Kernel Patch Protection)
  • SELinux (Mandatory Access Control for Linux)
  • AppArmor.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 1
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53CM-06, SC-39, SI-03, SI-04, SI-07
D3FEND3 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin