Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
title: Security Support Provider (SSP) Added to LSA Configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: test
description: |
Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
references:
- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
author: iwillkeepwatch
date: 2019-01-18
modified: 2026-03-30
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.005
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith:
- '\Control\Lsa\Security Packages'
- '\Control\Lsa\OSConfig\Security Packages'
filter_main_msiexec:
Image:
- 'C:\Windows\system32\msiexec.exe'
- 'C:\Windows\syswow64\MsiExec.exe'
filter_main_image_null:
Image: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
imRegistry
| where (RegistryKey endswith "\\Control\\Lsa\\Security Packages" or RegistryKey endswith "\\Control\\Lsa\\OSConfig\\Security Packages") and (not(((ActingProcessName in~ ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\syswow64\\MsiExec.exe")) or isnull(ActingProcessName))))| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |