Is my host protected against SSP abuse?

This chain will stage a mimilib.dll file and import it into the Windows Security Support Provider configuration, allowing it to run custom DLLs on boot.


SSPs (Security Support Providers) are dynamic link libraries (DLLs) that are loaded by the Local Security Authority (LSA) process in Windows operating systems at system startup. SSPs provide security-related services to Windows and are used to implement various authentication protocols, such as NTLM and Kerberos, which are used to validate user credentials and secure network communications. SSPs also have access to encrypted and plaintext passwords stored in Windows, such as domain passwords or smart card PINs, making them a prime target for attackers looking to steal sensitive information.

To modify the SSP configuration, an adversary can manipulate the relevant Registry keys, namely HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. By adding new SSPs to these keys, the attacker can ensure that their chosen DLL, such as mimilib.dll, is loaded during the next boot-up or when the AddSecurityPackage Windows API function is called.

Once loaded into the LSA process, the mimilib.dll file can perform a range of malicious activities. For example, it can capture user credentials, log keystrokes, and even perform remote code execution. This poses a significant risk to the security of the affected system, as well as any sensitive data stored on it.


Execute the "Is my host protected against SSP abuse?" chain in Operator on each host in your environment to test whether you are vulnerable.



Defending against SSP injection attacks can be challenging, as attackers can manipulate the Windows Registry and modify the SSP configuration to load malicious DLLs during system startup. However, monitoring the relevant Registry keys HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages for suspicious activity could prove useful. You can use tools like Sysmon or PowerShell to monitor these keys and receive alerts when changes are made.
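
One way to do the PowerShell check described above, as an added example that is not Prelude's code: it reads the Security Packages value under both keys, flags any entry outside a baseline, and reports the Authenticode status of the DLL each flagged entry points to. The baseline list and the function name Get-UnexpectedSecurityPackage are assumptions made for illustration; record the baseline from a known-good build of your own.

```powershell
# Added example: audit the LSA "Security Packages" values against a baseline.
# ASSUMPTION: $Baseline is a placeholder allowlist. Replace it with the package
# names recorded from a known-good build of your own image.
$Baseline = @('', '""', 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')

# "Security Packages" is a REG_MULTI_SZ value under each of these keys.
$LsaKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)

function Get-UnexpectedSecurityPackage {
    param(
        [string[]]$Keys    = $LsaKeys,
        [string[]]$Allowed = $Baseline
    )
    foreach ($key in $Keys) {
        $prop = Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue
        if (-not $prop) { continue }    # value not present on this host

        foreach ($pkg in @($prop.'Security Packages')) {
            $name = "$pkg".Trim()
            if ($Allowed -contains $name) { continue }    # -contains is case-insensitive

            # Entries are usually bare names resolved from System32; handle full paths too.
            $file = if ($name -match '\.dll$') { $name } else { "$name.dll" }
            $path = if ([System.IO.Path]::IsPathRooted($file)) { $file } else {
                Join-Path $env:SystemRoot "System32\$file"
            }
            $sig = if (Test-Path -LiteralPath $path) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'FileNotFound' }

            [pscustomobject]@{ Key = $key; Package = $name; Path = $path; Signature = $sig }
        }
    }
}

$findings = @(Get-UnexpectedSecurityPackage)
if ($findings.Count -gt 0) {
    Write-Warning 'Security Packages entries outside the baseline were found.'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'Security Packages values match the baseline.'
}
```

Run it from a scheduled task or your endpoint management tooling and forward the warning output to wherever you alert from; it complements, rather than replaces, change monitoring of the same keys with Sysmon.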


Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

Execute this chain



Stage mimilib.dll
add mimilib to reg
Reboot the machine