SSPs (Security Support Providers) are dynamic link libraries (DLLs) that are loaded by the Local Security Authority (LSA) process in Windows operating systems at system startup. SSPs provide security-related services to Windows and are used to implement various authentication protocols, such as NTLM and Kerberos, which are used to validate user credentials and secure network communications. SSPs also have access to encrypted and plaintext passwords stored in Windows, such as domain passwords or smart card PINs, making them a prime target for attackers looking to steal sensitive information.
To modify the SSP configuration, an adversary can manipulate the relevant Registry keys, namely HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. By adding new SSPs to these keys, the attacker can ensure that their chosen DLL, such as mimilib.dll, is loaded during the next boot-up or when the AddSecurityPackage Windows API function is called.
Once loaded into the LSA process, the mimilib.dll file can perform a range of malicious activities. For example, it can capture user credentials, log keystrokes, and even perform remote code execution. This poses a significant risk to the security of the affected system, as well as any sensitive data stored on it.
Execute "Is my host protected against SSP abuse?" in Operator on each host in your environment to test whether you are vulnerable.
This chain will stage a mimilib.dll file and register it as a Windows Security Support Provider, which allows a custom DLL to be loaded into LSA on boot.
Defending against SSP injection attacks can be challenging, as attackers can manipulate the Windows Registry and modify the SSP configuration to load malicious DLLs during system startup. However, monitoring the relevant Registry keys, HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages, for suspicious changes is an effective detection. You can use tools like Sysmon or PowerShell to monitor these keys and receive alerts when changes are made.
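As an added example (not part of the original post or of Operator), the PowerShell below reads both "Security Packages" values, compares each entry against a baseline of expected packages, and reports the on-disk DLL and its Authenticode status for anything unexpected, such as mimilib. The $Expected list is an assumption; capture it from a known-good host of the same Windows build before relying on it.

```powershell
# Added example: baseline-compare the two LSA "Security Packages" values
# and flag any package that is not on the expected list.
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)
# Assumed baseline - replace with the values captured from a known-good host.
$Expected = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')

function Get-SecurityPackages {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name 'Security Packages' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    # The value is REG_MULTI_SZ (a string array), but some layouts hold one
    # space-separated string, so normalise by joining and re-splitting.
    $raw = @($item.'Security Packages') -join ' '
    return @($raw -split '\s+' | Where-Object { $_ -ne '' })
}

$findings = foreach ($key in $Keys) {
    foreach ($pkg in Get-SecurityPackages -Path $key) {
        if ($Expected -notcontains $pkg.ToLower()) {
            # LSA loads the package name as a DLL from System32.
            $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
            $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'DllMissing' }
            [pscustomobject]@{ Key = $key; Package = $pkg; Dll = $dll; Signature = $sig }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No unexpected security packages found.' }
```

Run it on a schedule alongside Sysmon registry value-set events (Event ID 13) on these two keys so that a change is both alerted on and attributed to a process.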
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!