T1547.005 Splunk · SPL

Detect Security Support Provider in Splunk

Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords stored in Windows, including logged-on user Domain passwords and smart card PINs. The SSP configuration is stored in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these registry keys to add new SSPs, which will be loaded at next boot or via the AddSecurityPackage API. Mimikatz, Empire, and PowerSploit all include SSP persistence capabilities.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1547 Boot or Logon Autostart Execution
Sub-technique
T1547.005 Security Support Provider
Canonical reference
https://attack.mitre.org/techniques/T1547/005/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
  (TargetObject="*\\Control\\Lsa\\Security Packages" OR TargetObject="*\\Control\\Lsa\\OSConfig\\Security Packages")
| table _time, host, TargetObject, Details, Image, User
| sort - _time
critical severity high confidence

Detects modifications to LSA Security Packages registry values using Sysmon Event ID 13. Any modification to these values warrants investigation as it can result in a malicious SSP DLL being loaded into lsass.exe with full access to all credentials in memory.

Data Sources

Windows Registry: Windows Registry Key ModificationSysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Third-party SSP/credential provider installation
  • Windows OS upgrades modifying Security Packages
  • Microsoft cloud authentication updates (cloudAP)
Download portable Sigma rule (.yml)

Other platforms for T1547.005

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Malicious SSP via Registry

    Expected signal: Sysmon Event ID 13: RegistryValueSet on Control\Lsa\Security Packages with the added 'df00tech-test'. PowerShell ScriptBlock Log Event ID 4104.

  2. Test 2Enumerate Current Security Packages

    Expected signal: Sysmon Event ID 1: Process creation for reg.exe querying the Lsa key.

  3. Test 3Mimikatz-style SSP Installation Simulation

    Expected signal: Sysmon Event ID 13: RegistryValueSet showing mimilib added to the Security Packages list. MDE DeviceRegistryEvents captures the full multi-string value.

Last updated: 2026-04-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1547.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1547Boot or Logon Autostart Execution

Related Sub-techniques

T1547.001Registry Run Keys / Startup FolderT1547.002Authentication PackageT1547.003Time ProvidersT1547.004Winlogon Helper DLLT1547.006Kernel Modules and ExtensionsT1547.007Re-opened ApplicationsT1547.008LSASS DriverT1547.009Shortcut ModificationT1547.010Port MonitorsT1547.012Print ProcessorsT1547.013XDG Autostart EntriesT1547.014Active SetupT1547.015Login Items

Related Techniques

T1547Boot or Logon Autostart ExecutionT1547.002Authentication PackageT1547.008LSASS DriverT1003.001LSASS MemoryT1556Modify Authentication ProcessT1003OS Credential Dumping

Same Tactic: Persistence

Popular Detections