title: Security Support Provider (T1547.005)
id: df00tech-t1547-005
status: experimental
description: "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords stored in Windows, including logged-on user Domain passwords and smart card PINs. The SSP configuration is stored in HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these registry keys to add new SSPs, which will be loaded at next boot or via the AddSecurityPackage API. Mimikatz, Empire, and PowerSploit all include SSP persistence capabilities."
references:
  - https://attack.mitre.org/techniques/T1547/005/
  - https://df00tech.com/detections/T1547.005
author: df00tech
date: 2026/04/20
tags:
  - attack.t1547.005
# NOTE: logsource is auto-derived; registry_set maps to Sysmon EventID 13 (RegistryEvent SetValue) and may need adjustment for your environment
logsource:
  product: windows
  category: registry_set
detection:
  # Selection derived from the two registry values named in the description (matched as
  # suffixes so ControlSet001/CurrentControlSet both hit); the df00tech page carries the
  # original KQL/SPL query. Tune with an Image filter for known installers if needed.
  selection:
    TargetObject|endswith:
      - '\Control\Lsa\Security Packages'
      - '\Control\Lsa\OSConfig\Security Packages'
  condition: selection
falsepositives:
  - "Installation of third-party SSP/credential providers (smart card middleware, biometric authentication packages)"
  - Windows OS upgrades that modify the Security Packages list
  - Microsoft cloud authentication updates adding or modifying cloudAP
level: critical
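To show what the rule's selection does against real event shapes, the following Python is an added example and not part of the df00tech rule, of Sigma, or of Sysmon. It applies the same suffix match to constructed Sysmon EventID 13 records and, beyond what the rule itself does, diffs the written package list against a known-good baseline so a write that only re-asserts the stock packages (the OS-upgrade false positive listed above) is visibly different from one that introduces a new SSP. The baseline set, the sample records, and the assumption that the `Details` field carries the REG_MULTI_SZ list as whitespace-separated tokens are all assumptions of this example; the name `mimilib` in the sample data stands for the Mimikatz SSP the description mentions and is constructed input here.

```python
"""Added example: T1547.005 selection logic run over constructed Sysmon EventID 13 records."""
import re

# Registry value paths from the rule description, compared as case-insensitive suffixes
# so that ControlSet001, ControlSet002 and CurrentControlSet all match.
WATCHED_SUFFIXES = (
    r"\control\lsa\security packages",
    r"\control\lsa\osconfig\security packages",
)

# Assumption: packages a stock Windows host loads into LSA. Treat this as a
# per-environment baseline to be captured from a known-good machine, not as authoritative.
BASELINE = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}


def is_ssp_config_write(event: dict) -> bool:
    """True when the event is a Sysmon SetValue (ID 13) on one of the LSA SSP list values."""
    if str(event.get("EventID")) != "13":
        return False
    target = str(event.get("TargetObject", "")).lower()
    return target.endswith(WATCHED_SUFFIXES)


def unexpected_packages(details: str, baseline: set = BASELINE) -> list:
    """Package names in the written value that are not in the baseline.

    Assumption: the collector renders the REG_MULTI_SZ as whitespace-separated tokens;
    adjust the split if your pipeline encodes multi-string values differently.
    """
    tokens = re.split(r"[\s\x00]+", details.strip())
    return sorted({t for t in tokens if t and t.lower() not in baseline})


def evaluate(event: dict):
    """Return a finding for a matching event, or None when the event is out of scope."""
    if not is_ssp_config_write(event):
        return None
    return {
        "image": event.get("Image"),
        "target": event.get("TargetObject"),
        "unexpected": unexpected_packages(str(event.get("Details", ""))),
    }


# Constructed sample records (not real telemetry), shaped like Sysmon RegistryEvent fields.
SAMPLE_EVENTS = [
    {   # attacker adds a new SSP to the list with reg.exe -> match, one unexpected package
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
        "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u mimilib",
    },
    {   # servicing rewrites the stock list -> still a match, but nothing unexpected (FP case)
        "EventID": 13,
        "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
        "TargetObject": r"HKLM\System\ControlSet001\Control\Lsa\OSConfig\Security Packages",
        "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u cloudAP",
    },
    {   # another LSA value -> out of scope for this rule
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL",
        "Details": "DWORD (0x00000001)",
    },
    {   # key create (ID 12) on a watched path -> not a SetValue, so not matched
        "EventID": 12,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Security Packages",
    },
]


def run(events=SAMPLE_EVENTS) -> list:
    """Evaluate every event and keep only the findings."""
    return [hit for hit in (evaluate(e) for e in events) if hit is not None]


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

Both writes match the selection, which is exactly the rule's behaviour and why the level needs the listed false positives; the baseline diff is the extra triage step that separates the two, and it only works if the baseline is captured from your own known-good image rather than copied from this example.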
