Malicious modules and the LSA process

Detection of tactics involving malicious DLL registration and other Kaspersky SIEM improvements in Q4 2024.

Kaspersky SIEM improvements in Q4 2024

In attacks on infrastructure of various companies, cybercriminals are increasingly resorting to manipulating modules that interact with the Local Security Authority (LSA) process. This enables them to steal user credentials, establish persistence in the system, elevate privileges, or extend the attack to other systems within the target company. Therefore, for the latest quarterly update of our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, we’ve added rules designed to detect such attempts. In terms of the MITRE ATT&CK classification, the new rules can detect techniques T1547.002, T1547.005 and T1556.002.

What are techniques T1547.002, T1547.005 and T1556.002?

Both variants of technique T1547 mentioned above involve using the LSA process to load malicious modules. Sub-technique 002 describes adding malicious dynamic-link libraries (DLLs) with Windows authentication packages, while sub-technique 005 involves DLLs with security support provider (SSP) packages. Loading these modules allows attackers to access the LSA process memory, which can contain critical data such as user credentials.

Technique T1556.002 describes a scenario where an attacker registers a malicious password filter DLL in the system. These filters are essentially mechanisms for enforcing password policies. When a legitimate user changes a password or sets a new one, the LSA process compares it against all registered filters, and is forced to handle the passwords in plain text form, i.e., unencrypted. If an attacker manages to introduce a malicious password filter into the system, they can collect passwords with every request.

All three techniques involve placing malicious libraries in the C:Windowssystem32 directory and registering them in the system registry under the following keys of the SYSTEMCurrentControlSetControlLSA branch: Authentication Packages for T1547.002, Security Packages for T1547.005, and Notification Packages for T1556.002.

How our SIEM counters techniques T1547.002, T1547.005 and T1556.002

To counter these techniques, the Kaspersky Unified Monitoring and Analysis Platform will be updated with rules R154_02–R154_10, which detect, among other things, the following events:

  • Loading of suspicious authentication packages, password filter packages, and security support provider modules using events 4610, 4614 and 4622, respectively.
  • Commands executed in cmd.exe and powershell.exe and aimed at modifying the LSA registry branch and the Authentication Packages, Notification Packages and Security Packages keys.
  • Changes (detected through registry modification event 4657) of the LSA registry branch that could enable a malicious file.

Other improvements in the Kaspersky Unified Monitoring and Analysis Platform update

In this update, we’re also introducing rule R999_99, which detects changes in Active Directory accounts’ critical attributes, such as scriptPath and msTSInitialProgram, which enable various actions to be performed upon login.

These attributes set some scripts to execute every time a user logs into the system. This makes them an attractive target for attackers aiming to establish persistence in the network. Tampering with these attributes may indicate unauthorized attempts to gain a foothold in the system or escalate privileges — technique T1037.003 under the MITRE ATT&CK classification.

The strategy for detecting these manipulations is to monitor Windows event logs — particularly event 5136. This event records any changes made to objects in Active Directory, including attribute modifications.

After the latest update, our SIEM platform will provide over 700 rules. Thus, by the end of 2024, our solution will cover 400 MITRE ATT&CK techniques. Of course, we’re not aiming to create rules to detect every technique described in the matrix. A significant portion of them cannot be fully addressed due to their nature — for example, ones involving actions performed outside the protected perimeter or the techniques not fully covered by SIEM solutions by definition. However, in the fourth quarter of this year, we’ve focused on further expanding the coverage of MITRE ATT&CK techniques while enhancing the detection logic for already covered techniques.

New and improved normalizers

In the latest update, we’ve also added normalizers to our SIEM system that support the following event sources:

  • [OOTB] McAfee Endpoint DLP syslog
  • [OOTB] LastLine Enterprise syslog cef
  • [OOTB] MongoDb syslog
  • [OOTB] GajShield Firewall syslog
  • [OOTB] Eltex ESR syslog
  • [OOTB] Linux auditd syslog for KUMA 3.2
  • [OOTB] Barracuda Cloud Email Security Gateway syslog
  • [OOTB] Yandex Cloud
  • [OOTB] InfoWatch Person Monitor SQL
  • [OOTB] Kaspersky Industrial CyberSecurity for Networks 4.2 syslog

In addition, our experts have improved the following normalizers:

  • [OOTB] Microsoft Products via KES WIN
  • [OOTB] Microsoft Products for KUMA 3
  • [OOTB] KSC from SQL
  • [OOTB] Ideco UTM syslog
  • [OOTB] KEDR telemetry
  • [OOTB] Vipnet TIAS syslog
  • [OOTB] PostgreSQL pgAudit syslog
  • [OOTB] KSC PostgreSQL
  • [OOTB] Linux auditd syslog for KUMA 3.2

The full list of supported event sources in Kaspersky Unified Monitoring and Analysis Platform 3.4 can be found in the Online Help, where you can also find information on correlation rules. In our blog you can also read about the updates for our SIEM platform for the first, second and third quarters of 2024.

To learn more about our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, please visit the official product page.

Tips

How to travel safely

Going on vacation? We’ve compiled a traveler’s guide to help you have an enjoyable safe time and completely get away from the routine.

Sign up to receive our headlines in your inbox
  • For all other countries