Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | Boot or Logon Autostart Execution: Security Support Provider (T1547.005) |
| Severity | Low |
Description
A Security Support Provider (SSP) exposes a number of callbacks that are invoked during certain authentication and authorization events.
An attacker may register an SSP to try to gain access to clear-text passwords.
Attacker's Goals
Gain clear-text passwords and persistence in the network.
Investigative actions
Audit the specific key values to verify that the additional values are trusted.
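
One way to carry out this audit on a Windows host, as an added example that is not part of the original page. It assumes the standard LSA registry locations for SSP registration (the page does not name the keys), and the `$Baseline` list is a constructed placeholder to replace with your organization's approved packages.

```powershell
# Added example: list registered SSPs that are not in an approved baseline and
# collect signature and hash details for each so the DLL can be vetted.
# ASSUMPTION: $Baseline is a sample allowlist; adjust it to your own builds.
$Baseline = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', '')

# Standard registry locations where SSPs are registered (not named on the page).
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'
)

$findings = foreach ($key in $Keys) {
    $prop = Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue
    if (-not $prop) { continue }    # key or value absent on this host

    foreach ($pkg in @($prop.'Security Packages')) {
        # Entries are multi-string items; an empty entry may be stored as literal "".
        $name = "$pkg".Trim().Trim('"')
        if ($Baseline -contains $name) { continue }    # -contains is case-insensitive

        # An entry may be a bare name, a file name, or a full path.
        $file = if ($name -match '\.dll$') { $name } else { "$name.dll" }
        $path = if (Split-Path -Path $file -IsAbsolute) { $file }
                else { Join-Path $env:SystemRoot "System32\$file" }

        $exists = Test-Path -LiteralPath $path
        $sig  = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        $hash = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }

        [pscustomobject]@{
            RegistryKey = $key
            Package     = $name
            ResolvedDll = $path
            Exists      = $exists
            SigStatus   = if ($sig) { $sig.Status } else { 'n/a' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            SHA256      = $hash
        }
    }
}

if ($findings) { $findings | Format-List }
else { Write-Output 'All registered security packages match the baseline.' }
```

Any entry reported here is a value the baseline does not cover. An unsigned, missing, or unexpectedly signed DLL is the one to trace back to the process and user that wrote the registry value.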