Secondary Categories: 02-Persistence

Malicious security support providers (SSPs) can provide a means of persisting access or permissions on a network. An SSP is similar to a security package: a user-mode security extension used to perform authentication during a client/server exchange.

An authentication package (AP) is used to extend interactive logon authentication. An example of this is RSA token-based authentication.

SSPs and APs are loaded into lsass at boot.

You can install your own SSP and it will be loaded into lsass.exe.

To develop your own SSP DLL that can be loaded into lsass, the only exported function you need is SpLsaModeInitialize. Such a DLL can be used to capture usernames and passwords.

The DLL can be installed using PowerSploit's persistence module.
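
A defender-side check for the persistence described above, as an added example that is not part of the original notes: it lists the packages LSA is configured to load at boot and flags entries that fall outside a baseline or lack a valid signature. The baseline list and the resolution of bare names to System32 are assumptions to adjust per OS build.

```powershell
# Added example: audit the SSPs/APs that LSA is configured to load at boot.
# Assumption: baseline of Microsoft-shipped package names; adjust per OS build.
$baseline = 'kerberos','msv1_0','schannel','wdigest','tspkg','pku2u','cloudap','negoexts'

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sources = @(
    @{ Path = $lsaKey;            Value = 'Security Packages' },
    @{ Path = "$lsaKey\OSConfig"; Value = 'Security Packages' },
    @{ Path = $lsaKey;            Value = 'Authentication Packages' }
)

$findings = foreach ($src in $sources) {
    $prop = Get-ItemProperty -Path $src.Path -Name $src.Value -ErrorAction SilentlyContinue
    if (-not $prop) { continue }
    # REG_MULTI_SZ is returned as a string array; skip empty and '""' entries.
    $names = @($prop.($src.Value)) | Where-Object { $_ -and $_.Trim('"', ' ') }
    foreach ($name in $names) {
        # Assumption: bare names resolve to %SystemRoot%\System32\<name>.dll.
        $file = $name
        if (-not (Split-Path -Path $name -IsAbsolute)) {
            $file = Join-Path $env:SystemRoot "System32\$name"
        }
        if (-not [IO.Path]::HasExtension($file)) { $file += '.dll' }
        $sig = if (Test-Path -LiteralPath $file) { Get-AuthenticodeSignature -LiteralPath $file }
        [pscustomobject]@{
            Source     = "$($src.Path)\$($src.Value)"
            Package    = $name
            File       = $file
            Signature  = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
            InBaseline = $baseline -contains [IO.Path]::GetFileNameWithoutExtension($name)
        }
    }
}

# RunAsPPL of 1 or 2 means LSA runs as a protected process and only loads
# plug-ins that meet Microsoft's signing requirements.
$ppl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
"LSA protection (RunAsPPL): $(if ($ppl) { $ppl } else { 'not set' })"

# Review anything outside the baseline or without a valid signature.
$findings | Where-Object { -not $_.InBaseline -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt and compare the output against a known-good host of the same OS build; an empty table means every configured package is in the baseline and validly signed.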

