T1131 Authentication Package - CraigDonkin/Infrastructure GitHub Wiki
T1131: Authentication Package
- Authentication package DLLs are loaded by the LSA process at system start
- Use the autostart mechanism provided by LSA authentication packages for persistence
- Place a reference to the binary in
  - HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  - Key value of "Authentication Packages="
- Copy the DLL to C:\windows\System32
- Update the Security Packages registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Security Packages\ with the name of the DLL
- The DLL will execute when the user logs in
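
To audit a host for this persistence, the following added example (not part of the original wiki) reads both LSA values named above, compares each entry against an allow-list, and checks the signature of the DLL it resolves to. The `$Baseline` contents, the function name `Get-LsaPackageFinding`, and the assumption that a bare entry resolves to `<name>.dll` under System32 are illustrative; replace the baseline with the values from your own gold image.

```powershell
# Added example: audit LSA package entries (run from an elevated prompt).
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Assumed allow-list; adjust to the values present on your known-good build.
$Baseline = @{
    'Authentication Packages' = @('msv1_0')
    'Security Packages'       = @('kerberos','msv1_0','schannel','wdigest','tspkg','pku2u')
}

function Get-LsaPackageFinding {
    param([string]$Key = $LsaKey, [hashtable]$Allowed = $Baseline)
    foreach ($valueName in $Allowed.Keys) {
        $raw = (Get-ItemProperty -Path $Key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        # REG_MULTI_SZ is returned as string[]; skip blanks and the literal "" placeholder.
        foreach ($entry in @($raw | Where-Object { $_ -and $_ -ne '""' })) {
            # Entries are usually bare names; treat them as <name>.dll in System32.
            $file = $entry
            if (-not [IO.Path]::GetExtension($file)) { $file = "$file.dll" }
            $path = $file
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot "System32\$file"
            }
            $sig = $null
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
            }
            $status = 'FileMissing'
            $signer = $null
            if ($sig) {
                $status = [string]$sig.Status
                $signer = $sig.SignerCertificate.Subject
            }
            [pscustomobject]@{
                ValueName  = $valueName
                Entry      = $entry
                Path       = $path
                InBaseline = $Allowed[$valueName] -contains $entry
                Signature  = $status
                Signer     = $signer
            }
        }
    }
}

# Report anything outside the baseline or without a valid signature.
Get-LsaPackageFinding |
    Where-Object { -not $_.InBaseline -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

An empty result means every listed package is in the baseline and validly signed; any row returned is a lead to investigate, not proof of compromise.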