Installation of Security Support Provider

About

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: PersistenceTactic: Defense EvasionData Source: Elastic EndgameData Source: Elastic DefendData Source: SysmonData Source: Microsoft Defender for EndpointData Source: SentinelOneData Source: CrowdstrikeLanguage: eql

Severity

medium

Risk Score

47

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Boot or Logon Autostart Execution (T1547)(opens in a new tab or window)

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Modify Registry (T1112)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

winlogbeat-*logs-endpoint.events.registry-*logs-windows.sysmon_operational-*endgame-*logs-m365_defender.event-*logs-sentinel_one_cloud_funnel.*logs-crowdstrike.fdr*

Related Integrations

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

m365_defender(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

crowdstrike(opens in a new tab or window)

Query

registry where host.os.type == "windows" and event.type == "change" and
  registry.value : "Security Packages" and
  registry.path : (
      "*\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages",
      "*\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages"
  ) and
  not process.executable : (
        "C:\\Windows\\System32\\msiexec.exe",
        "C:\\Windows\\SysWOW64\\msiexec.exe",
        /* Crowdstrike specific exclusion as it uses NT Object paths */
        "\\Device\\HarddiskVolume*\\Windows\\System32\\msiexec.exe",
        "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\msiexec.exe"
  )