Security Support Provider (SSP) is a Windows API used to extend the Windows authentication mechanism. The LSASS process loads the registered security support provider DLLs during Windows startup. This behaviour allows a red team operator either to drop an arbitrary SSP DLL on disk in order to interact with the LSASS process and log all passwords stored in it, or to patch the process directly with a malicious SSP without touching the disk.
This technique can be used to collect credentials from one system or from a number of systems and to use those credentials in conjunction with other protocols, such as RDP or WMI, to establish persistence in the network while staying off the radar. Injecting a malicious security support provider into a host requires administrator-level privileges, and there are two methods that can be used:
- Registering an SSP DLL
- Patching LSASS in memory with a malicious SSP
Mimikatz, Empire and PowerSploit support both methods and can be utilized during a red team operation.
The Mimikatz project provides a DLL file (mimilib.dll) which can be dropped into the same location as the LSASS process (System32) in order to obtain plaintext credentials for any user who authenticates to the compromised host.
After the file has been copied to that location, the registry value that lists the security packages needs to be modified to include the new security support provider, mimilib.
reg add "hklm\system\currentcontrolset\control\lsa" /v "Security Packages" /d "kerberos
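A defender-side check for exactly this modification, added here as an example and not part of the original post: it parses the output of `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Security Packages"` and reports any package name that is not in a baseline. The baseline set (the packages the command above lists before mimilib) and the sample `reg query` output are assumptions constructed for the example; adjust the baseline to the build you are auditing.

```python
import re

# Assumed baseline: the SSPs normally present in the "Security Packages" value
# (the names the page's reg add command lists ahead of mimilib). Adjust per build.
BASELINE_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

# Constructed sample of `reg query ... /v "Security Packages"` output after a rogue
# package has been registered. Not captured from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib
"""


def parse_security_packages(reg_query_output: str) -> list:
    """Extract the REG_MULTI_SZ entries of the 'Security Packages' value.
    reg.exe prints a multi-string with a literal '\\0' between the elements."""
    match = re.search(r"^\s*Security Packages\s+REG_MULTI_SZ\s+(.*)$",
                      reg_query_output, re.MULTILINE | re.IGNORECASE)
    if not match:
        raise ValueError("'Security Packages' value not found in reg query output")
    raw = match.group(1).strip()
    return [part.strip() for part in raw.split(r"\0") if part.strip()]


def unexpected_packages(packages, baseline=BASELINE_PACKAGES) -> list:
    """Return registered package names absent from the baseline, in registry order.
    The comparison is case-insensitive, as registry data is, and duplicates are
    reported once."""
    wanted = {name.lower() for name in baseline}
    seen = set()
    flagged = []
    for name in packages:
        key = name.lower()
        if key not in wanted and key not in seen:
            seen.add(key)
            flagged.append(name)
    return flagged


def audit(reg_query_output: str, baseline=BASELINE_PACKAGES) -> list:
    """Parse reg query output and return the packages that deserve a closer look."""
    return unexpected_packages(parse_security_packages(reg_query_output), baseline)


if __name__ == "__main__":
    for name in audit(SAMPLE_REG_QUERY):
        print(f"unexpected security package registered: {name}")
```

Any name this flags should be matched against the DLL actually present in System32 and its signature; an unsigned or unexpected module in the LSA package list is the on-disk variant of the technique described above.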