Security Monitoring: Check Authentication Packages Registry Key

Security.Monitoring.Monitors.AuthenticationPackages (UnitMonitor)

Description for the new unit monitor.

Element properties:

Target: Microsoft.Windows.Server.OperatingSystem
Parent Monitor: System.Health.SecurityState
Category: AvailabilityHealth
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: MultiStringRegMonitorType
Remotable: True
Accessibility: Internal
Alert Message:
Security Monitoring: Check Authentication Packages Registry Key
In order to establish persistence, an attacker can modify the OS Authentication Package binaries to use their own malware. See https://attack.mitre.org/wiki/Technique/T1131 for details. The registry value in question is Authentication Packages under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa; it should contain only msv1_0.
Run As: Default

Source Code:

<UnitMonitor ID="Security.Monitoring.Monitors.AuthenticationPackages" Accessibility="Internal" Enabled="true" Target="Windows!Microsoft.Windows.Server.OperatingSystem" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="MultiStringRegMonitorType" ConfirmDelivery="false">
  <Category>AvailabilityHealth</Category>
  <AlertSettings AlertMessage="Security.Monitoring.Monitors.AuthenticationPackages.AlertMessage">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>Error</AlertSeverity>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="RegValueBad" MonitorTypeStateID="RegValueBad" HealthState="Error"/>
    <OperationalState ID="RegValueGood" MonitorTypeStateID="RegValueGood" HealthState="Success"/>
  </OperationalStates>
  <Configuration>
    <IntervalSeconds>300</IntervalSeconds>
    <SyncTime/>
    <RegKey>hklm:\SYSTEM\CurrentControlSet\Control\Lsa</RegKey>
    <RegAttribute>Authentication Packages</RegAttribute>
    <RegValue>msv1_0</RegValue>
  </Configuration>
</UnitMonitor>
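The check the monitor's configuration performs every 300 seconds (read the REG_MULTI_SZ value Authentication Packages under the Lsa key and compare it with msv1_0) can be reproduced by hand on a server, for example to validate the baseline before deploying the management pack or to triage an alert. The script below is an added example, not part of the management pack; the function name Test-AuthenticationPackages and its parameters are assumptions, and the RegValueGood/RegValueBad state names mirror the monitor's operational states. It generalizes the monitor slightly by accepting an expected list, so it also reports entries that are present but not in the baseline and baseline entries that are missing.

```powershell
# Added example (not part of the management pack): compare the LSA
# "Authentication Packages" REG_MULTI_SZ value against an expected baseline.
# Function and parameter names are assumptions made for this example.
function Test-AuthenticationPackages {
    [CmdletBinding()]
    param(
        # Expected package names; the monitor above expects only msv1_0.
        [string[]]$Expected  = @('msv1_0'),
        [string]$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        [string]$ValueName   = 'Authentication Packages'
    )

    # Get-ItemProperty returns a REG_MULTI_SZ value as a string array.
    # Reading HKLM\SYSTEM does not require elevation, but run as an
    # administrator if the key ACL on the server has been tightened.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
    [string[]]$actual = @($item.$ValueName)

    # String comparisons with -notcontains are case-insensitive in PowerShell,
    # which matches how the registry treats these names.
    $unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $actual   -notcontains $_ })

    $state = if ($unexpected.Count -eq 0 -and $missing.Count -eq 0) {
        'RegValueGood'   # same meaning as the monitor's healthy state
    } else {
        'RegValueBad'    # same meaning as the monitor's Error state
    }

    [pscustomobject]@{
        State      = $state
        Actual     = $actual
        Unexpected = $unexpected
        Missing    = $missing
    }
}

# Usage on the monitored server: print the comparison and return a
# non-zero exit code when the value deviates from the baseline.
$result = Test-AuthenticationPackages
$result | Format-List
if ($result.State -eq 'RegValueBad') { exit 1 }
```

If a server legitimately registers an additional authentication package (some third-party credential providers do), pass the full approved list in -Expected and adjust the monitor's RegValue accordingly rather than tolerating unexpected entries; any entry outside the baseline should be treated as a finding until the backing DLL has been identified and verified.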