Authentication Packages
Location:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Classification:
| Criteria | Value |
|---|---|
| Permissions | Admin |
| Security context | System |
| Persistence type | Registry |
| Code type | DLL |
| Launch type | Automatic |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |
Description:
Authentication packages are contained in dynamic-link libraries. The Local Security Authority (LSA) loads authentication packages by using configuration information stored in the registry.
lsass.exe loads every DLL listed in the Authentication Packages REG_MULTI_SZ value. The DLL should be placed in %WINDIR%\System32 and referenced in the registry without its extension: to load %WINDIR%\System32\msv1_0.dll, enter only msv1_0.
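To audit this location, a defender can list each entry, resolve it to the DLL that lsass.exe would load from System32, and compare it with a known-good baseline. The PowerShell below is an added example, not part of the original page; the baseline (msv1_0 only) and the function name Get-AuthPackageAudit are assumptions.

```powershell
# Added example: audit the LSA "Authentication Packages" value on the local host.
# Assumption: the known-good baseline is msv1_0 only; adjust for your build.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'Authentication Packages'
$Baseline  = @('msv1_0')

function Get-AuthPackageAudit {
    param(
        # REG_MULTI_SZ entries; read from the live registry by default.
        [string[]]$Packages = (Get-ItemProperty -Path $LsaKey -Name $ValueName).$ValueName
    )

    foreach ($entry in @($Packages | Where-Object { $_ -and $_.Trim() })) {
        $name = $entry.Trim() -replace '\.dll$', ''

        # Entries are stored without the extension and resolved under System32.
        $path = Join-Path $env:WINDIR "System32\$name.dll"

        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sig    = $null
        $sha256 = $null
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Entry      = $entry
            Path       = $path
            Exists     = $exists
            InBaseline = $Baseline -contains $name
            Signature  = if ($sig) { $sig.Status } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            SHA256     = $sha256
        }
    }
}

# Entries outside the baseline, or whose DLL is missing or not validly signed, need review.
Get-AuthPackageAudit |
    Where-Object { -not $_.InBaseline -or -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-List
```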
References:
https://docs.microsoft.com/en-us/windows/win32/secauthn/authentication-packages