MITRE ATT&CK Technique
Persistence T1131
Description

Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages) Adversaries can use the autostart mechanism provided by LSA Authentication Packages for persistence by placing a reference to a binary in the Windows Registry location <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</code> with the key value of <code>"Authentication Packages"=<target binary></code>. The binary will then be executed by the system when the authentication packages are loaded.

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2017-05-31T21:31:43.135Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Windows Authentication Package DLLs are loaded by the Local '
                'Security Authority (LSA) process at system start. They '
                'provide support for multiple logon processes and multiple '
                'security protocols to the operating system. (Citation: MSDN '
                'Authentication Packages)\n'
                '\n'
                'Adversaries can use the autostart mechanism provided by LSA '
                'Authentication Packages for persistence by placing a '
                'reference to a binary in the Windows Registry location '
                '<code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\</code> '
                'with the key value of <code>"Authentication Packages"=<target '
                'binary></code>. The binary will then be executed by the '
                'system when the authentication packages are loaded.',
 'external_references': [{'external_id': 'T1131',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1131'},
                         {'description': 'Microsoft. (n.d.). Authentication '
                                         'Packages. Retrieved March 1, 2017.',
                          'source_name': 'MSDN Authentication Packages',
                          'url': 'https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx'},
                         {'description': 'Graeber, M. (2014, October). '
                                         'Analysis of Malicious Security '
                                         'Support Provider DLLs. Retrieved '
                                         'March 1, 2017.',
                          'source_name': 'Graeber 2014',
                          'url': 'http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html'},
                         {'description': 'Microsoft. (2013, July 31). '
                                         'Configuring Additional LSA '
                                         'Protection. Retrieved June 24, 2015.',
                          'source_name': 'Microsoft Configure LSA',
                          'url': 'https://technet.microsoft.com/en-us/library/dn408187.aspx'}],
 'id': 'attack-pattern--52d40641-c480-4ad5-81a3-c80ccaddf82d',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:48:47.390Z',
 'name': 'Authentication Package',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About