1. Home
  2. Mitigations
  3. Privileged Process Integrity

Privileged Process Integrity

Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.

ID: M1025
Version: 1.1
Created: 06 June 2019
Last Modified: 20 May 2020
Enterprise Layer
download view

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1547 .002 Boot or Logon Autostart Execution: Authentication Package

Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all DLLs loaded by LSA to be signed by Microsoft. [1] [2]
.005 Boot or Logon Autostart Execution: Security Support Provider

Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all SSP DLLs to be signed by Microsoft. [1] [2]
.008 Boot or Logon Autostart Execution: LSASS Driver

On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to dword:00000001. [3] LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.

Enterprise T1556 Modify Authentication Process

Enabled features, such as Protected Process Light (PPL), for LSA.[4]
.001 Domain Controller Authentication

Enabled features, such as Protected Process Light (PPL), for LSA.[4]
Enterprise T1003 OS Credential Dumping

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.[4]
.001 LSASS Memory

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.[4]

References

  1. Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
  2. Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.
  1. Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.
  2. Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.