M1025 Privileged Process Integrity
Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.
Item | Value |
---|---|
ID | M1025 |
Version | 1.1 |
Created | 06 June 2019 |
Last Modified | 20 May 2020 |
Techniques Addressed by Mitigation
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.002 | Authentication Package | Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all DLLs loaded by LSA to be signed by Microsoft. [2][3] |
enterprise | T1547.005 | Security Support Provider | Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all SSP DLLs to be signed by Microsoft. [2][3] |
enterprise | T1547.008 | LSASS Driver | On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to dword:00000001. [4] LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance. |
enterprise | T1556 | Modify Authentication Process | Enable features, such as Protected Process Light (PPL), for LSA. [1] |
enterprise | T1556.001 | Domain Controller Authentication | Enable features, such as Protected Process Light (PPL), for LSA. [1] |
enterprise | T1003 | OS Credential Dumping | On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. [1] |
enterprise | T1003.001 | LSASS Memory | On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. [1] |
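
The RunAsPPL setting named in the table can be audited per host. The script below is an added example, not part of the ATT&CK entry or of Microsoft's tooling: it reads the value, looks for the Wininit event that Microsoft's LSA protection guidance describes as confirmation that LSASS started protected, and sets the value only when asked. The function name `Get-LsaPplStatus` and the `-Enable` switch are this example's own.

```powershell
# Added example: audit (and optionally enable) LSA protection on the local host.
# Run from an elevated prompt; writing under HKLM requires administrator rights.
param([switch]$Enable)   # hypothetical switch defined by this example

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaPplStatus {
    # Configured state: the RunAsPPL value under the Lsa key (absent = not configured).
    $prop  = Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { $prop.RunAsPPL } else { $null }

    # Effective state: Wininit logs event ID 12 in the System log when LSASS
    # starts as a protected process. No event means the setting was never in
    # effect at boot, or the log has rolled over.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 }
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RunAsPPL           = $value
        # 1 is the value the page gives; Microsoft also documents 2 on
        # Windows 11 22H2 and later (enabled without the UEFI variable).
        Configured         = ($value -in 1, 2)
        LastProtectedStart = if ($evt) { $evt.TimeCreated } else { $null }
        EventMessage       = if ($evt) { $evt.Message } else { $null }
    }
}

$status = Get-LsaPplStatus
$status | Format-List

if (-not $status.Configured) {
    if ($Enable) {
        # Write the value as a DWORD; it takes effect at the next boot.
        New-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 `
            -PropertyType DWord -Force | Out-Null
        Write-Warning 'RunAsPPL set to 1. Reboot to start LSASS as a protected process.'
    } else {
        Write-Warning 'LSA protection is not configured (RunAsPPL missing or 0).'
    }
} elseif ($null -eq $status.LastProtectedStart) {
    Write-Warning 'RunAsPPL is set but no Wininit event 12 was found; confirm after a reboot.'
}
```

Because LSA plug-ins that are not Microsoft-signed stop loading once protection is active, check authentication on a test host before enabling it broadly.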
References
1. Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.
2. Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
3. Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.
4. Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.