Skip to content

M1025 Privileged Process Integrity

Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.

Item Value
ID M1025
Version 1.1
Created 06 June 2019
Last Modified 20 May 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.002 Authentication Package Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all DLLs loaded by LSA to be signed by Microsoft. 2 3
enterprise T1547.005 Security Support Provider Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all SSP DLLs to be signed by Microsoft. 2 3
enterprise T1547.008 LSASS Driver On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to dword:00000001. 4 LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.
enterprise T1556 Modify Authentication Process Enabled features, such as Protected Process Light (PPL), for LSA.1
enterprise T1556.001 Domain Controller Authentication Enabled features, such as Protected Process Light (PPL), for LSA.1
enterprise T1003 OS Credential Dumping
On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.1
enterprise T1003.001 LSASS Memory On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.1

References