M1025 Privileged Process Integrity

Privileged Process Integrity focuses on defending highly privileged processes (e.g., system services, antivirus, or authentication processes) from tampering, injection, or compromise by adversaries. These processes often interact with critical components, making them prime targets for techniques like code injection, privilege escalation, and process manipulation. This mitigation can be implemented through the following measures:

Protected Process Mechanisms:

Enable RunAsPPL on Windows systems to protect LSASS and other critical processes.
Use registry modifications to enforce protected process settings: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL

Anti-Injection and Memory Protection:

Enable Control Flow Guard (CFG), DEP, and ASLR to protect against process memory tampering.
Deploy endpoint protection tools that actively block process injection attempts.

Code Signing Validation:

Implement policies for Windows Defender Application Control (WDAC) or AppLocker to enforce execution of signed binaries.
Ensure critical processes are signed with valid certificates.

Access Controls:

Use DACLs and MIC to limit which users and processes can interact with privileged processes.
Disable unnecessary debugging capabilities for high-privileged processes.

Kernel-Level Protections:

Ensure Kernel Patch Protection (PatchGuard) is enabled on Windows systems.
Leverage SELinux or AppArmor on Linux to enforce kernel-level security policies.

Tools for Implementation

Protected Process Light (PPL):

RunAsPPL (Windows)
Windows Defender Credential Guard

Code Integrity and Signing:

Windows Defender Application Control (WDAC)
AppLocker
SELinux/AppArmor (Linux)

Memory Protection:

Control Flow Guard (CFG), Data Execution Prevention (DEP), ASLR

Process Isolation/Sandboxing:

Firejail (Linux Sandbox)
Windows Sandbox
QEMU/KVM-based isolation

Kernel Protection:

PatchGuard (Windows Kernel Patch Protection)
SELinux (Mandatory Access Control for Linux)
AppArmor

Item	Value
ID	M1025
Version	1.2
Created	06 June 2019
Last Modified	18 December 2024
Navigation Layer	View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain	ID	Name	Use
enterprise	T1547	Boot or Logon Autostart Execution	-
enterprise	T1547.002	Authentication Package	Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`, which requires all DLLs loaded by LSA to be signed by Microsoft. ² ³
enterprise	T1547.005	Security Support Provider	Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`, which requires all SSP DLLs to be signed by Microsoft. ² ³
enterprise	T1547.008	LSASS Driver	On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL` to `dword:00000001`. ¹ LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.
enterprise	T1556	Modify Authentication Process	Enabled features, such as Protected Process Light (PPL), for LSA.⁴
enterprise	T1556.001	Domain Controller Authentication	Enabled features, such as Protected Process Light (PPL), for LSA.⁴
enterprise	T1003	OS Credential Dumping
On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.⁴
enterprise	T1003.001	LSASS Memory	On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.⁴

M1025 Privileged Process Integrity

Techniques Addressed by Mitigation

References