Privileged Process Integrity

Privileged Process Integrity focuses on defending highly privileged processes (e.g., system services, antivirus, or authentication processes) from tampering, injection, or compromise by adversaries. These processes often interact with critical components, making them prime targets for techniques like code injection, privilege escalation, and process manipulation. This mitigation can be implemented through the following measures:

Protected Process Mechanisms:

Enable RunAsPPL on Windows systems to protect LSASS and other critical processes.
Use registry modifications to enforce protected process settings: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL

Anti-Injection and Memory Protection:

Enable Control Flow Guard (CFG), DEP, and ASLR to protect against process memory tampering.
Deploy endpoint protection tools that actively block process injection attempts.

Code Signing Validation:

Implement policies for Windows Defender Application Control (WDAC) or AppLocker to enforce execution of signed binaries.
Ensure critical processes are signed with valid certificates.

Access Controls:

Use DACLs and MIC to limit which users and processes can interact with privileged processes.
Disable unnecessary debugging capabilities for high-privileged processes.

Kernel-Level Protections:

Ensure Kernel Patch Protection (PatchGuard) is enabled on Windows systems.
Leverage SELinux or AppArmor on Linux to enforce kernel-level security policies.

Tools for Implementation

Protected Process Light (PPL):

RunAsPPL (Windows)
Windows Defender Credential Guard

Code Integrity and Signing:

Windows Defender Application Control (WDAC)
AppLocker
SELinux/AppArmor (Linux)

Memory Protection:

Control Flow Guard (CFG), Data Execution Prevention (DEP), ASLR

Process Isolation/Sandboxing:

Firejail (Linux Sandbox)
Windows Sandbox
QEMU/KVM-based isolation

Kernel Protection:

PatchGuard (Windows Kernel Patch Protection)
SELinux (Mandatory Access Control for Linux)
AppArmor

ID: M1025

Version: 1.2

Created: 06 June 2019

Last Modified: 18 December 2024

Version Permalink

Live Version

Techniques Addressed by Mitigation

Domain	ID		Name	Use
Enterprise	T1547	.002	Boot or Logon Autostart Execution: Authentication Package	Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`, which requires all DLLs loaded by LSA to be signed by Microsoft. ^[1] ^[2]
		.005	Boot or Logon Autostart Execution: Security Support Provider	Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`, which requires all SSP DLLs to be signed by Microsoft. ^[1] ^[2]
		.008	Boot or Logon Autostart Execution: LSASS Driver	On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL` to `dword:00000001`. ^[3] LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.
Enterprise	T1556		Modify Authentication Process	Enabled features, such as Protected Process Light (PPL), for LSA.^[4]
		.001	Domain Controller Authentication	Enabled features, such as Protected Process Light (PPL), for LSA.^[4]
Enterprise	T1003		OS Credential Dumping	On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.^[4]
		.001	LSASS Memory	On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.^[4]

Privileged Process Integrity

Enterprise Layer

Techniques Addressed by Mitigation

References