Privileged Process Integrity

Protect processes with high privileges that can be used to interact with critical system components through the use of Protected Process Light (PPL), anti-process injection defenses, or other process integrity enforcement measures.

ID: M1025
Version: 1.0
Created: 06 June 2019
Last Modified: 06 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1131 Authentication Package

On Windows 8.1, Windows Server 2012 R2, and later versions, LSA can be made to run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all DLLs loaded by LSA to be signed by Microsoft.

Enterprise T1003 Credential Dumping

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.[1]

Enterprise T1101 Security Support Provider

On Windows 8.1, Windows Server 2012 R2, and later versions, LSA can be made to run as a Protected Process Light (PPL) by setting the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, which requires all SSP DLLs to be signed by Microsoft.
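
An audit check for the RunAsPPL setting described in the rows above, as an added example that is not part of the ATT&CK entry. The function name Get-LsaPplStatus is hypothetical; the DWORD value 1 and Wininit event ID 12 are assumptions taken from Microsoft's LSA protection documentation, not from this page.

```powershell
# Added example: report whether LSA protection is configured and whether
# LSASS actually started as a protected process on the current boot.
function Get-LsaPplStatus {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem

    # PPL for LSA exists from Windows 8.1 / Server 2012 R2 (NT 6.3) onward.
    $supported = [version]$os.Version -ge [version]'6.3'

    # Configured state: $null when the RunAsPPL value has never been set.
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL `
                    -ErrorAction SilentlyContinue).RunAsPPL

    # Effective state: the setting applies only after a reboot. Assumption:
    # Wininit writes event 12 to the System log when LSASS starts protected.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OsVersion          = $os.Version
        PplSupported       = $supported
        RunAsPPL           = $runAsPpl
        Configured         = ($null -ne $runAsPpl -and $runAsPpl -ne 0)
        LastBoot           = $os.LastBootUpTime
        LastProtectedStart = $evt.TimeCreated
        # True only if the most recent protected start belongs to this boot.
        ProtectedThisBoot  = ($null -ne $evt -and $evt.TimeCreated -ge $os.LastBootUpTime)
    }
}

Get-LsaPplStatus | Format-List

# To enable (elevated prompt, then reboot). Value 1 is the assumed
# "enabled" setting; test third-party LSA plug-ins first, since
# DLLs that do not meet the signing requirement will no longer load.
# New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
#     -Name RunAsPPL -PropertyType DWord -Value 1 -Force
```

A host where Configured is true but ProtectedThisBoot is false has the Registry setting in place without the protection being in effect, typically because it has not rebooted since the change.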

References