Passing The Hash Protection, RunAsPPL, and breaking Windows 10

In order to improve our desktop security, I tested the “Run As Protected Process Light” functionality for LSA included in Windows 8.1.

Current attacker tools, such as WCE, gsecdump, and Mimikatz, retrieve credentials from LSASS’s memory via injecting themselves into the process or simply reading a process’s memory. Windows 8.1 introduces a new security feature that allows the user to mark LSASS as a protected process. Protected processes enforce greater access control and limit the available interactions non-protected processes can have with a protected process. For example, process injection becomes much harder because only code signed by Microsoft can execute inside of a protected process. Also, protected processes disallow any non-protected process from reading its memory (even if the user is running as an administrator or system). This breaks current attacker tools.
National Security Agency: Reducing the Effectiveness of Pass-The-Hash

“This breaks current attacker tools.”

It also broke our Windows 10 desktops. Even though I enabled Lsass.exe auditing to see if we had any programs which were going to cause us issues, Microsoft’s sspisrv.dll was not flagged.

Enable RunAsPPL on Windows 10, Reboot Windows 10, Watch Windows 10 go into Recovery Mode.
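The staged rollout the post is describing (audit first, enforce later) can be scripted so the audit window is actually reviewed before the RunAsPPL value is written. The following PowerShell is an added example written for this page, not code from the post or from Microsoft; the registry paths, value names and event IDs are the ones documented in Microsoft’s “Configuring Additional LSA Protection” article, while the function names and the seven-day review window are this example’s own choices. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): stage LSA protection in audit mode,
# review the Code Integrity log for components that would fail under protection,
# and only then turn on RunAsPPL. Paths/values/event IDs per Microsoft's
# "Configuring Additional LSA Protection"; function names are this example's own.

$ifeoLsass = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ciLog     = 'Microsoft-Windows-CodeIntegrity/Operational'

function Enable-LsaProtectionAudit {
    # AuditLevel = 8 makes LSASS log (rather than block) plug-ins and drivers
    # that would not load as a protected process. Takes effect after a reboot.
    if (-not (Test-Path $ifeoLsass)) { New-Item -Path $ifeoLsass -Force | Out-Null }
    Set-ItemProperty -Path $ifeoLsass -Name 'AuditLevel' -Type DWord -Value 8
}

function Get-LsaProtectionAuditFindings {
    param([int]$Days = 7)   # review window is an assumption of this example
    # 3065: LSASS loaded an image that did not meet the Shared Sections
    #       requirements for protected processes (allowed because of audit mode).
    # 3066: LSASS loaded an image that did not meet the Microsoft signing level
    #       requirements (allowed because of audit mode).
    $filter = @{
        LogName   = $ciLog
        Id        = 3065, 3066
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Enable-RunAsPPL {
    # Enforcement. Only call this once the audit window has come back clean
    # on a machine you can afford to recover.
    Set-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -Type DWord -Value 1
}

function Test-LsassIsProtected {
    # After a reboot with RunAsPPL = 1, Wininit writes System event ID 12:
    # "LSASS.exe was started as a protected process with level: 4".
    # Kernel-General also uses ID 12, so match on the message text as well.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } `
                           -MaxEvents 50 -ErrorAction SilentlyContinue
    return [bool]($events | Where-Object { $_.Message -match 'protected process' })
}

# --- Suggested order of operations (each step separated by a reboot) ---
# 1. Enable-LsaProtectionAudit            ; reboot, run the normal workload
# 2. Get-LsaProtectionAuditFindings -Days 7   ; expect no 3065/3066 events
# 3. Enable-RunAsPPL                      ; reboot
# 4. Test-LsassIsProtected                ; expect $true
```

The post itself shows the limit of step 2: the audit log stayed quiet about sspisrv.dll and the Windows 10 machines still dropped into recovery, so treat a clean audit as necessary rather than sufficient and run step 3 first on a disposable VM with a snapshot. If a machine does fail to boot, the RunAsPPL value can be deleted from the offline SYSTEM hive (loaded with reg.exe from the recovery environment) to get it back.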

Thanks Microsoft.

References:
New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks
Configuring Additional LSA Protection
Security Support Provider Interface Architecture