In order to improve our desktop security, I tested the “Run As Protected Process Light” functionality for LSA included in Windows 8.1.
Current attacker tools, such as WCE, gsecdump, and Mimikatz, retrieve credentials from LSASS’s memory via injecting themselves into the process or simply reading a process’s memory. Windows 8.1 introduces a new security feature that allows the user to mark LSASS as a protected process. Protected processes enforce greater access control and limit the available interactions non-protected processes can have with a protected process. For example, process injection becomes much harder because only code signed by Microsoft can execute inside of a protected process. Also, protected processes disallow any non-protected process from reading its memory (even if the user is running as an administrator or system). This breaks current attacker tools.
– National Security Agency: Reducing the Effectiveness of Pass-The-Hash
“This breaks current attacker tools.”
It also broke our Windows 10 desktops. Even though I enabled Lsass.exe auditing to see if we had any programs which were going to cause us issues, Microsoft’s sspisrv.dll was not flagged.
Enable RunAsPPL on Windows 10, Reboot Windows 10, Watch Windows 10 go into Recovery Mode.
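The staged procedure a defender would run before flipping RunAsPPL fleet-wide, as an added example (not the post author's script). The registry paths, the AuditLevel value of 8, the CodeIntegrity events 3065/3066 and the Wininit event 12 are taken from Microsoft's "Configuring Additional LSA Protection" documentation; the test-machine-first workflow is an assumption drawn from the post's own outcome.

```powershell
# Added example, not from the original post. Run elevated on ONE test machine first.
# Step 1: enable LSA plug-in audit mode (logging only, no enforcement).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
New-Item -Path $ifeo -Force | Out-Null
Set-ItemProperty -Path $ifeo -Name 'AuditLevel' -Type DWord -Value 8

# Step 2: after a reboot and a period of normal use, review what audit mode recorded.
# Event 3065: a plug-in or driver failed the protected-process signature check.
# Event 3066: a plug-in or driver failed the code-signing level check.
$suspect = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3065, 3066
} -ErrorAction SilentlyContinue

if ($suspect) {
    $suspect | Select-Object TimeCreated, Id, Message | Format-List
    Write-Warning 'Audit mode flagged LSA plug-ins; resolve these before enforcing RunAsPPL.'
    return
}

# Step 3: nothing flagged. The post shows audit mode can still miss a component
# (sspisrv.dll), so enforce on this test machine only and keep a rollback plan.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'RunAsPPL' -Type DWord -Value 1
Write-Host 'RunAsPPL set. Reboot, then run the Step 4 check.'

# Step 4 (after reboot): confirm LSASS actually started protected.
# Wininit logs event 12 in the System log: "LSASS.exe was started as a protected process".
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 12
} -MaxEvents 1 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Two caveats worth planning for before the first reboot: on a Secure Boot system Microsoft documents that the RunAsPPL setting is also stored in a UEFI variable, so deleting the registry value alone does not undo it (Microsoft ships an opt-out tool for that case); and, as this post demonstrates, an empty audit log is necessary but not sufficient evidence that enforcement will boot cleanly.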