Privileged Process Integrity
Techniques Addressed by Mitigation |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1547 | T1547.002 | Boot or Logon Autostart Execution: Authentication Package |
Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key |
T1547.005 | Security Support Provider |
Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key |
||
T1547.008 | LSASS Driver |
On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key |
||
Enterprise | T1556 | Modify Authentication Process |
Enabled features, such as Protected Process Light (PPL), for LSA.(Citation: Microsoft LSA) |
|
T1556.001 | Domain Controller Authentication |
Enabled features, such as Protected Process Light (PPL), for LSA.(Citation: Microsoft LSA) |
||
Enterprise | T1003 | OS Credential Dumping |
On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.(Citation: Microsoft LSA) |
|
T1003.001 | LSASS Memory |
On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.(Citation: Microsoft LSA) |
References
- Microsoft. (2014, March 12). Configuring Additional LSA Protection. Retrieved November 27, 2017.
- Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.
- Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved June 24, 2015.
- Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.