Elastic Defend - Credential Harderning

What does the "Credential hardening"-setting in Elastic Defend-integration do for Windows-endpoints when active?

Does it simply set the RunasPPL registry key?

We have thirdparty components involved in authentication and there is no Detect/Prevent-toggle for this one like on Ransomware/Malware etc.

Hi @slash24 - great question.

Credential Hardening filters handles granted to LSASS, stripping out abusable rights such as PROCESS_VM_READ. It provides protection that partially overlaps with RunAsPPL, with some key differences.

Unlike RunAsPPL, Credential Hardening protects LSASS against handle abuse even by higher-privileged processes. This stops attacks that bypass RunAsPPL by injecting code into higher-privileged PPL, such as PPLFault.

Unlike Credential Hardening, RunAsPPL ensures LSASS can only load DLLs signed by Microsoft, blocking SSP and Authentication Package DLL injection. Defend has behavioral rules to detect and stop these types of attacks, but the approach is different than RunAsPPL. Some environments require custom authentication package DLLs and are thus incompatible with RunAsPPL.

We recommend enabling both Credential Hardening and RunAsPPL together wherever possible. For RunAsPPL, enable the UEFI lock if your environment supports it.

2 Likes