How to outwit attackers using two Windows registry settings

These Microsoft Windows registry settings will prevent attackers from scheduling tasks that will hide their activities or gain unauthorized access.

Windows security and protection [Windows logo/locks]
Thinkstock / Microsoft

Attackers often use tasks as a means to hide their tracks. They might also use the ability to run tasks with different user rights to gain more access. Earlier, I recommended that you set up auditing to track tasks being set. Now I recommend you harden a setting on your workstations to prevent task scheduling in the first place.

Below are the Microsoft Defender Advanced Threat Protection (ATP) recommended actions:

bradley outwit 1 Susan Bradley

Windows Defender ATP recommendations

The “Domain controller: Allow server operators to schedule tasks” setting determines whether scheduled tasks are forced to run under the context of the authenticated account instead of allowing them to run as SYSTEM. Disabling this setting affects only the ability to schedule jobs using the AT command and does not affect tasks set using Task Scheduler.

 As noted by blogger Randy Franklin Smith, “Unlike Scheduled Tasks which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs, which is SYSTEM by default. Non-administrators who can schedule AT commands thus have a means to elevate their privileges. This policy controls whether members of the local Server Operators group can schedule AT jobs. If disabled, only administrators can.”

So, if you haven’t done so already, I recommend setting the following value using registry. Set the following registry value to 0:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl

The SubmitControl key was not on my machine, so you might need to add it. To do so, go to the Registry Hive: HKEY_LOCAL_MACHINE, then to the registry path: \System\CurrentControlSet\Control\LSA\. Add the value name "SubmitControl" as a REG_DWORD of 0.

If you need to set this via Group Policy, go to “Computer Configuration” > “[Policies]” > “Windows Settings” > “Security Settings” > “Local Policies”. Under Security Options, set “Domain Controller: Allow server operators to schedule tasks” to disabled.

bradley outwit 2 Susan Bradley

Setting the value in Group Policy

Using tasks to hide an adversarial activity is a common tool. As noted on the Mitre ATT&CK site, “An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain system privileges, or to run a process under the context of a specified account.”

Persistent threat actors often use task scheduling to target vertical industries. Phishing emails are used to enter the systems and then set the task to be run at a later date. Setting this value ensures that attackers have one less methodology to set a task in your systems.

Enable LSA protection

Another recommended setting is to Enable LSA (Local Security Authority) protection. This protects against pass the pass-the-hash or Mimikatz-style attacks.

bradley outwit 3 Susan Bradley

Enable LSA protection

This requires a registry key to be set:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL

Set the following to a value of 1. First, press the Windows key to go to the Start screen and enter “regedit”. Right-click regedit in the search results and click “Run as administrator” at the bottom of the screen.

In the left pane of Registry Editor, expand HKEY_LOCAL MACHINE > SYSTEM > CurrentControlSet > Control > Lsa. In the right pane, right-click an area of empty space and select “New > DWORD (32-bit) Value” from the menu.

In the new value box, type “RunAsPPL” and press enter. Now double-click the new RunAsPPL value. In the Value data box, type “1” and press “OK”.

Close Registry Editor and restart the computer. Reboot the computer to have it take effect.

bradley outwit 4 Susan Bradley

Enter the value in the Windows registry

Attackers often target this process to harvest credentials using such tools as Mimikatz and perform pass-the-hash attacks. If you have plug-ins in your environment, you may need to set the value to “audit” before you fully enable it to test for the impact in your network.

As Mitre noted:

“On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to dword:00000001. LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance. On Windows 10 and Server 2016, enable Windows Defender Credential Guard to run lsass.exe in an isolated virtualized environment without any device drivers. Ensure safe DLL search mode is enabled HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode to mitigate risk that lsass.exe loads a malicious code library.”

Take the time to investigate if you have protected yourself against Mimikatz and pass-the-hash techniques by reviewing these settings.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!