A knowledge base article about ISO security alert for RunAsPPL registry entry on Server 2025 provided by the UC Berkeley IT Service Hub - Knowledge Portal
While this is not specific to the bIT VMware environment, we thought it could be useful for self-managed users and the campus in general.
We noticed that Server 2025 can automatically disable LSA protection. We observed that it can take up to one week after the operating system is installed before the registry entry shown below appears and disables RunAsPPL. This may lead to campus security sending an alert similar to the one below if you have Trellix installed.
LSA PROTECTION DISABLE (METHODOLOGY)
Source: mandiant
The RunAsPPL registry key can be used to establish LSA protection i.e. prevent
dumping of LSASS process. This IOC detects disabling of LSA protection via this
registry key. This is associated with MITRE ATT&CK (r) Tactic(s): Defense
Evasion, Defense Evasion and Technique(s): T1112, T1003.001.
Alerted 28 minutes ago
regKeyEvent/timestamp 2024-12-23 22:33:19Z
regKeyEvent/hive HKEY_LOCAL_MACHINE\SYSTEM
regKeyEvent/keyPath CurrentControlSet\Control\Lsa
regKeyEvent/path HKEY_LOCAL_MACHINE\SYSTEM\Curr
regKeyEvent/eventType 1
regKeyEvent/pid 6504
regKeyEvent/process SecurityHealthService.exe
regKeyEvent/processPath C:\Windows\System32
regKeyEvent/valueName RunAsPPL
regKeyEvent/valueType REG_DWORD
regKeyEvent/value AAAAAA==
regKeyEvent/text ....
regKeyEvent/username NT AUTHORITY\SYSTEM
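The following PowerShell is an added example and is not part of the UC Berkeley article or of Trellix. It parses the regKeyEvent fields of an alert like the one above (the value field AAAAAA== is a base64-encoded REG_DWORD and decodes to 0, i.e. RunAsPPL written as 0), then checks the host both ways: what the registry says, and whether LSASS actually started as a protected process at the last boot (Wininit logs event ID 12 in the System log when it did). It assumes an elevated PowerShell session on the server being checked; the sample alert text is constructed from the fields shown above, and the function names are this example's own.

```powershell
# Added example, not from the UC Berkeley article. Assumes it runs in an
# elevated PowerShell session on the server being checked.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Constructed sample: the field lines from the alert above, as Trellix showed them.
$SampleAlert = @'
regKeyEvent/hive HKEY_LOCAL_MACHINE\SYSTEM
regKeyEvent/keyPath CurrentControlSet\Control\Lsa
regKeyEvent/process SecurityHealthService.exe
regKeyEvent/valueName RunAsPPL
regKeyEvent/valueType REG_DWORD
regKeyEvent/value AAAAAA==
'@

function ConvertFrom-RegDwordBase64 {
    # The alert carries the written data base64-encoded; turn it back into the
    # little-endian DWORD so "AAAAAA==" reads as 0.
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    if ($bytes.Length -ne 4) { throw "Expected 4 bytes for a REG_DWORD, got $($bytes.Length)" }
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-RunAsPplDisableAlert {
    # Parse "regKeyEvent/<field> <value>" lines and decide whether they describe
    # RunAsPPL under the Lsa key being written to 0 (protection turned off).
    param([Parameter(Mandatory)][string]$AlertText)
    $fields = @{}
    foreach ($line in $AlertText -split "`r?`n") {
        if ($line -match '^regKeyEvent/(\S+)\s+(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    $isLsaKey = ($fields['hive'] -eq 'HKEY_LOCAL_MACHINE\SYSTEM') -and ($fields['keyPath'] -like '*\Control\Lsa')
    $isRunAsPpl = ($fields['valueName'] -eq 'RunAsPPL') -and ($fields['valueType'] -eq 'REG_DWORD')
    $written = if ($isRunAsPpl) { ConvertFrom-RegDwordBase64 $fields['value'] } else { $null }
    [pscustomobject]@{
        Process      = $fields['process']
        WrittenValue = $written
        Disabled     = [bool]($isLsaKey -and $isRunAsPpl -and ($written -eq 0))
    }
}

function Get-LsaProtectionState {
    # Compare what the registry says with what actually happened at boot:
    # Wininit logs event ID 12 in the System log when LSASS started protected.
    $value = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $bootEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12; StartTime = $lastBoot } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' -and $_.Message -match 'protected process' } |
        Select-Object -First 1
    $display = if ($null -eq $value) { 'absent' } else { $value }
    [pscustomobject]@{
        RunAsPPL          = $display
        ConfiguredEnabled = (($null -ne $value) -and ($value -ne 0))
        RunningProtected  = ($null -ne $bootEvent)
        LastBoot          = $lastBoot
    }
}

function Enable-LsaProtection {
    # Value 1 is the documented "enabled" setting (see the Microsoft page linked
    # below). A reboot is required before LSASS runs protected; changing the
    # registry alone does not change the already-running process.
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
    Write-Warning 'RunAsPPL set to 1; LSA protection takes effect after the next reboot.'
}

# Usage: decode the alert, then check this host and re-enable if the value was cleared.
Test-RunAsPplDisableAlert -AlertText $SampleAlert | Format-List
$state = Get-LsaProtectionState
$state | Format-List
if (-not $state.ConfiguredEnabled) { Enable-LsaProtection }
```

Two points worth keeping in mind when reading the output: RunAsPPL = 1 with RunningProtected = False means the setting was applied but the server has not been rebooted since, and a one-off Set-ItemProperty is exactly the kind of change the alert above shows being undone, which is why applying the value through Group Policy (re-applied at every policy refresh) is the more durable fix.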
We had success working around the issue by creating a group policy that enables RunAsPPL. Details can be found at
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection