Skip to content
Threat Feed
high advisory

LSASS Protection Policy Disabled via Registry Modification

Attackers may disable Protected Process Light (PPL) protection for the LSASS process by modifying specific registry keys, allowing for credential dumping and other malicious activities.

Attackers frequently target the LSASS process to extract credentials and other sensitive information. Windows implements Protected Process Light (PPL) as a defense mechanism to prevent unauthorized access to LSASS. This attack involves modifying specific registry keys to disable this protection, potentially occurring post-exploitation. Once PPL is disabled, attackers can more easily dump credentials, inject malicious code, and perform other actions to escalate their privileges and move laterally within the compromised environment. Disabling LSASS protection is a common step in many credential harvesting attack chains.

Attack Chain

  1. The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
  2. The attacker escalates privileges to an administrator or SYSTEM level, often leveraging known exploits or misconfigurations.
  3. The attacker modifies the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ProtectionMode to a value of 0, effectively disabling LSASS PPL. This is often done using tools like reg.exe or PowerShell.
  4. The attacker uses credential dumping tools like Mimikatz or custom scripts to extract credentials from the LSASS process memory.
  5. The attacker uses the stolen credentials to gain access to other systems or resources within the network (lateral movement).
  6. The attacker performs reconnaissance to identify high-value targets and data.
  7. The attacker exfiltrates sensitive data or deploys ransomware to achieve their final objective.

Impact

Disabling LSASS PPL can lead to widespread credential compromise, allowing attackers to gain access to sensitive data and systems within the organization. This can result in significant financial loss, reputational damage, and disruption of business operations. Successful credential dumping can expose domain administrator accounts, effectively giving the attacker complete control over the network. Depending on the scope of access achieved with the compromised credentials, the impact could range from targeted data theft to full-scale ransomware deployment across the network.

Detection coverage 2

LSASS PPL Disabled via Registry Modification

high

Detects modification of the ProtectionMode registry key to disable LSASS PPL.

sigma tactics: credential_access, defense_evasion techniques: T1003.001, T1562.001 sources: registry_set, windows

Process creating registry key to disable LSASS PPL

medium

Detects a process creating the registry key related to disable LSASS PPL. Useful to detect if the key did not exist prior to the attack

sigma tactics: credential_access, defense_evasion techniques: T1003.001, T1562.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →