LSASS Protection Policy Disabled via Registry Modification
Attackers may disable Protected Process Light (PPL) protection for the LSASS process by modifying specific registry keys, allowing for credential dumping and other malicious activities.
Attackers frequently target the LSASS process to extract credentials and other sensitive information. Windows implements Protected Process Light (PPL) as a defense mechanism to prevent unauthorized access to LSASS. This attack involves modifying specific registry keys to disable this protection, potentially occurring post-exploitation. Once PPL is disabled, attackers can more easily dump credentials, inject malicious code, and perform other actions to escalate their privileges and move laterally within the compromised environment. Disabling LSASS protection is a common step in many credential harvesting attack chains.
Attack Chain
- The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
- The attacker escalates privileges to an administrator or SYSTEM level, often leveraging known exploits or misconfigurations.
- The attacker modifies the registry key
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ProtectionModeto a value of0, effectively disabling LSASS PPL. This is often done using tools likereg.exeor PowerShell. - The attacker uses credential dumping tools like
Mimikatzor custom scripts to extract credentials from the LSASS process memory. - The attacker uses the stolen credentials to gain access to other systems or resources within the network (lateral movement).
- The attacker performs reconnaissance to identify high-value targets and data.
- The attacker exfiltrates sensitive data or deploys ransomware to achieve their final objective.
Impact
Disabling LSASS PPL can lead to widespread credential compromise, allowing attackers to gain access to sensitive data and systems within the organization. This can result in significant financial loss, reputational damage, and disruption of business operations. Successful credential dumping can expose domain administrator accounts, effectively giving the attacker complete control over the network. Depending on the scope of access achieved with the compromised credentials, the impact could range from targeted data theft to full-scale ransomware deployment across the network.
Detection coverage 2
LSASS PPL Disabled via Registry Modification
highDetects modification of the ProtectionMode registry key to disable LSASS PPL.
Process creating registry key to disable LSASS PPL
mediumDetects a process creating the registry key related to disable LSASS PPL. Useful to detect if the key did not exist prior to the attack
Detection queries are available on the platform. Get full rules →