{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ppl/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","defense-evasion","lsass","ppl","registry"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently target the LSASS process to extract credentials and other sensitive information. Windows implements Protected Process Light (PPL) as a defense mechanism to prevent unauthorized access to LSASS. This attack involves modifying specific registry keys to disable this protection, potentially occurring post-exploitation. Once PPL is disabled, attackers can more easily dump credentials, inject malicious code, and perform other actions to escalate their privileges and move laterally within the compromised environment. Disabling LSASS protection is a common step in many credential harvesting attack chains.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to an administrator or SYSTEM level, often leveraging known exploits or misconfigurations.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ProtectionMode\u003c/code\u003e to a value of \u003ccode\u003e0\u003c/code\u003e, effectively disabling LSASS PPL. This is often done using tools like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential dumping tools like \u003ccode\u003eMimikatz\u003c/code\u003e or custom scripts to extract credentials from the LSASS process memory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain access to other systems or resources within the network (lateral movement).\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify high-value targets and data.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware to achieve their final objective.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling LSASS PPL can lead to widespread credential compromise, allowing attackers to gain access to sensitive data and systems within the organization. This can result in significant financial loss, reputational damage, and disruption of business operations. Successful credential dumping can expose domain administrator accounts, effectively giving the attacker complete control over the network. Depending on the scope of access achieved with the compromised credentials, the impact could range from targeted data theft to full-scale ransomware deployment across the network.\u003c/p\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-lsass-ppl-disabled/","summary":"Attackers may disable Protected Process Light (PPL) protection for the LSASS process by modifying specific registry keys, allowing for credential dumping and other malicious activities.","title":"LSASS Protection Policy Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-09-lsass-ppl-disabled/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows","Windows Defender"],"_cs_severities":["high"],"_cs_tags":["ppl","windows-defender","evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe technique described involves manipulating the Protected Process Light (PPL) mechanism in Windows to evade Windows Defender. PPL is a security feature designed to protect critical system processes. However, by manipulating PPL attributes, an attacker can potentially elevate the privileges of a malicious process, allowing it to bypass security checks and operate undetected. This can lead to arbitrary code execution and system compromise. The reported research, published on Medium, demonstrates a proof-of-concept of this evasion technique, highlighting the potential vulnerability in Windows security architecture and the need for enhanced detection and mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker elevates privileges to SeDebugPrivilege to allow manipulation of protected processes.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a target process to inject into (e.g., a legitimate, signed process with a PPL level).\u003c/li\u003e\n\u003cli\u003eAttacker modifies the PPL attributes of the target process to a less protected level or disables PPL altogether. This may involve direct memory manipulation or other techniques to bypass security checks.\u003c/li\u003e\n\u003cli\u003eAttacker injects malicious code into the now-vulnerable process. This injected code inherits the process's (modified) PPL attributes.\u003c/li\u003e\n\u003cli\u003eThe injected code executes, bypassing Windows Defender scans due to the manipulated PPL, and performs malicious activities like downloading additional payloads or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through the compromised process or other means.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code with elevated privileges, effectively bypassing Windows Defender. This can lead to complete system compromise, data theft, or deployment of ransomware. While the number of victims and targeted sectors are unknown, the potential impact is significant given the widespread use of Windows Defender in enterprise environments. Successful evasion allows malware to operate undetected, causing significant damage before discovery.\u003c/p\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-ppl-defender-evasion/","summary":"An attacker can potentially evade Windows Defender by manipulating Protected Process Light (PPL) attributes, allowing malicious processes to operate with elevated privileges and avoid security scans.","title":"Windows Defender Evasion via Protected Process Light (PPL) Manipulation","url":"https://feed.craftedsignal.io/briefs/2024-01-03-ppl-defender-evasion/"}],"language":"en","title":"CraftedSignal Threat Feed - Ppl","version":"https://jsonfeed.org/version/1.1"}