<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ppl - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ppl/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ppl/feed.xml" rel="self" type="application/rss+xml"/><item><title>LSASS Protection Policy Disabled via Registry Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-lsass-ppl-disabled/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-lsass-ppl-disabled/</guid><description>Attackers may disable Protected Process Light (PPL) protection for the LSASS process by modifying specific registry keys, allowing for credential dumping and other malicious activities.</description><content:encoded><![CDATA[<p>Attackers frequently target the LSASS process to extract credentials and other sensitive information. Windows implements Protected Process Light (PPL) as a defense mechanism to prevent unauthorized access to LSASS. This attack involves modifying specific registry keys to disable this protection, potentially occurring post-exploitation. Once PPL is disabled, attackers can more easily dump credentials, inject malicious code, and perform other actions to escalate their privileges and move laterally within the compromised environment. Disabling LSASS protection is a common step in many credential harvesting attack chains.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).</li>
<li>The attacker escalates privileges to an administrator or SYSTEM level, often leveraging known exploits or misconfigurations.</li>
<li>The attacker modifies the registry key <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ProtectionMode</code> to a value of <code>0</code>, effectively disabling LSASS PPL. This is often done using tools like <code>reg.exe</code> or PowerShell.</li>
<li>The attacker uses credential dumping tools like <code>Mimikatz</code> or custom scripts to extract credentials from the LSASS process memory.</li>
<li>The attacker uses the stolen credentials to gain access to other systems or resources within the network (lateral movement).</li>
<li>The attacker performs reconnaissance to identify high-value targets and data.</li>
<li>The attacker exfiltrates sensitive data or deploys ransomware to achieve their final objective.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling LSASS PPL can lead to widespread credential compromise, allowing attackers to gain access to sensitive data and systems within the organization. This can result in significant financial loss, reputational damage, and disruption of business operations. Successful credential dumping can expose domain administrator accounts, effectively giving the attacker complete control over the network. Depending on the scope of access achieved with the compromised credentials, the impact could range from targeted data theft to full-scale ransomware deployment across the network.</p>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>defense-evasion</category><category>lsass</category><category>ppl</category><category>registry</category></item><item><title>Windows Defender Evasion via Protected Process Light (PPL) Manipulation</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-ppl-defender-evasion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-ppl-defender-evasion/</guid><description>An attacker can potentially evade Windows Defender by manipulating Protected Process Light (PPL) attributes, allowing malicious processes to operate with elevated privileges and avoid security scans.</description><content:encoded><![CDATA[<p>The technique described involves manipulating the Protected Process Light (PPL) mechanism in Windows to evade Windows Defender. PPL is a security feature designed to protect critical system processes. However, by manipulating PPL attributes, an attacker can potentially elevate the privileges of a malicious process, allowing it to bypass security checks and operate undetected. This can lead to arbitrary code execution and system compromise. The reported research, published on Medium, demonstrates a proof-of-concept of this evasion technique, highlighting the potential vulnerability in Windows security architecture and the need for enhanced detection and mitigation strategies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).</li>
<li>Attacker elevates privileges to SeDebugPrivilege to allow manipulation of protected processes.</li>
<li>Attacker identifies a target process to inject into (e.g., a legitimate, signed process with a PPL level).</li>
<li>Attacker modifies the PPL attributes of the target process to a less protected level or disables PPL altogether. This may involve direct memory manipulation or other techniques to bypass security checks.</li>
<li>Attacker injects malicious code into the now-vulnerable process. This injected code inherits the process's (modified) PPL attributes.</li>
<li>The injected code executes, bypassing Windows Defender scans due to the manipulated PPL, and performs malicious activities like downloading additional payloads or exfiltrating data.</li>
<li>The attacker establishes persistence through the compromised process or other means.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to execute arbitrary code with elevated privileges, effectively bypassing Windows Defender. This can lead to complete system compromise, data theft, or deployment of ransomware. While the number of victims and targeted sectors are unknown, the potential impact is significant given the widespread use of Windows Defender in enterprise environments. Successful evasion allows malware to operate undetected, causing significant damage before discovery.</p>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ppl</category><category>windows-defender</category><category>evasion</category></item></channel></rss>