Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/RedCursorSecurityConsulting/PPLKiller
Tool to bypass LSA Protection (aka Protected Process Light)
Last synced: 22 days ago
- Host: GitHub
- URL: https://github.com/RedCursorSecurityConsulting/PPLKiller
- Owner: RedCursorSecurityConsulting
- Created: 2020-07-06T10:11:49.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2022-12-04T23:38:31.000Z (about 2 years ago)
- Last Synced: 2024-11-01T07:02:41.274Z (about 1 month ago)
- Language: C++
- Homepage:
- Size: 43 KB
- Stars: 888
- Watchers: 22
- Forks: 135
- Open Issues: 7
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - RedCursorSecurityConsulting/PPLKiller - Tool to bypass LSA Protection (aka Protected Process Light) (C++)
README
# PPLKiller
Tool to bypass LSA Protection (aka Protected Process Light)

I've noticed there is a common misconception that LSA Protection prevents attacks that leverage SeDebug or Administrative privileges to extract credential material from memory, like Mimikatz. LSA Protection does NOT protect from these attacks; at best it makes them slightly more difficult, as an extra step needs to be performed.

Check out the other tools like PPLKiller:

- https://github.com/itm4n/PPLcontrol (it uses runtime offsets, which is a huge improvement since I don't have time to keep PPLKiller updated)
- https://github.com/wavestone-cdt/EDRSandblast (same concept but has more features)
- https://github.com/itm4n/PPLdump (this does the same thing without using a driver, but is now patched in the latest version of Windows)

# Usage and Demo
1. Open PPLKiller.sln with Visual Studio 2019 and build a Release binary which will be saved in PPLKiller\x64\Release\PPLKiller.exe
2. You'll always want to run `PPLKiller.exe /installDriver` first to install the driver
3. Run an attack like `PPLKiller.exe /disableLSAProtection`
4. Clean up with `PPLKiller.exe /uninstallDriver`

# Video Usage

[![Bypassing LSA Protection](http://img.youtube.com/vi/w2_KqnhgN94/0.jpg)](http://www.youtube.com/watch?v=w2_KqnhgN94 "Bypassing LSA Protection")

# Mitigations
- Use Credential Guard, which uses virtualization-based security. This would prevent PPLKiller and PPLdump.
- Use a Microsoft Defender Application Control kernel-mode code integrity policy to restrict which drivers can be loaded. The tool [PPLdump](https://github.com/itm4n/PPLdump), which can disable LSA Protection without loading a driver, could still be used.