Being an offensive security operator, it's crucial to evade the protective measures in place on Windows systems and successfully extract secure processes from memory, such as LSASS.exe. The defensive tools integrated into Windows and those provided by security product vendors continually improve. Consequently, red team professionals must develop new tools or heavily modify existing ones to counter these evolving defense tooling and techniques.
There is a new tool named PPLBlade which is a process memory dumper tool to bypass PPL and avoid detections, developed by pepperoni in the following Github repository: https://github.com/tastypepperoni/PPLBlade This is simply a Protected Process Dumper Tool which supports the obfuscation of memory dumps such as LSASS process dumps and facilitates dump file transfer to remote machines without the need to save them onto the disk.
I was interested in experimenting with this program to gauge its effectiveness in extracting credentials from a secured LSASS process, evading Windows Defender.
Capabilities of PPLBlade as mentioned by the author: 1. Bypassing Windows PPL protection 2. Obfuscating memory dump files to evade Defender signature-based detection mechanisms 3. Uploading memory dump file with RAW and SMB upload methods without writing it onto the disk
Quoting the following article: https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-#introduction In Windows 8.1, a new concept of protected service has been introduced to allow anti-malware user-mode services to be launched as a protected service. After the service is launched as protected, Windows uses code integrity to only allow trusted code to load into the protected service. Windows also protects these processes from code injection and other attacks from admin processes. Protected Process Light (PPL) technology is used for controlling and protecting running processes and protecting them from infection by malicious code and the potentially harmful effects of other processes.
PPLBlade abuses PROCEXP152.sys to bypass PPL and obtain a PROCESS_ALL_ACCESS handle to a process protected by PPL. Activities such as process termination, dumping memory etc. are possible after obtaining the PROCESS_ALL_ACCESS handle to a protected process.
PPLBlade uses a custom callback function based on MiniDumpWriteDump that will receive the bytes of a process dump, and store the bytes in the memory, instead of touching the disk. The data stored in the memory can be obfuscated/XOR-ed and dropped on the disk. These steps help us to successfully evade the Defender signature-based detection for the dump files.
Here is a short video made during the experiments with PPLBlade, just to showcase the basic functionality to bypass PPL and signature detections.
Basic usage as shown in the above video, which uses PROCEXP152.sys to dump LSASS.exe and obfuscate the file before touching the disk:
PPLBlade.exe --mode dothatlsassthing --obfuscate
Deobfuscate memory dump: [It was not shown in the video.]
PPLBlade.exe --mode descrypt --dumpname PPLBlade.dmp --key PPLBlade
PPLBlade GitHub Repository: https://github.com/tastypepperoni/PPLBlade Detailed technical blog post by pepperoni: https://tastypepperoni.medium.com/bypassing-defenders-lsass-dump-detection-and-ppl-protection-in-go-7dd85d9a32e6
Last updated on 02 Sep 2023
Go back to Adversary Tactics