🔐 PPLDump
RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows.
https://github.com/last-byte/RIPPL
#ad #ppl #lsass #tools
RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows.
https://github.com/last-byte/RIPPL
#ad #ppl #lsass #tools
GitHub
GitHub - last-byte/RIPPL: RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows
RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows - last-byte/RIPPL
👻 Ghost in the PPL: BYOVDLL
This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-1/
#lsa #lsass #ppl #dll #maldev
This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and the methods employed to load vulnerable DLLs within protected processes.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-1/
#lsa #lsass #ppl #dll #maldev
itm4n’s blog
Ghost in the PPL Part 1: BYOVDLL
In this series of blog posts, I will explore yet another avenue for bypassing LSA Protection in Userland. I will also detail the biggest challenges I faced while developing a proof-of-concept, and discuss some novel techniques and tricks to load an arbitrary…
🔥12😱3❤1
APT
👻 Ghost in the PPL: BYOVDLL This blog post explores bypassing LSA Protection in Userland through the "Bring Your Own Vulnerable DLL" (BYOVDLL) technique. It also delves into the successful exploitation of vulnerabilities in the CNG Key Isolation service and…
👻 Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
In this second installment, the author deepens the exploration of techniques for bypassing LSASS protection, focusing on arbitrary code execution by refining the PoC, exploiting vulnerabilities like CVE-2023-28229, and bypassing Control Flow Guard (CFG) through RPC-based process handle duplication.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-2/
#lsa #lsass #ppl #dll #maldev
In this second installment, the author deepens the exploration of techniques for bypassing LSASS protection, focusing on arbitrary code execution by refining the PoC, exploiting vulnerabilities like CVE-2023-28229, and bypassing Control Flow Guard (CFG) through RPC-based process handle duplication.
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-2/
#lsa #lsass #ppl #dll #maldev
itm4n’s blog
Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
In the previous part, I showed how a technique called “Bring Your Own Vulnerable DLL” (BYOVDLL) could be used to reintroduce known vulnerabilities in LSASS, even when it’s protected. In this second part, I’m going to discuss the strategies I considered and…
🔥8
APT
👻 Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS In this second installment, the author deepens the exploration of techniques for bypassing LSASS protection, focusing on arbitrary code execution by refining the PoC, exploiting…
👻 Ghost in the PPL Part 3: LSASS Memory Dump
In the third part of the series, the author explores methods for dumping the memory of LSASS, including indirectly calling
🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-3/
#lsa #lsass #ppl #dll #maldev
In the third part of the series, the author explores methods for dumping the memory of LSASS, including indirectly calling
MiniDumpWriteDump, loading arbitrary DLLs into LSASS via the WinSock2 Autodial feature, and dynamically resolving addresses.🔗 Source:
https://itm4n.github.io/ghost-in-the-ppl-part-3/
#lsa #lsass #ppl #dll #maldev
itm4n’s blog
Ghost in the PPL Part 3: LSASS Memory Dump
Back to the Basics: MiniDumpWriteDump
🔥7👍6
🛡CreateProcessAsPPL
This is a utility for running processes with Protected Process Light (PPL) protection, enabling bypass of EDR/AV solution defensive mechanisms. It leverages legitimate Windows clipup.exe functionality from System32 to create protected processes that can overwrite antivirus service executable files.
🔗 Source:
https://github.com/2x7EQ13/CreateProcessAsPPL
🔗 Research:
https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html
#av #edr #bypass #ppl
This is a utility for running processes with Protected Process Light (PPL) protection, enabling bypass of EDR/AV solution defensive mechanisms. It leverages legitimate Windows clipup.exe functionality from System32 to create protected processes that can overwrite antivirus service executable files.
🔗 Source:
https://github.com/2x7EQ13/CreateProcessAsPPL
🔗 Research:
https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html
#av #edr #bypass #ppl
1👍10❤5