src/windows-hardening/av-bypass.md
79 additions & 0 deletions
@@ -755,10 +755,89 @@ After replacing the original files and restarting the service stack:
755
755
756
756
This case study demonstrates how purely client-side trust decisions and simple signature checks can be defeated with a few byte patches.
757
757
758
+
## Abusing Protected Process Light (PPL) To Tamper AV/EDR With LOLBINs
759
+
760
+
Protected Process Light (PPL) enforces a signer/level hierarchy so that only equal-or-higher protected processes can tamper with each other. Offensively, if you can legitimately launch a PPL-enabled binary and control its arguments, you can convert benign functionality (e.g., logging) into a constrained, PPL-backed write primitive against protected directories used by AV/EDR.
761
+
762
+
What makes a process run as PPL
763
+
- The target EXE (and any loaded DLLs) must be signed with a PPL-capable EKU.
764
+
- The process must be created with CreateProcess using the flags: `EXTENDED_STARTUPINFO_PRESENT | CREATE_PROTECTED_PROCESS`.
765
+
- A compatible protection level must be requested that matches the signer of the binary (e.g., `PROTECTION_LEVEL_ANTIMALWARE_LIGHT` for anti-malware signers, `PROTECTION_LEVEL_WINDOWS` for Windows signers). Wrong levels will fail at creation.
766
+
767
+
See also a broader intro to PP/PPL and LSASS protection here:
768
+
769
+
{{#ref}}
770
+
stealing-credentials/credentials-protections.md
771
+
{{#endref}}
772
+
773
+
Launcher tooling
774
+
- Open-source helper: CreateProcessAsPPL (selects protection level and forwards arguments to the target EXE):
- The signed system binary `C:\Windows\System32\ClipUp.exe` self-spawns and accepts a parameter to write a log file to a caller-specified path.
788
+
- When launched as a PPL process, the file write occurs with PPL backing.
789
+
- ClipUp cannot parse paths containing spaces; use 8.3 short paths to point into normally protected locations.
790
+
791
+
8.3 short path helpers
792
+
- List short names: `dir /x` in each parent directory.
793
+
- Derive short path in cmd: `for %A in ("C:\ProgramData\Microsoft\Windows Defender\Platform") do @echo %~sA`
794
+
795
+
Abuse chain (abstract)
796
+
1) Launch the PPL-capable LOLBIN (ClipUp) with `CREATE_PROTECTED_PROCESS` using a launcher (e.g., CreateProcessAsPPL).
797
+
2) Pass the ClipUp log-path argument to force a file creation in a protected AV directory (e.g., Defender Platform). Use 8.3 short names if needed.
798
+
3) If the target binary is normally open/locked by the AV while running (e.g., MsMpEng.exe), schedule the write at boot before the AV starts by installing an auto-start service that reliably runs earlier. Validate boot ordering with Process Monitor (boot logging).
799
+
4) On reboot the PPL-backed write happens before the AV locks its binaries, corrupting the target file and preventing startup.
800
+
801
+
Example invocation (paths redacted/shortened for safety):
802
+
803
+
```text
804
+
# Run ClipUp as PPL at Windows signer level (1) and point its log to a protected folder using 8.3 names
- You cannot control the contents ClipUp writes beyond placement; the primitive is suited to corruption rather than precise content injection.
810
+
- Requires local admin/SYSTEM to install/start a service and a reboot window.
811
+
- Timing is critical: the target must not be open; boot-time execution avoids file locks.
812
+
813
+
Detections
814
+
- Process creation of `ClipUp.exe` with unusual arguments, especially parented by non-standard launchers, around boot.
815
+
- New services configured to auto-start suspicious binaries and consistently starting before Defender/AV. Investigate service creation/modification prior to Defender startup failures.
816
+
- File integrity monitoring on Defender binaries/Platform directories; unexpected file creations/modifications by processes with protected-process flags.
817
+
- ETW/EDR telemetry: look for processes created with `CREATE_PROTECTED_PROCESS` and anomalous PPL level usage by non-AV binaries.
818
+
819
+
Mitigations
820
+
- WDAC/Code Integrity: restrict which signed binaries may run as PPL and under which parents; block ClipUp invocation outside legitimate contexts.
821
+
- Service hygiene: restrict creation/modification of auto-start services and monitor start-order manipulation.
822
+
- Ensure Defender tamper protection and early-launch protections are enabled; investigate startup errors indicating binary corruption.
823
+
- Consider disabling 8.3 short-name generation on volumes hosting security tooling if compatible with your environment (test thoroughly).
824
+
825
+
References for PPL and tooling
826
+
- Microsoft Protected Processes overview: https://learn.microsoft.com/windows/win32/procthread/protected-processes
-[Unit42 – New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer](https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/)
761
835
-[Synacktiv – Should you trust your zero trust? Bypassing Zscaler posture checks](https://www.synacktiv.com/en/publications/should-you-trust-your-zero-trust-bypassing-zscaler-posture-checks.html)
762
836
-[Check Point Research – Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations](https://research.checkpoint.com/2025/before-toolshell-exploring-storm-2603s-previous-ransomware-operations/)
-[Zero Salarium – Countering EDRs With The Backing Of Protected Process Light (PPL)](https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html)
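Review bot: the three "What makes a process run as PPL" bullets say a compatible protection level "must be requested" but never say where, and `CREATE_PROTECTED_PROCESS` on its own carries no level, so a reader cannot tell how the launcher picks `PROTECTION_LEVEL_WINDOWS` versus `PROTECTION_LEVEL_ANTIMALWARE_LIGHT`. State that the level is supplied as a process-thread attribute in the attribute list that `EXTENDED_STARTUPINFO_PRESENT` enables (which is why that flag is listed as required); that also explains the "(1)" in the example-invocation comment. Two smaller points: the mitigation bullet "WDAC/Code Integrity: restrict which signed binaries may run as PPL" overstates what WDAC does, since the first bullet itself says PPL eligibility comes from the binary's signing EKU, so reword it to blocking ClipUp execution or its unusual parents; and step 3 of the abuse chain ("installing an auto-start service that reliably runs earlier") should name the service start type and ordering the author relied on, otherwise "reliably" cannot be checked. The heading should also read "To Tamper With AV/EDR".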