Bypass Record

LSASS Credential Dumping × Microsoft Windows LSA Protection (PPL)

A publicly reported instance of LSASS Credential Dumping bypassing Microsoft Windows LSA Protection (PPL), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows LSA Protection (PPL)
Technique
LSASS Credential Dumping
MITRE ATT&CK
T1003.001
Confidence
High
Severity
High
Status
poc
Disclosed
2025-06-13
Config / version noted
Not stated

Provenance

Reported as

bypass Windows LSA Protection by directly manipulating the EPROCESS structure's Protection field

Mechanism

An attacker with kernel debugging access uses WinDbg to locate the LSASS EPROCESS structure and overwrites the Protection byte (the _PS_PROTECTION field) from 0x61 (PPL) to 0x00, disabling LSA Protection. Mimikatz's sekurlsa::logonpasswords then extracts plaintext passwords, NTLM hashes, and Kerberos tickets. Alternatively, a custom C++ tool uses OpenProcess and WriteProcessMemory to patch the protection byte.

Detection & mitigation

Monitor for suspicious kernel debugging activity (e.g., WinDbg execution, SeDebugPrivilege use) and unexpected modifications to LSASS process protection via ETW or kernel callbacks. Enforce Hypervisor-Protected Code Integrity (HVCI) and Credential Guard to prevent kernel tampering, and restrict debug privileges to authorized users.
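The controls named above can be audited from an elevated PowerShell session. The following script is an added example, not code from the cited source or from the record's author: it reads the RunAsPPL value, queries Win32_DeviceGuard for running Credential Guard and HVCI, and lists recent Security event 4703 entries that enabled SeDebugPrivilege. It assumes that "Audit Sensitive Privilege Use" is enabled (otherwise 4703 is not written), that the 24-hour window and the small process allow-list are tuning values to be adjusted per environment, and that the 4703 field names (EnabledPrivilegeList, SubjectUserName, ProcessName) follow the standard event schema.

```powershell
# Added audit example (not from the cited source). Run elevated.
# Reports, as objects for review: LSA Protection state, VBS services, and
# recent SeDebugPrivilege grants from Security event 4703.

function Get-LsaProtectionStatus {
    # RunAsPPL: 1 = LSA Protection enabled, 2 = enabled with UEFI lock (newer builds).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $value = 0
    if ($null -ne $lsa -and $null -ne $lsa.RunAsPPL) { $value = [int]$lsa.RunAsPPL }
    $detail = switch ($value) {
        0 { 'not configured' }
        1 { 'enabled' }
        2 { 'enabled with UEFI lock' }
        default { "unrecognised value $value" }
    }
    [pscustomobject]@{ Control = 'LSA Protection (RunAsPPL)'; Enabled = ($value -ge 1); Detail = $detail }
}

function Get-VbsStatus {
    # Win32_DeviceGuard.SecurityServicesRunning encodes services as integers:
    # 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = @()
    if ($null -ne $dg) { $running = @($dg.SecurityServicesRunning) }
    [pscustomobject]@{
        Control         = 'Virtualization-based security'
        VbsRunning      = ($null -ne $dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = ($running -contains 1)
        HVCI            = ($running -contains 2)
    }
}

function Get-RecentSeDebugGrants {
    param(
        [int]$Hours = 24,
        # Constructed allow-list of processes that legitimately enable SeDebugPrivilege;
        # tune this for your environment, as 4703 is noisy on a normal host.
        [string[]]$AllowedProcessNames = @('C:\Windows\System32\svchost.exe')
    )
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4703; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Parse the event XML rather than regex over the rendered message, so the
        # Enabled and Disabled privilege lists cannot be confused with each other.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['EnabledPrivilegeList'] -notmatch 'SeDebugPrivilege') { continue }
        if ($AllowedProcessNames -contains $data['ProcessName']) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process     = $data['ProcessName']
            ProcessId   = $data['ProcessId']
        }
    }
}

# Stand-alone run: print the three reports.
Get-LsaProtectionStatus | Format-List
Get-VbsStatus | Format-List
Get-RecentSeDebugGrants | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

A host on which LSA Protection is reported as not configured, or on which HVCI is not running, has neither of the two mitigations this record names; the 4703 listing is a starting point for the "SeDebugPrivilege use" hunt and is best fed into a SIEM rule that baselines which processes and accounts normally enable the privilege.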


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.