LSA Whisperer: The LSASS Heist That Bypasses PPL, Credential Guard, and Every EDR on Your Network + Video

Listen to this Post

Featured Image

Introduction:

For years, red team operations have revolved around a cat-and-mouse game with LSASS. Defenders hardened the process with Protected Process Light (PPL), attackers responded with kernel drivers to kill PPL, and Sysmon logged every handle operation as Event ID 10. However, a technique released by SpecterOps and ported to a Beacon Object File (BOF) by Arun N. has rendered these defensive layers obsolete. Instead of attacking the process memory, this method simply asks LSASS politely for the credentials using legitimate Microsoft Authentication Packages—no handles, no injection, and no memory reads.

Learning Objectives:

  • Understand the architecture of LSASS and its Authentication Packages.
  • Learn how to extract DPAPI keys, Kerberos tickets, and Entra ID (Azure AD) tokens without touching process memory.
  • Implement and detect the LsaCallAuthenticationPackage technique in modern networks.

You Should Know:

  1. The Anatomy of LSA Whisperer: How It Bypasses Everything

Traditional credential dumping (like Mimikatz’s sekurlsa::logonpasswords) requires opening a process handle with `PROCESS_VM_READ` and reading the memory regions of LSASS. This triggers Sysmon EID 10 and is blocked by PPL. LSA Whisperer uses a completely different vector: it calls `LsaCallAuthenticationPackage` with specific parameters to request data from the authentication packages loaded in LSASS (MSV1_0, Kerberos, CloudAP, etc.).

What the post says: “No LSASS handle opened. No injection into LSASS process. No Sysmon EID 10 and PPL doesn’t matter.”

Step-by-step technical breakdown:

The BOF works by first obtaining an LSA handle via LsaConnectUntrusted. It then enumerates the available authentication packages with LsaLookupAuthenticationPackage. Finally, it crafts specific requests to each package.

// Conceptual C code for calling LSA
HANDLE lsaHandle;
LsaConnectUntrusted(&lsaHandle);

// Get the MSV1_0 package ID
LsaLookupAuthenticationPackage(lsaHandle, &msv1_0_name, &msv1_0_pkgid);

// Prepare the request buffer for DPAPI keys
// Then call:
LsaCallAuthenticationPackage(lsaHandle, msv1_0_pkgid, requestBuffer, 
requestSize, &responseBuffer, &responseSize, &subStatus);

Windows Defender / EDR Perspective:

From a defensive standpoint, this call is “trusted” because it originates from a process that has authenticated to LSA. The BOF runs inside a Beacon process that has already called LsaConnectUntrusted, making the subsequent calls appear legitimate.

2. Extracting DPAPI Credential Keys Through Credential Guard

Credential Guard isolates and protects secrets using virtualization-based security. Memory dumping tools fail against it. However, the MSV1_0 authentication package still holds the DPAPI keys for the logged-on users because applications (like Chrome, Edge, and Outlook) need to decrypt data.

The BOF command:

lsa-whisperer dump /package:msv1_0 /type:dpapi

What happens under the hood:

The BOF sends a `MSV1_0_SUBAUTH_REQUEST` with specific sub-authentication parameters that return the master DPAPI keys. These keys can then be used to decrypt any DPAPI-protected data (Chrome passwords, RDP credentials, etc.) offline.

Linux Equivalent (if dealing with cross-platform):

Linux uses different mechanisms (kernel keyrings, GNOME keyring), but the concept of asking the authentication service for keys exists in SSSD or Winbind:

 Check for kerberos tickets on Linux
klist
 Extract keytab if possible
ktutil
  1. Kerberos Ticket Dumping and Purging via Kerberos Package

Instead of reading tickets from memory, the BOF calls the Kerberos authentication package with a KERB_RETRIEVE_TICKET_REQUEST. This returns all cached tickets, including service tickets and TGTs, in their encrypted form. They can then be passed to tools like Rubeus for offline cracking or pass-the-ticket.

Step-by-step usage:

1. List all tickets:

lsa-whisperer dump /package:kerberos /type:tickets

2. Purge tickets (for stealth or to force re-authentication):

lsa-whisperer purge /package:kerberos

Detection Opportunity:

While the call itself is hard to block, a sudden purge of Kerberos tickets followed by a network connection to a Domain Controller (AS-REQ) might indicate an attacker forcing a new TGT to capture it.

  1. Entra ID (Azure AD) SSO Cookies via CloudAP

Modern hybrid-joined machines use CloudAP (Cloud Authentication Package) to manage Primary Refresh Tokens (PRTs) for Entra ID. The LSA Whisperer BOF can request these cookies directly.

The command:

lsa-whisperer dump /package:cloudap /type:prt

What you get:

The PRT and its derived cookies. These can be injected into a browser session (using tools like `https://github.com/secureworkload/PRT-Assistant` or manually via Chrome debugger) to access Office365, Teams, and Azure Portal as the user, completely bypassing MFA because the PRT is the MFA claim.

Manual extraction concept:

Without the BOF, one could attempt to extract from the Windows Token Broker, but it’s significantly harder and requires SYSTEM privileges. The BOF does it from user context.

5. NTLMv1 Downgrade Attack Bypassing LmCompatLevel

This is the most aggressive feature. By manipulating the MSV1_0 authentication package calls, the BOF can force the machine to send NTLMv1 responses even if `LmCompatLevel` is set to send NTLMv2 (the default since Windows 2000). NTLMv1 is trivially cracked (seconds on modern GPUs).

How it works:

The BOF modifies the Netlogon settings for the session or injects a custom `NEGOTIATE_MESSAGE` that tells the server the client only supports NTLMv1.

Verification command (on compromised machine):

Check current policy:

Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" -Name LmCompatibilityLevel

After running the BOF’s downgrade, any outbound NTLM authentication will use the weaker v1.

Network capture detection:

Look for NTLMSSP negotiations where the flags indicate v1 instead of v2. In Wireshark, filter for `ntlmssp.messagetype == 1` and check the Negotiate Flags field.

What Undercode Say:

Key Takeaway 1: The era of “harden LSASS and call it a day” is over. Defenders must monitor the usage of authentication packages, not just process access. Look for anomalous processes (like beacons) calling `LsaCallAuthenticationPackage` with package IDs they don’t normally use.

Key Takeaway 2: Cloud and on-premise secrets are now equally exposed. The ability to extract Entra ID PRTs from a workstation means that compromising a single hybrid-joined device can lead to full cloud compromise without ever touching Azure AD directly.

Analysis: This technique represents a paradigm shift in credential access. By abusing trusted OS interfaces rather than attacking memory, it bypasses almost all userland EDR hooks. The only reliable detection lies in deep API call stack analysis—specifically, what called `LsaCallAuthenticationPackage` and what arguments were passed. Additionally, network-level monitoring for anomalous Kerberos traffic or NTLMv1 downgrades becomes critical. As offensive tooling evolves to use these “living off the land” binaries (or in this case, living off the land API calls), defenders must shift focus from “what is the attacker doing” to “what is the process doing that is different from its baseline.”

Prediction:

Microsoft will likely respond by adding additional signing requirements to `LsaCallAuthenticationPackage` for sensitive operations, perhaps requiring a specific process integrity level or a Microsoft-signed binary. This will force attackers to either find a new package to abuse or combine this technique with a code-signing certificate theft. In the short term, expect a wave of BOFs and .NET implementations of this technique, making it a staple in every red team’s arsenal for the next 12-18 months.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky