EDR-PPL-BYPASS | Defense Evasion
Protected Process Light (PPL) Bypass
Process Hacker / kernel-mode driver loads as PPL via abused signed binaries (PPLDump / PPLMedic), allowing LSASS to be read even when WDAC PPL is enabled.
§ Where this technique fits
EDR-PPL-BYPASS is catalogued under the Defense Evasion tactic of the offensive-security kill-chain. It appears in 0 approved dossiers in the registry, typically.