How to bypass AM-PPL (Antimalware Protected Process Light) and disable EDRs - a Red Teamer's story
Microsoft introduced the Antimalware Protected Process Light (AM-PPL) technology in Windows 8.1 to ensure that the operating system only loads trusted services and processes. In essence, PPL is used to control running processes and to protect them from infection by malicious code and from the potentially harmful effects of other processes. How effective is AM-PPL, and can it be abused to bypass AV/EDR products? In this talk, we'll introduce our research on abusing the AM-PPL technology to effectively bypass AVs and EDR products on a Windows system.
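Since the protection described above only helps an AV/EDR engine if its process actually runs at the ANTIMALWARE_LIGHT level, a defender's first check is to inventory the protection level of every running process. The script below is an added example, not material from the talk or from Avast; it assumes a Windows 10 or later host, administrative rights (so that every process can be opened for limited query), and uses the documented kernel32 `OpenProcess` / `GetProcessInformation` calls with the `ProcessProtectionLevelInfo` class. The `PplQuery` type name and the `Get-ProtectionLevelName` helper are names chosen for this example.

```powershell
# Added example: list the PPL protection level of running processes so a defender
# can confirm the AV/EDR engine really runs as AM-PPL (ANTIMALWARE_LIGHT).
# Assumes Windows 10+ and an elevated PowerShell session.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class PplQuery {
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_PROTECTION_LEVEL_INFORMATION { public uint ProtectionLevel; }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessInformation(IntPtr hProcess, int ProcessInformationClass,
        ref PROCESS_PROTECTION_LEVEL_INFORMATION ProcessInformation, uint ProcessInformationSize);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    // PROCESS_QUERY_LIMITED_INFORMATION is granted even on protected processes.
    public const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    // PROCESS_INFORMATION_CLASS::ProcessProtectionLevelInfo
    public const int ProcessProtectionLevelInfo = 7;

    // Returns the raw PROTECTION_LEVEL_* value, or null if the process could not be queried.
    public static uint? GetLevel(int pid) {
        IntPtr h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (h == IntPtr.Zero) return null;
        try {
            var info = new PROCESS_PROTECTION_LEVEL_INFORMATION();
            if (!GetProcessInformation(h, ProcessProtectionLevelInfo, ref info, (uint)Marshal.SizeOf(info)))
                return null;
            return info.ProtectionLevel;
        } finally { CloseHandle(h); }
    }
}
'@
Add-Type -TypeDefinition $sig

# Map the PROTECTION_LEVEL_* constants from the Windows SDK headers to readable names.
function Get-ProtectionLevelName([uint32]$level) {
    switch ($level) {
        0x00000000 { 'WINTCB_LIGHT' }
        0x00000001 { 'WINDOWS' }
        0x00000002 { 'WINDOWS_LIGHT' }
        0x00000003 { 'ANTIMALWARE_LIGHT' }   # the AM-PPL level an AV/EDR engine should have
        0x00000004 { 'LSA_LIGHT' }
        0x00000005 { 'WINTCB' }
        0x00000006 { 'CODEGEN_LIGHT' }
        0x00000007 { 'AUTHENTICODE' }
        0x00000008 { 'PPL_APP' }
        0xFFFFFFFF { 'NONE' }
        default    { 'UNKNOWN(0x{0:X8})' -f $level }
    }
}

$rows = foreach ($p in Get-Process) {
    $level = [PplQuery]::GetLevel($p.Id)
    $name = if ($null -eq $level) { 'QUERY_FAILED' } else { Get-ProtectionLevelName $level }
    [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Protection = $name }
}

# Protected processes first. An AV/EDR engine that shows up as NONE is running
# without PPL and deserves attention, because it can be tampered with like any other service.
$rows | Sort-Object Protection, Name | Format-Table -AutoSize
```

Run it from an elevated session; a few system processes may still report `QUERY_FAILED` if a handle cannot be opened, and those should be checked separately rather than assumed unprotected.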
Stephen is the Red Team lead at Avast and a security professional with industry experience across multiple business sectors, including finance and telecommunications. He held the deputy CISO/Ethical Hacker role at the Dutch telecommunications company KPN and security consultant positions in the telecommunications and IT space, including at Verizon Business and Siemens. His areas of research include mobile network security, and he has previously presented at various security conferences, including Hack In The Box, 44CON and Ruxcon.
Juan Sacco is the Red Team co-lead at Avast, an exploit writer and reverse engineer, and the author and main developer of Exploit Pack. He has presented and provided training at numerous security conferences, including Black Hat and Hack In The Box.