You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
pp-ppl
About this tag
The pp-ppl tag covers discussions about Windows Protected Processes (PP) and Protected Process Light (PPL), a security feature that restricts access to critical system processes. Content under this tag includes analysis of attacks that bypass PP/PPL protections, such as the Silver Fox campaign using a signed but vulnerable kernel driver (amsdk.sys) to terminate security processes and deliver ValleyRAT. These discussions highlight how threat actors exploit driver vulnerabilities to undermine Windows kernel defenses, including Kernel Mode Code Integrity (KMCI) and Hypervisor-protected Code Integrity (HVCI). The tag is relevant for IT security professionals and Windows users interested in understanding and mitigating advanced kernel-level threats.
Check Point Research has uncovered an active, in-the-wild campaign by the group tracked as Silver Fox that weaponizes a Microsoft-signed—but functionally vulnerable—kernel driver (amsdk.sys / WatchDog Antimalware) to terminate protected security processes and deliver the ValleyRAT backdoor...