Beyond the Memory: How LSA Whisperer BOF Bypasses PPL and Credential Guard Without Touching LSASS

by ddos · February 23, 2026

LSA Whisperer BOF

A Cobalt Strike Beacon Object File (BOF) port of LSA Whisperer — the tool that talks directly to Windows authentication packages through the LSA untrusted/trusted client interface, without touching LSASS process memory even when PPL and Credential Guard is enabled.

Why This Exists

LSA Whisperer by Evan McBroom (SpecterOps) demonstrated that you can recover DPAPI credential keys, extract cloud SSO tokens, and interact with Kerberos — all through legitimate LsaCallAuthenticationPackage API calls. No memory reads, no process injection, no handles to LSASS.

This project brings those capabilities into C2s as BOFs for use during red team engagements. It never opens a handle to the lsass process and all the calls go through LsaCallAuthenticationPackage (the official client API used to talk to lsass), PPL on LSASS doesn’t matter at all. PPL protects the LSASS process from being opened/read/injected.

Commands

MSV1_0 Module

Command	Description
`lsa-credkey [LUID]`	Recover DPAPI credential key. Works with Credential Guard.
`lsa-strongcredkey [LUID]`	Recover strong DPAPI credential key (Win10+).
`lsa-ntlmv1 [LUID] [challenge]`	Generate NTLMv1 response with chosen challenge. Default challenge `1122334455667788` is compatible with crack.sh rainbow tables.

Kerberos Module

Command	Description
`lsa-klist [LUID]`	List cached Kerberos tickets.
`lsa-dump [LUID]`	Dump all tickets as base64 `.kirbi` blobs with session keys.
`lsa-purge [LUID] [server]`	Purge tickets. Supports selective purge by server name.

CloudAP Module

Command	Description
`lsa-ssocookie [LUID]`	Extract Entra ID (Azure AD) SSO cookie via AAD plugin.
`lsa-devicessocookie [LUID]`	Extract device SSO cookie.
`lsa-enterprisesso [LUID]`	Extract AD FS enterprise SSO cookie.
`lsa-cloudinfo [LUID]`	Query cloud provider info, TGT status, DPAPI status.