as written in this blogpost mimikatz is an amazing tool to read password from a Window machine (either LSASS process, or Registry keys and other means).
How can we defend against it ?
Run LSASS process as “RunAsPPL” https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection by adding simply the following Registry key
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA” /v RunAsPPL /t REG_DWORD /d 1 /f
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest” /v UseLogonCredential /t REG_DWORD /d 0 /f
to check or for red teams,
reg query “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA” /v RunAsPPL
or in powershell script :
$regkey_property_name = ‘RunAsPPL’
$regkey = get-item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Lsa’
$regkey.GetValue($regkey_property_name)
or Run Credential-guard https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage but it requires Hyper-V (which clashes sometimes with VMware player)
to check or for red teams,
reg query “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA” /v LsaCfgFlags
or in powershell script :
$regkey_property_name = ‘LsaCfgFlags’
$regkey = get-item -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\LSA’
$regkey.GetValue($regkey_property_name)
or use Palo Alto Cortex XDR (prevent & Pro), and enable the anti-mimikatz module
(even do it’s not fullproof as written here : https://skelsec.medium.com/play-with-katz-get-scratched-6c2c350fadf2 )
Another way to defend against Leaving SSO password hashes in the LSAS process is when using privileges account make them part of “Protected Used Group” https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
In an domain environment, best practice would be to deploy Local Administrator Password Solution (LAPS) / https://www.microsoft.com/en-us/download/details.aspx?id=46899 ) . A microsoft solution I recommend. This enable to create for each machine of a domain of a unique password for a local administrator. The password is then stored in the Active Directory with the proper ACL. There are tons of documentation on it out there.
How to check if LAPS has been deployed on a machine Check Reg Key HKLM:\Software\Policies\Microsoft Services\AdmPwd – AdmPwdEnabled
or in Powershell : (Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd").AdmPwdEnabled`
Nice video from CQURE : https://www.youtube.com/watch?v=WD2cBKRvERc
0
Recent Comments