
As described in this blog post, mimikatz is a very capable tool for reading passwords from a Windows machine (from the LSASS process, from registry keys, and by other means).

How can we defend against it?

Run the LSASS process as a protected process (“RunAsPPL”, see https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) by simply adding the following registry value; the second command additionally stops WDigest from keeping plaintext credentials in memory:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v RunAsPPL /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f

To check (also useful for red teams):

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v RunAsPPL

or in a PowerShell script:

$regkey_property_name = 'RunAsPPL'
$regkey = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$regkey.GetValue($regkey_property_name)

Or run Credential Guard (https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage), though it requires Hyper-V (which sometimes clashes with VMware Player).

To check (also useful for red teams):

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v LsaCfgFlags

or in a PowerShell script:

$regkey_property_name = 'LsaCfgFlags'
$regkey = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
$regkey.GetValue($regkey_property_name)

Or use Palo Alto Cortex XDR (Prevent and Pro) and enable its anti-mimikatz module.

Another way to avoid leaving SSO password hashes in the LSASS process is to make privileged accounts members of the “Protected Users” group: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

In a domain environment, best practice is to deploy the Local Administrator Password Solution (LAPS, https://www.microsoft.com/en-us/download/details.aspx?id=46899), a Microsoft solution I recommend. It creates a unique local administrator password for each machine in the domain; the password is then stored in Active Directory with the proper ACL. There is plenty of documentation on it out there.

To check whether LAPS has been deployed on a machine, check the registry key HKLM:\Software\Policies\Microsoft Services\AdmPwd, value AdmPwdEnabled

or in PowerShell: (Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd").AdmPwdEnabled
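The checks above can be combined into one audit script. The following is an added example written for this post, not code from the original or from Microsoft; it reads the four registry values discussed here (RunAsPPL, WDigest UseLogonCredential, LsaCfgFlags and AdmPwdEnabled) and reports each as PASS, FAIL or NOT SET. It assumes an elevated PowerShell session on the machine being checked. The Win32_DeviceGuard query is an additional check not mentioned in the post: it reports whether Credential Guard is actually running, which matters because the LsaCfgFlags value only records the configured policy and, as noted above, Credential Guard also needs Hyper-V to be working.

```powershell
# Added example (not from the original post): audit the credential-hardening
# settings discussed above on the local machine. Run from an elevated prompt.

function Get-RegistryDwordValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # Return $null when the key or the value is absent instead of throwing.
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int] $item.$Name
    } catch {
        return $null
    }
}

function Get-CredentialGuardRunningState {
    # $true/$false when the Device Guard WMI class is available, $null otherwise.
    try {
        $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
        # SecurityServicesRunning contains 1 when Credential Guard is running.
        return [bool] ($dg.SecurityServicesRunning -contains 1)
    } catch {
        return $null
    }
}

function Test-CredentialHardening {
    # Each entry: the registry location, the value name, the predicate that
    # decides whether the value is in its hardened state, and whether an
    # absent value already counts as hardened (true for WDigest on Windows 8.1 /
    # Server 2012 R2 and later, where plaintext caching is off by default).
    $checks = @(
        @{ Control  = 'LSA protection (RunAsPPL)'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name     = 'RunAsPPL'
           Pass     = { param($v) $v -eq 1 }
           AbsentOk = $false }
        @{ Control  = 'WDigest plaintext caching disabled'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
           Name     = 'UseLogonCredential'
           Pass     = { param($v) $v -eq 0 }
           AbsentOk = $true }
        @{ Control  = 'Credential Guard policy (LsaCfgFlags)'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name     = 'LsaCfgFlags'
           Pass     = { param($v) $v -in @(1, 2) }   # 1 = with UEFI lock, 2 = without
           AbsentOk = $false }
        @{ Control  = 'LAPS policy (AdmPwdEnabled)'
           Path     = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
           Name     = 'AdmPwdEnabled'
           Pass     = { param($v) $v -eq 1 }
           AbsentOk = $false }
    )

    foreach ($c in $checks) {
        $value = Get-RegistryDwordValue -Path $c.Path -Name $c.Name
        if ($null -eq $value) {
            $status = if ($c.AbsentOk) { 'PASS (default)' } else { 'NOT SET' }
        } elseif (& $c.Pass $value) {
            $status = 'PASS'
        } else {
            $status = 'FAIL'
        }
        [pscustomobject]@{
            Control = $c.Control
            Value   = if ($null -eq $value) { '-' } else { $value }
            Status  = $status
        }
    }

    # The policy value alone does not prove Credential Guard is running.
    $running = Get-CredentialGuardRunningState
    [pscustomobject]@{
        Control = 'Credential Guard running (Win32_DeviceGuard)'
        Value   = if ($null -eq $running) { '-' } else { $running }
        Status  = if ($null -eq $running) { 'UNKNOWN' } elseif ($running) { 'PASS' } else { 'FAIL' }
    }
}

Test-CredentialHardening | Format-Table -AutoSize
```

A FAIL on RunAsPPL, or a Credential Guard policy that is set but not running, is the condition under which mimikatz can still read LSASS as described at the top of the post, so those two rows are the ones to escalate first. The script only reads the registry and WMI, so it can also be pushed through your existing remote-execution tooling to inventory a fleet.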

Nice video from CQURE : https://www.youtube.com/watch?v=WD2cBKRvERc
