With Traps, there is a Password Theft Protection feature aimed at Mimikatz.
I've tested it (on version 6.0.1.7362) and indeed, a dump of the lsass process can no longer be inspected by Mimikatz.
Unfortunately for clients, a good red team would use pypykatz instead, which can dump the credentials without any problem.
Note (10 March 2020): the new Traps version 7.0.1 has corrected the issue and now also blocks pypykatz analysis.
Another note (Nov 2020): after some research, @Skelsec found that “The initial pointer which would show us where the linked list holding all user sessions has been destroyed.“
He then implemented a brute-force method to locate the data structure.
Read and applaud his full article here: https://skelsec.medium.com/play-with-katz-get-scratched-6c2c350fadf2
If you want to recompile your pypykatz version with this anti-XDR feature enabled, you just need to uncomment the code in /lsadecryptor/packages/msv/decryptor.py.
Here is the full git patch to be applied, written by 1mmort41:
https://github.com/1mm0rt41PC/Builder/blob/main/pypykatz/BruteForcer.patch