Scenario 1: Windows 10 with LSA Protection

First, I ran mimikatz without LSA Protection and validated that I was able to get credentials. I used the commonly used “sekurlsa::logonpasswords” mimikatz command to retrieve hashes and clear text passwords from lsass.

Next, I enabled LSA Protection by following the steps posted at: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection:

Using regedit, I navigated to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Then I set the value of the registry key to: “RunAsPPL”=dword:00000001

Added RunAsPPL with a dword of 1 to HKLM\SYSTEM\CurrentControlSet\Control\Lsa

Rebooted the machine so the setting would take effect.
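As an added, defender-side example (not code from the original post), the PowerShell below audits whether RunAsPPL is set and whether lsass actually started as a protected process at the last boot, using the Wininit Event ID 12 check that Microsoft documents on the page linked above; the function names and output fields are my own.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
# Checks the RunAsPPL value the post sets by hand, and confirms that lsass.exe really
# started as a protected process at the current boot (Wininit writes Event ID 12,
# "LSASS.exe was started as a protected process with level: 4", to the System log).
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtectionState {
    # Registry side: is RunAsPPL configured (1 or greater)?
    $prop = Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    $configured = ($null -ne $prop) -and ([int]$prop.RunAsPPL -ge 1)

    # Runtime side: look for Wininit Event ID 12 written after the last boot.
    # Filtering on Id alone and then on provider avoids hard-coding the provider's full name.
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' -and $_.TimeCreated -ge $lastBoot -and
                       $_.Message -match 'protected process' } |
        Select-Object -First 1
    $protectedNow = ($null -ne $evt)

    [pscustomobject]@{
        RunAsPPLConfigured     = $configured
        LsassProtectedThisBoot = $protectedNow
        RebootRequired         = ($configured -and -not $protectedNow)
    }
}

function Enable-LsaProtection {
    # Same change the post makes in regedit: RunAsPPL = 1 (DWORD). Applies at next boot.
    New-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -Value 1 -PropertyType DWord -Force | Out-Null
}

$state = Get-LsaProtectionState
$state | Format-List
if (-not $state.RunAsPPLConfigured) {
    Enable-LsaProtection
    Write-Output 'RunAsPPL set to 1; reboot for lsass to start as a protected process.'
}
```

A host where RunAsPPLConfigured is true but LsassProtectedThisBoot is false has the registry change pending a reboot, which is the state the post is in between the regedit step and the reboot step.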

After reboot, I ran the same “sekurlsa::logonpasswords” mimikatz command and observed the output:

mimikatz sekurlsa::logonpasswords after enabling LSA Protection

The LSA Protection is preventing the mimikatz module above from working. I also tried the mimikatz modules below:

lsadump::secrets: Still worked, and I was able to get syskey information to decrypt secrets from the registry on disk

lsadump::sam: Still works, since it’s reading credentials from the SAM on disk

lsadump::lsa: Did not work; the same result was returned for each local account

sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlmhash>: Did not work:

Lastly, I also tried the golden ticket and dcsync options with mimikatz and both successfully worked (note: I had already compromised the test environment domain and had domain admin level rights before this test):

kerberos::golden /user:<user> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt hash> /endin:<value> /renewmax:<value>: Successful

lsadump::dcsync /domain:<domain> /user:<user>: Successful

LSA Protection Bypass:

Mimikatz has the mimidrv.sys driver that can bypass LSA Protection. I downloaded the mimikatz_trunk zip file from Ben Delpy’s mimikatz github repo, and copied the whole folder over, which included mimikatz.exe, mimidrv.sys, and mimilib.dll. I ran mimikatz.exe, and started the mimidrv.sys driver, and used that to remove LSA Protection from the lsass.exe process:

In the same mimikatz session, I then ran sekurlsa::logonpasswords and then got clear text passwords and hashes, proving that the mimidrv.sys driver does effectively bypass and remove LSA Protection. This would be trivial for an attacker to do once they already have admin access to a system.

In summary, LSA Protection seems to offer some protection against “out-of-the-box” mimikatz. However, as noted above, the mimikatz driver bypasses LSA Protection, allowing mimikatz to steal clear text credentials and hashes. Also, mimikatz and other credential dumpers can still dump hashes of local accounts, since those hashes are on disk as opposed to in LSASS, which is where LSA Protection helps. Additionally, if an attacker has access to an LSA Protection-enabled system, the attacker can resort to keystroke logging or social engineering in order to get credentials. I would still recommend LSA Protection, as it makes an attacker take additional steps to dump credentials, but it is not a 100% bulletproof solution to credential dumping.