You should enable audit mode before enabling this option, otherwise it could be quite messy, as disabling this LSA is not straightforward... HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe AuditLevel=dword:00000008
In your experience, what are the consequences? Apps that break because they require reading directly from lsass?
How did you load the Mimikatz driver? From disk? Or did you do something else to get it loaded on the system? I haven't had luck trying to do this via memory only (e.g., Kiwi via Meterpreter)
In this case I ended up dropping to disk. I really hate to do that
They should also consider enabling Windows Credential Guard (WCG) / Device Guard, which isolates LSA as a virtualised service on the Hyper-V platform, making it impossible to dump creds even with the Mimikatz driver.
Absolutely agree
How does this work in conjunction with Credential Guard on domain joined systems? I guess this protects what remains in LSASS while LSAIso is where the domain credentials are stored that are also protected?
Not 100% sure, but I think it works as you pointed out.
We use smart cards, feels like those touch the lsass. And the article mentions Windows 8.1. Is Win10 supported?
It should be supported; the protection works on Windows 10 at least. pic.twitter.com/b6lbGqZAZl
Mimikatz driver needed to bypass