The below image represents an attempt to access the lsass.exe process and extract clear text passwords and run a skeleton key attack. As we can see this has not been successful since applying the registry key change mentioned in the mitigation section for LSA Protection.
We can check if the LSA Protection RunAsPPL key exists by querying the registry to confirm the LSA protection is in place.
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "RunAsPPL"
# Value 0x1 means LSA Protection is enabled
This can be bypassed by utilizing the mimidrv.sys driver file which is included as a separate file with mimikatz.
The mimidrv.sys driver file needs to exists in the same directory as mimikatz.exe.
The driver can be loaded by running the command !+ in Mimikatz. After doing so the following command can be execute to protect the mimikatz.exe process.
!processProtect /process:mimikatz.exe
The same command with the /remove flag can be used to strip the process protection from a process such as lsass.exe
!processprotect /process:lsass.exe /remove
From here we should be free to perform actions against LSASS and dump credentials from it.
