I used to run Mimikatz on one of my computers. Then, I did something to block its action and I do not recall what it was. I am trying to revert it unsuccessfully.

```
  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

792     {0;000003e7} 1 D 63431          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;00025b34} 1 F 4156027     COMP\U244        S-1-5-21-542114799-846785721-1465343628-1001    (14g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 4625769     NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
```

I know about RunAsPPL, but I have removed it:

```
reg query “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA” /v RunAsPPL
ERROR: Invalid key name.
```

Maybe a hotfix changed something. I am running:

```
OS Version:                10.0.19043 N/A Build 19043
```

What else could be breaking the necessary access?

user1156544

1 Answer

I've tried both the latest Mimikatz and 2.1.1, and neither seems to work. Apparently, you need a cmd as NT AUTHORITY\SYSTEM, obtained by running cmd as Administrator and then `.\PsExec64.exe -i -s cmd.exe`. In the newly spawned cmd, make sure `whoami` returns NT AUTHORITY\SYSTEM.

  • `NT AUTHORITY\SYSTEM` and `administrator` are different things. And I already elevated, as you can see in my post – user1156544 May 14 '22 at 16:27
  • Hey, I meant, ensure that the cmd that runs Mimikatz is NT AUTHORITY\SYSTEM by running whoami before running mimikatz. – NoPurposeInLife May 15 '22 at 20:34
  • And what would be the difference from running as Administrator and elevating the token? – user1156544 May 16 '22 at 11:23
  • No idea, but can you give it a try, with NT AUTHORITY\SYSTEM - cmd instead of an Administrator cmd? – NoPurposeInLife May 16 '22 at 17:05
  • It worked in my case against a Windows Server 2016, when my cmd's whoami returns NT AUTHORITY\SYSTEM. – NoPurposeInLife May 17 '22 at 07:45
  • This is not the issue, I am `NT AUTHORITY\SYSTEM` as you can see – user1156544 May 18 '22 at 17:05
  • No. Get NT AUTHORITY\SYSTEM on CMD, not via elevate. On the Windows 2016 Server on my end, even after elevating I faced the same error. But when I ran `.\PsExec64.exe -i -s cmd.exe` and got a cmd which returns NT AUTHORITY\SYSTEM via whoami, the error did not occur anymore. Could you give it a go and see, instead of arguing again and again? – NoPurposeInLife May 19 '22 at 09:31
  • OK, but just because you insist: `C:\WINDOWS\system32>whoami` `nt authority\system` `C:\WINDOWS\system32>...\x64\mimikatz.exe` ... `mimikatz # privilege::debug` `Privilege '20' OK` `mimikatz # sekurlsa::logonpasswords` `ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)` – user1156544 May 19 '22 at 16:05