
Dumping LSASS as NT/System bypassing Defender

Jumpstyle
Hi nulled Community,
I recently encountered a problem I was unable to solve. I mainly focus on Linux and Kubernetes systems, so I only know Windows "basics" and mostly google known exploit paths.
I'm conducting an internal pentest at a company and got administrative access on a domain-joined (patched) Windows 10 virtual machine with Windows Defender (I think enforced by GPOs). I realized that domain admins have been using this machine and therefore thought about dumping LSASS to get domain admin with pth. I have done this before on older systems and didn't have big trouble until today.
Now comes the problem. The LSASS protection seems to have improved over the last few years and I was struggling hard to get a memory dump until I finally gave up. As said, I am administrator on the machine and can impersonate nt/system. I can add exceptions to Defender, so I am able to run malicious code. However, running mimikatz did not dump the LSASS. I got local SAM hashes and DCCs, but cracking DCCs is a pain if they use secure passwords. I tried removing LSA protection using mimikatz - didn't work. I did some googling and found tools like PPLKiller and PPLdump - no success. Procdump didn't work either, nor did a Task Manager dump. Always access denied, and Defender says malicious action was detected.
I tried stopping the Defender service using the SC stop command, no success.
Can anybody recommend different approaches? It's a Win 10 with the latest 20H2 patch. I would risk a restart (if necessary) and wait for another domain admin to log in again if that raises my chances.
Regards in advance