memssp

misc::memssp patches LSASS by injecting a new Security Support Provider (a DLL is registered). The credentials of every user who authenticates after the injection are then logged. It can also be used when Credential Guard is configured.

This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).

mimikatz # misc::memssp
Injected =)

If operating from a non-GUI session, the following command can be used to lock the screen (misc::lock can also be used):

rundll32.exe user32.dll,LockWorkStation

When a user authenticates again, the credentials will be saved to C:\Windows\System32\mimilsa.log.

After rebooting the system, the SSP injection will be cleared.
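For detection, the log path above is the most direct artefact. The following is an added example, not part of the original page or of Mimikatz: it scans Sysmon FileCreate (Event ID 11) records for that path. The JSON-lines export format, the sample events and the severity labels are assumptions, and it presumes the Sysmon configuration records file creation under System32.

```python
import json
import ntpath

# Default log path named on this page; a modified build could use another name.
MEMSSP_LOG = r"c:\windows\system32\mimilsa.log"

# Constructed sample: Sysmon FileCreate (Event ID 11) fields as JSON lines.
SAMPLE_EVENTS = r'''
{"EventID": 11, "UtcTime": "2024-01-01 10:00:01", "Image": "C:\\Windows\\System32\\lsass.exe", "TargetFilename": "C:\\Windows\\System32\\mimilsa.log"}
{"EventID": 11, "UtcTime": "2024-01-01 10:00:05", "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\alice\\notes.log"}
{"EventID": 1, "UtcTime": "2024-01-01 10:00:09", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 11, "UtcTime": "2024-01-01 10:02:30", "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "\\\\?\\c:\\WINDOWS\\system32\\drivers\\..\\MIMILSA.LOG"}
this line is not JSON
'''


def normalize(path):
    """Lower-case a Windows path, drop a \\\\?\\ prefix and resolve '..' segments."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normpath(path).lower()


def detect_memssp_log(lines):
    """Return (UtcTime, severity, Image) for each FileCreate of the memssp log."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate blank, truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("EventID") != 11:
            continue
        if normalize(ev.get("TargetFilename", "")) != MEMSSP_LOG:
            continue
        # The page says LSASS itself is patched, so a write by lsass.exe is
        # the expected signal; any other writer is still worth reviewing.
        writer = ntpath.basename(normalize(ev.get("Image", "")))
        severity = "high" if writer == "lsass.exe" else "medium"
        findings.append((ev.get("UtcTime"), severity, ev.get("Image")))
    return findings


if __name__ == "__main__":
    for finding in detect_memssp_log(SAMPLE_EVENTS.splitlines()):
        print(finding)
```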
