memssp
misc::memssp
patches LSASS by injecting a new Security Support Provider (a DLL is registered). Then the credentials of all the users authenticating after the injection will be logged. It can also be utilised when Credential Guard is configured.
mimikatz # misc::memssp
Injected =)
If operating from a non-GUI session, then the following command can be used to lock the screen (the misc::lock
can also be used):
rundll32.exe user32.dll,LockWorkStation
When a user authenticates again, the credentials will be saved to C:\Windows\System32\mimilsa.log
.
Last updated