memssp
misc::memssp patches LSASS by injecting a new Security Support Provider (a DLL is registered). Then the credentials of all the users authenticating after the injection will be logged. It can also be utilised when Credential Guard is configured.
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
If operating from a non-GUI session, then the following command can be used to lock the screen (the misc::lock can also be used):
When a user authenticates again, the credentials will be saved to C:\Windows\System32\mimilsa.log.
After rebooting the system, the SSP injection will be cleared.
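
A defender-side check for the log file named above, as an added example that is not part of the original page or of Mimikatz: it scans Sysmon FileCreate (Event ID 11) records exported as JSON lines for writes to that path. The JSON field layout, the host name and the sample records are constructed assumptions, as is the expectation that the write is attributed to lsass.exe.

```python
import json
import ntpath

MEMSSP_LOG = r"C:\Windows\System32\mimilsa.log"   # log path given on this page
LSASS_IMAGE = r"C:\Windows\System32\lsass.exe"    # assumed writer: the patched LSASS

def _norm(path):
    """Case-fold a Windows path and unify separators so trivial variants match."""
    return ntpath.normcase(ntpath.normpath(path or ""))

def find_memssp_log_writes(json_lines):
    """Return one finding per Sysmon FileCreate (Event ID 11) record that targets the memssp log."""
    findings = []
    for line in json_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if not isinstance(event, dict) or str(event.get("EventID")) != "11":
            continue
        if _norm(event.get("TargetFilename")) != _norm(MEMSSP_LOG):
            continue
        by_lsass = _norm(event.get("Image")) == _norm(LSASS_IMAGE)
        findings.append({
            "host": event.get("Computer"),
            "time": event.get("UtcTime"),
            "writer": event.get("Image"),
            # Created by LSASS itself: consistent with the in-memory patch.
            # Any other writer (copy, test file) is left for analyst review.
            "confidence": "high" if by_lsass else "review",
        })
    return findings

def _event(event_id, image, target):
    """Build one constructed sample record (not real telemetry)."""
    return json.dumps({"EventID": event_id, "Computer": "WS01.example.test",
                       "UtcTime": "2024-01-01 10:00:00.000",
                       "Image": image, "TargetFilename": target})

SAMPLE_EVENTS = [
    _event(11, r"C:\Windows\system32\lsass.exe", r"c:\windows\SYSTEM32\MimiLsa.log"),
    _event("11", r"C:\Windows\System32\notepad.exe", "C:/Windows/System32/mimilsa.log"),
    _event(11, r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\other.log"),
    _event(1, r"C:\Windows\System32\lsass.exe", MEMSSP_LOG),
    '{"EventID": 11, "TargetFilename": "C:',  # truncated line
]

if __name__ == "__main__":
    for finding in find_memssp_log_writes(SAMPLE_EVENTS):
        print(finding)
```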