Complete list of Sneaky Active Directory Persistence Tricks posts <\/a><\/p>\n <\/p>\n The Security Support Provider Interface (SSPI) enables Windows authentication methods to be easily extended allowing new Security Support Providers (SSPs) to be added without additional coding.<\/p>\n Some of the standard Windows authentication SSPs<\/a>:<\/p>\n Mimikatz supports DLL\/registry (scenario 1) & in-memory updating of SSPs (scenario 2).<\/p>\n <\/p>\n Scenario 1:<\/strong> Copy mimilib.dll to the same location as LSASS (c:\\windows\\system32) & Update Security Packages registry key (HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages\\) with the SSP DLL name.<\/p>\n Scenario 2:<\/strong> Use mimikatz to patch LSASS in memory with new SSP with no reboot required (rebooting clears the memssp Mimikatz injects).<\/p>\n Either of these scenarios enable adding a new SSP to a Windows system. The SSP included with mimikatz provides automatic logging of locally authenticated credentials. This includes the computer account password, running service credentials, and any accounts that logon.<\/p>\n This data is logged by default in the same location as the dll file to a log file, though it’s possible to log this data elsewhere on the system. The alternate log location could be in SYSVOL if the Windows system is a Domain Controller which provides access to Authenticated Users.<\/p>\n This is what a typical Group Policy template file might look like.<\/p>\n This is what a fake Group Policy template file might look like when as the Mimikatz SSP log file location.<\/p>\n\n
![\"SneakyPersistence-EnableMimiSSP-PowerShellScript-01\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-EnableMimiSSP-PowerShellScript-01.png\")
<\/a><\/p>\n![\"SneakyPersistence-EnableMimiSSP-MimilibDll-02\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-EnableMimiSSP-MimilibDll-02.png\")
<\/a><\/p>\n![\"SneakyPersistence-EnableMimiSSP-RegKey-01\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-EnableMimiSSP-RegKey-01.png\")
<\/a><\/p>\n![\"SneakyPersistence-EnableMimiSSP-MemSSP-01\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-EnableMimiSSP-MemSSP-01.png\")
<\/a><\/p>\n![\"SneakyPersistence-EnableMimiSSP-SaveToSYSVOL-02\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-EnableMimiSSP-SaveToSYSVOL-02.png\")
<\/a><\/p>\n
![\"SneakyPersistence-EnableMimiSSP-SaveToSYSVOL\"](\"https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/SneakyPersistence-EnableMimiSSP-SaveToSYSVOL.png\")
<\/a><\/p>\n