Contents

Mimikatz OpenProcess Modules

Contents

Mimikatz OpenProcess Modules#

Author#

dim0x69 - blog.3or.de

Details#

module	OpenProcess caller function	destination process / destination service	ACCESS_MASK	ACCESS_MASK translated	comment
sekurlsa::*	kuhl_m_sekurlsa_acquireLSA()	lsass.exe	PROCESS_VM_READ \| PROCESS_QUERY_INFORMATION	0x1410	for Windows Version < 5
sekurlsa::*	kuhl_m_sekurlsa_acquireLSA()	lsass.exe	PROCESS_VM_READ \| PROCESS_QUERY_LIMITED_INFORMATION	0x1010	for Windows Version >= 6
lsadump::lsa /patch	kuhl_m_lsadump_lsa_getHandle()	SamSs	PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION	0x1438
lsadump::lsa /inject	kuhl_m_lsadump_lsa_getHandle()	SamSs	PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION \| PROCESS_CREATE_THREAD	0x143a
lsadump::trust /patch	kuhl_m_lsadump_lsa_getHandle()	SamSs	PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION	0x1438
minesweeper::infos	kuhl_m_minesweeper_infos()	minesweeper.exe	PROCESS_VM_READ \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION	0x1418
misc:detours	kuhl_m_misc_detours_callback_process()	*	GENERIC_READ		omitted because of the very generic ACCESS_MASK
misc:memssp	kuhl_m_misc_memssp()	lsass.exe	PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION	0x1438
process::suspend, process:stop, process:resume,process:imports, process:exports	kuhl_m_process_genericOperation()				omitted because of the very generic ACCESS_MASKs
vault::cred /patch	kuhl_m_vault_cred()	SamSs	PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION	0x1438
token::list, token::elevate, token::run	querying all processes on the system	*		first 0x1400 then 0x40	all three commands result in a call to kull_m_token_getTokens() which first iterates over all processes and threads with OpenProcess(PROCESS_QUERY_INFORMATION (0x1400)) (kull_m_token_getTokens_process_callback()) and then again to get the tokens OpenProcess(PROCESS_DUP_HANDLE (0x40)) (in kull_m_handle_getHandlesOfType_callback()) to duplicate the Tokens. This results in many thousand (!) Events with ID 10 (!)
crypto::cng	kull_m_patch_genericProcessOrServiceFromBuild() via kuhl_m_crypto_p_cng()	KeyIso	PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION	0x1438
event::drop	kull_m_patch_genericProcessOrServiceFromBuild() via kuhl_m_event_drop()	EventLog	PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION	0x1438	this event does not get logged! :O mimikatz seems to be fast enough to apply the patch before the event gets logged!
misc::ncroutemon	kull_m_patch_genericProcessOrServiceFromBuild() via kuhl_m_misc_ncroutemon()	dsNcService	PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION	0x1438
ts::multirdp	kull_m_patch_genericProcessOrServiceFromBuild() via kuhl_m_ts_multirdp()	TermService	PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION	0x1438

References#

https://blog.3or.de/hunting-mimikatz-with-sysmon-monitoring-openprocess.html