Mimikatz OpenProcess Modules

Details

| module | OpenProcess caller function | destination process / destination service | ACCESS_MASK | ACCESS_MASK translated | comment |
|---|---|---|---|---|---|
| sekurlsa::* | kuhl_m_sekurlsa_acquireLSA() | lsass.exe | PROCESS_VM_READ \| PROCESS_QUERY_INFORMATION | 0x1410 | for Windows version < 5 |
| sekurlsa::* | kuhl_m_sekurlsa_acquireLSA() | lsass.exe | PROCESS_VM_READ \| PROCESS_QUERY_LIMITED_INFORMATION | 0x1010 | for Windows version >= 6 |
| lsadump::lsa /patch | kuhl_m_lsadump_lsa_getHandle() | SamSs | PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION | 0x1438 | |
| lsadump::lsa /inject | kuhl_m_lsadump_lsa_getHandle() | SamSs | PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION \| PROCESS_CREATE_THREAD | 0x143a | |
| lsadump::trust /patch | kuhl_m_lsadump_lsa_getHandle() | SamSs | PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION | 0x1438 | |
| minesweeper::infos | kuhl_m_minesweeper_infos() | minesweeper.exe | PROCESS_VM_READ \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION | 0x1418 | |
| misc::detours | kuhl_m_misc_detours_callback_process() | * | GENERIC_READ | | omitted because of the very generic ACCESS_MASK |
| misc::memssp | kuhl_m_misc_memssp() | lsass.exe | PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION | 0x1438 | |
| process::suspend, process::stop, process::resume, process::imports, process::exports | kuhl_m_process_genericOperation() | | | | omitted because of the very generic ACCESS_MASKs |
| vault::cred /patch | kuhl_m_vault_cred() | SamSs | PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION | 0x1438 | |
| token::list, token::elevate, token::run | kull_m_token_getTokens() (queries all processes on the system) | * | PROCESS_QUERY_INFORMATION, then PROCESS_DUP_HANDLE | first 0x1400, then 0x40 | All three commands call kull_m_token_getTokens(), which first iterates over all processes and threads with OpenProcess(PROCESS_QUERY_INFORMATION) (0x1400, in kull_m_token_getTokens_process_callback()) and then opens each process again with OpenProcess(PROCESS_DUP_HANDLE) (0x40, in kull_m_handle_getHandlesOfType_callback()) to duplicate the tokens. This results in many thousands (!) of events with ID 10 (!) |
| crypto::cng | kull_m_patch_genericProcessOrServiceFromBuild() via kuhl_m_crypto_p_cng() | KeyIso | PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION | 0x1438 | |
| event::drop | kull_m_patch_genericProcessOrServiceFromBuild() via kuhl_m_event_drop() | EventLog | PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION | 0x1438 | **This event does not get logged! :O mimikatz seems to be fast enough to apply the patch before the event gets logged!** |
| misc::ncroutemon | kull_m_patch_genericProcessOrServiceFromBuild() via kuhl_m_misc_ncroutemon() | dsNcService | PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION | 0x1438 | |
| ts::multirdp | kull_m_patch_genericProcessOrServiceFromBuild() via kuhl_m_ts_multirdp() | TermService | PROCESS_VM_READ \| PROCESS_VM_WRITE \| PROCESS_VM_OPERATION \| PROCESS_QUERY_INFORMATION | 0x1438 | |
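As an added example (not code from the page or from the referenced blog post), a small Python hunt over Sysmon Event ID 10 records: it decodes GrantedAccess into PROCESS_* rights, matches it against the masks in the table above, and flags the token::* burst of 0x1400 opens. The field names follow Sysmon's Event ID 10 schema, the events are constructed, and the 0x1000 bit in the masks appears because the kernel grants PROCESS_QUERY_LIMITED_INFORMATION implicitly whenever PROCESS_QUERY_INFORMATION is granted.

```python
from collections import Counter

# PROCESS_* access rights from winnt.h (only the bits used in the table above).
PROCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# GrantedAccess values as Sysmon records them: requesting 0x400 implicitly grants
# 0x1000 as well, so the 0x410 that mimikatz asks for is logged as 0x1410.
SIGNATURES = {
    0x1410: ["sekurlsa::* (Windows < 6)"],
    0x1010: ["sekurlsa::* (Windows >= 6)"],
    0x1418: ["minesweeper::infos"],
    0x1438: ["lsadump::lsa /patch", "lsadump::trust /patch", "misc::memssp",
             "vault::cred /patch", "crypto::cng", "event::drop",
             "misc::ncroutemon", "ts::multirdp"],
    0x143A: ["lsadump::lsa /inject"],
}

def decode_mask(mask):
    """Split an ACCESS_MASK into known PROCESS_* names and the leftover bits."""
    names = [n for bit, n in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    return names, mask & ~sum(PROCESS_RIGHTS)

def classify(event):
    """Return the table rows whose mask equals this Event ID 10 GrantedAccess."""
    return SIGNATURES.get(int(event["GrantedAccess"], 16), [])

def token_storm(events, threshold=100):
    """token::* opens every process with 0x1400: flag sources with a burst of them."""
    counts = Counter(ev["SourceImage"] for ev in events
                     if int(ev["GrantedAccess"], 16) == 0x1400)
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample events (not real telemetry), using Sysmon's field names.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Tools\mk.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Tools\mk.exe", "TargetImage": LSASS, "GrantedAccess": "0x1438"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
] + [{"SourceImage": r"C:\Tools\mk.exe", "TargetImage": f"proc{i}.exe",
      "GrantedAccess": "0x1400"} for i in range(150)]
```

Pair the mask match with the TargetImage (lsass.exe for the sekurlsa and memssp rows) to cut noise, since 0x1000 and 0x1400 alone are common from legitimate tools.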

References

  • https://blog.3or.de/hunting-mimikatz-with-sysmon-monitoring-openprocess.html