Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
The following Atomic adds a registry entry to disable LSA Protection.
The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data. Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection. https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/ https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/
Supported Platforms: windows
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1 2 reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f
1 2 reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1