M2TeamArchived / NSudo

[Deprecated, work in progress alternative: https://github.com/M2Team/NanaRun] Series of System Administration Tools
https://nsudo.m2team.org/

NSudo fails to execute any program when LSA Protection (RunAsPPL) in Lsass (Local Security Authority Process) is enabled #79

Closed md500 closed 2 years ago

md500 commented 3 years ago

If LSA Protection is enabled (following Microsoft's instructions), or you enable Windows Defender Credential Guard using the HVCI and Windows Defender Credential Guard hardware readiness tool, and you reboot the PC, you cannot elevate privileges while this setting is enabled unless the setting is removed, Secure Boot is disabled (if it has been enabled) and the NVRAM settings are erased (only if the setting in the EFI variables is not removed).

...Or bypass RunAsPPL protection with Mimikatz:

NSUDO WORKS IF PsProtectedSignerLsa-Light OR PsProtectedSignerWinTcb IS DISABLED:
Nsudo Works! log.txt

This happens when PsProtectedSignerWinTcb (only enabled with Mimikatz) or PsProtectedSignerLsa-Light protection on lsass.exe is enabled, i.e. when the RunAsPPL registry key is enabled or this setting is stored in the EFI variables in NVRAM (the EFI variables for this setting apply only if Secure Boot is enabled):

RunAsPPL LogErrorPPL.txt

Nsudo Fail! logError.txt

However, ExecTI works even when any LSA Protection is enabled, and with no drivers... Maybe this info helps? (Credits to itm4n)

ExecTI works even when lsass.exe is protected with PsProtectedSignerWinTcb or PsProtectedSignerLsa-Light, but NSudo gives an error if any protection is enabled.

I found this temporary solution using this page (thanks to itm4n for this info), which explains what PPL is and how it works, and how RunAsPPL is bypassed using Mimikatz's signed kernel driver.

Hope this information helps to make NSudo run on a secure system!
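The report above depends on several settings that can each put lsass.exe into protected mode (the RunAsPPL registry value, its UEFI-variable copy when Secure Boot is on, or Credential Guard). The following script is an added example, not code from the issue or from NSudo: it reads those settings and checks the Wininit boot event that records whether lsass.exe actually started protected, so you can tell which path NSudo will hit before running it. It assumes an elevated PowerShell on the target machine; every registry value, event and WMI class used is a documented built-in one, and the value decoding follows Microsoft's LSA protection documentation.

```powershell
# Added example (not part of the issue or NSudo): report the LSA protection state.
# Run from an elevated PowerShell; nothing here changes any setting.

function Get-LsaProtectionState {
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # Documented meaning of the registry value:
    #   1 = LSA protection on, also persisted in a UEFI variable when Secure Boot is on
    #   2 = LSA protection on, registry only (no UEFI variable)
    $runAsPplMeaning = switch ($runAsPpl) {
        1       { 'enabled, with UEFI variable' }
        2       { 'enabled, registry only' }
        default { 'not configured' }
    }

    # At boot, Wininit logs event 12 in the System log when lsass.exe started as a
    # protected process ("LSASS.exe was started as a protected process with level: 4").
    # This is true regardless of which of the three settings caused it.
    $bootEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue

    # Secure Boot decides whether the UEFI-variable copy of the setting is in play.
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not applicable".
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }

    # Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when it is
    # running and 2 when HVCI is running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    $hvci      = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    [pscustomobject]@{
        RunAsPPL             = $runAsPpl
        RunAsPPLMeaning      = $runAsPplMeaning
        LsassProtectedAtBoot = [bool]$bootEvent
        LsassBootMessage     = if ($bootEvent) { $bootEvent.Message.Trim() } else { $null }
        SecureBoot           = $secureBoot
        CredentialGuard      = $credGuard
        HVCI                 = $hvci
    }
}

Get-LsaProtectionState | Format-List
```

If `LsassProtectedAtBoot` is true, lsass.exe is a PPL for this boot no matter what the registry says now; a value of 1 in `RunAsPPL` together with `SecureBoot` true is the case the reporter describes where clearing the registry alone is not enough, because the UEFI variable still applies on the next boot.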

MouriNaruto commented 3 years ago

I really appreciate that you let me know about this. It's really helpful for me.

Many people have reported to me that they hit this issue. I found the failing step is getting the SYSTEM token, so I made a solution and they found the issue solved. You can try this new behavior in https://github.com/M2Team/NSudo/releases/tag/9.0-Preview1.

NSudo will try to open the access token of lsass.exe, for the maximum set of privileges in the access token, and fall back to opening the access token of winlogon.exe in the current active session.

I will try to analyse the information you provided and hope to improve the fallback solution for getting the SYSTEM token.

Kenji Mouri
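The token acquisition order described in the comment above (lsass.exe first, winlogon.exe of the active console session as fallback), written out as an added example. This is not NSudo's, ExecTI's or the issue's code; it uses plain Win32 calls through P/Invoke and assumes an elevated PowerShell 5.1 or later session whose token holds SeDebugPrivilege. The access masks, process names and constants are standard Win32 values, not anything NSudo-specific. It deliberately opens the process with PROCESS_QUERY_INFORMATION, which is an access a protected process (PPL) denies even to holders of SeDebugPrivilege, so on a RunAsPPL machine the lsass.exe path fails with error 5 and the code falls through to winlogon.exe.

```powershell
# Added example, not code from NSudo or ExecTI: get a SYSTEM primary token from
# lsass.exe, falling back to winlogon.exe of the active console session when
# lsass.exe is a protected process. Run elevated.

if (-not ('TokenApi' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenApi {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern uint WTSGetActiveConsoleSessionId();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr prevLen);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int impLevel, int type, out IntPtr dup);
}
'@
}

function Get-LastError { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

# SeDebugPrivilege is present but disabled in an elevated token; enable it so that
# OpenProcess succeeds on SYSTEM processes whose DACL does not grant Administrators access.
function Enable-Privilege([string]$Name) {
    $tok = [IntPtr]::Zero
    $TOKEN_ADJUST_PRIVILEGES_OR_QUERY = 0x20 -bor 0x8
    if (-not [TokenApi]::OpenProcessToken([TokenApi]::GetCurrentProcess(), $TOKEN_ADJUST_PRIVILEGES_OR_QUERY, [ref]$tok)) {
        throw "OpenProcessToken(self) failed, error $(Get-LastError)"
    }
    try {
        $luid = New-Object TokenApi+LUID
        if (-not [TokenApi]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "LookupPrivilegeValue failed, error $(Get-LastError)" }
        $tp = New-Object TokenApi+TOKEN_PRIVILEGES
        $tp.Count = 1; $tp.Luid = $luid; $tp.Attr = 2   # SE_PRIVILEGE_ENABLED
        [void][TokenApi]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        # AdjustTokenPrivileges returns TRUE even when nothing was assigned; 1300 = ERROR_NOT_ALL_ASSIGNED
        if ((Get-LastError) -ne 0) { throw "$Name could not be enabled (error $(Get-LastError)); run this elevated" }
    } finally { [void][TokenApi]::CloseHandle($tok) }
}

function Get-SystemPrimaryToken {
    Enable-Privilege 'SeDebugPrivilege'
    $PROCESS_QUERY_INFORMATION = 0x0400     # denied by PPL; PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is not
    $TOKEN_QUERY_DUPLICATE     = 0x8 -bor 0x2
    $TOKEN_ALL_ACCESS          = 0xF01FF
    $SecurityImpersonation = 2; $TokenPrimary = 1

    # Same order as NSudo 9.0 Preview 1 per the maintainer: lsass.exe, then winlogon.exe of the active session.
    $session = [TokenApi]::WTSGetActiveConsoleSessionId()
    $candidates = @(
        @{ Name = 'lsass.exe';    Proc = (Get-Process -Name lsass -ErrorAction SilentlyContinue | Select-Object -First 1) }
        @{ Name = 'winlogon.exe'; Proc = (Get-Process -Name winlogon -ErrorAction SilentlyContinue |
                                          Where-Object { $_.SessionId -eq $session } | Select-Object -First 1) }
    )
    foreach ($c in $candidates) {
        if (-not $c.Proc) { Write-Warning "$($c.Name): no process found"; continue }
        $hProc = [TokenApi]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$c.Proc.Id)
        if ($hProc -eq [IntPtr]::Zero) {
            # With RunAsPPL this is where lsass.exe drops out: error 5 (ERROR_ACCESS_DENIED).
            Write-Warning "$($c.Name) (PID $($c.Proc.Id)): OpenProcess failed, error $(Get-LastError)"; continue
        }
        try {
            $hTok = [IntPtr]::Zero
            if (-not [TokenApi]::OpenProcessToken($hProc, $TOKEN_QUERY_DUPLICATE, [ref]$hTok)) {
                Write-Warning "$($c.Name): OpenProcessToken failed, error $(Get-LastError)"; continue
            }
            try {
                $hDup = [IntPtr]::Zero
                if (-not [TokenApi]::DuplicateTokenEx($hTok, $TOKEN_ALL_ACCESS, [IntPtr]::Zero, $SecurityImpersonation, $TokenPrimary, [ref]$hDup)) {
                    Write-Warning "$($c.Name): DuplicateTokenEx failed, error $(Get-LastError)"; continue
                }
                $id = New-Object System.Security.Principal.WindowsIdentity -ArgumentList $hDup
                return [pscustomobject]@{ Source = $c.Name; ProcessId = $c.Proc.Id; User = $id.Name; Token = $hDup }
            } finally { [void][TokenApi]::CloseHandle($hTok) }
        } finally { [void][TokenApi]::CloseHandle($hProc) }
    }
    throw 'Neither lsass.exe nor winlogon.exe yielded a token'
}

$t = Get-SystemPrimaryToken
"Got a primary token for $($t.User) from $($t.Source) (PID $($t.ProcessId))"
# $t.Token is a primary token you can hand to CreateProcessWithTokenW or CreateProcessAsUser; close it when done.
```

On a machine without LSA protection the first warning never appears and the token comes from lsass.exe; with RunAsPPL enabled you see the OpenProcess failure for lsass.exe and the winlogon.exe token instead, which is the behaviour the maintainer describes for the fix. Note the caveat in the comment: a PPL still allows PROCESS_QUERY_LIMITED_INFORMATION, and whether OpenProcessToken then succeeds against a protected lsass.exe is not something this thread establishes, so the example does not rely on it.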

MouriNaruto commented 3 years ago

> However, ExecTI works even when any LSA Protection is enabled, and with no drivers...

I have analysed ExecTI and found it only opens the access token of winlogon.exe in the current active session.


Kenji Mouri

MouriNaruto commented 2 years ago

Closed issue because NSudo 9.0 Preview 1 fixed that.