MouriNaruto
commented
3 years ago I am really appreciate with you because you let me know that. It's really helpful for me.
Many people have reported me they meet the issue and I found the failed step is getting SYSTEM token, and I make a solution and they found the issue solved. You can try this new behavior in https://github.com/M2Team/NSudo/releases/tag/9.0-Preview1.
NSudo will try to open the access token from lsass.exe for maximum privileges in the access token, and try to open the access token from winlogon.exe of current active session as fallback.
I will try to analyse the information you provided me and hope to improve the fallback solution of getting SYSTEM token.
Kenji Mouri
If LSA Protection is enabled according to Microsoft or you Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool and you reboot the PC you cannot elevate privileges when this setting is enabled unless the setting is removed, disable Secure Boot (If has been enabled) and erase NVRAM settings (only if setting on efi variables is not removed).
...Or bypass RunAsPPL protection with Mimikatz:
This happens when PsProtectedSignerWinTcb (only enable with Mimikatz) or PsProtectedSignerLsa-Light protection on Lsass.exe is enabled when RunAsPPL registry key is enabled, or this setting is stored on Efi variables in NVRAM (efi variables of this settings only SecureBoot is enabled):
However ExecTI works even any LSA Protection is enabled and no drivers... Maybe this info? (Credits for itm4n)
I find this temporary solution using this page (thanks itm4n for this info) which explains what is PPL and how it works, and how RunAsPPL is bypassed using an signed kernel driver of Mimikatz.
Hope this information helps to make Nsudo run in an secure system!