gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

sekurlsa::logonpasswords shows hashed password #262

Open hensys1 opened 4 years ago

hensys1 commented 4 years ago

Hey, I was wondering why, when you run privilege::debug and sekurlsa::logonpasswords, the password doesn't come out in plaintext but instead as: dad

You can see here that the password comes not in plaintext but hashed (blue underlining). The plaintext used to come under WDigest, and I operate on a Dell with Windows Defender as the AV. I also have the registry key (UseLogonCredential) with the right settings in the right place, rechecked many times, and still nothing works. TBAL{68EDDCF5-0AEB-4C28-A770-AF5302ECA3C9}

Papotito123 commented 4 years ago

Hello: As I read, this TBAL is a logon token used as authorization for sign-in, and it shows this TBAL instead of the real plain-text. Maybe Defender is running something in the background even if you disable it. If you run tools that could trigger Defender too many times, it will get into a panic. Try restarting the computer. Wait a few minutes and disable Defender. Then try mimikatz. I asked about this and I can't find a way to deal with this TBAL. As far as wdigest grabbing TBAL as the password goes, you are doing it right, but the OS is simply substituting your plain-text with a generic token.

hensys1 commented 4 years ago

Alright, so what you want me to do is:

Also, if there's any other way to fix this, please let me know.

Papotito123 commented 4 years ago

Hello: TBAL is a sign-in token. So if it is grabbed as wdigest, then memssp is working. I never said hours. Just restart the computer, let it fully boot and enter the OS. Also, if you want, grab a tool that completely disables Defender, then run memssp. I have Avast installed, so I disabled it for some minutes to run mimikatz. But... that is not a 100% guarantee that TBAL won't show. Even if you disable Defender Real-time, or even if you have a third-party AV (that will put Defender in some snooze mode but not totally disable it), there's a chance to grab TBAL. Believe me, I have had this issue for more than 1 year. Sometimes it grabs my plain-text password and other times it grabs TBAL. I asked the mimikatz dev more than once about this. He just says it can be that lsass.exe is protected, or some AV background process, or some Defender module is doing its job. Defender is much more than Real-Time protection, and big trouble when running alone.

gentilkiwi commented 4 years ago

Maybe take a look at: https://twitter.com/gentilkiwi/status/1030228689416540161 (you can also dump current secrets, no need to get the hives)

JStanula commented 3 years ago

I've found a solution! I've tested it on the latest Windows 10 version, 20H2_v2. I also had the problem of TBAL showing instead of the text password, so I started my research and found that TBAL is connected with ARSO (Automatic Restart Sign-On). After typing ARSO, the first link led me to Microsoft's description of it as well as how to disable it. I've tried it and it worked! https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-

In short: you need to change the registry value from 0 to 1, or add it if there isn't one.

Policy registry location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value name: DisableAutomaticRestartSignOn
Type: DWORD
Data: 0 (Enable ARSO), 1 (Disable ARSO)

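Added example, not code from this thread or from the mimikatz project: the PowerShell below audits the three registry values the thread discusses (the ARSO policy value above, the WDigest UseLogonCredential value, and LSA RunAsPPL) and, with -Harden, writes the defensive value for each. The registry paths and value names are the ones in Microsoft's documentation; the function names, the -Harden switch and the "default when the value is missing" interpretation are assumptions made for this example (it assumes Windows 8.1 / Server 2012 R2 or later, where WDigest does not cache cleartext unless UseLogonCredential is 1, and where ARSO is on unless DisableAutomaticRestartSignOn is 1). Read from the other side, the same report tells a tester whether sekurlsa::wdigest is going to show a password or a TBAL token on this host.

```powershell
# Audit / harden the LSASS-related registry settings discussed in this issue.
# Example code written for this thread, not part of mimikatz. Run elevated.
#Requires -RunAsAdministrator
[CmdletBinding()]
param([switch]$Harden)   # -Harden is an assumption of this example, not a Windows option

# Paths and value names are from Microsoft documentation; DefaultWhenMissing is the
# value Windows behaves as if it had when the value is absent (assumed: Win 8.1+/2012 R2+).
$Settings = @(
    [pscustomobject]@{
        Name               = 'ARSO (DisableAutomaticRestartSignOn)'
        Path               = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value              = 'DisableAutomaticRestartSignOn'
        DefaultWhenMissing = 0       # absent => ARSO enabled
        SafeData           = 1       # 1 => ARSO disabled, no TBAL credential staged across a restart
        Weakness           = 'ARSO enabled: a TBAL token is staged for the next restart and shows up where a password would'
    },
    [pscustomobject]@{
        Name               = 'WDigest (UseLogonCredential)'
        Path               = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
        Value              = 'UseLogonCredential'
        DefaultWhenMissing = 0       # absent => no cleartext caching on modern Windows
        SafeData           = 0
        Weakness           = 'UseLogonCredential=1: LSASS keeps cleartext passwords for WDigest'
    },
    [pscustomobject]@{
        Name               = 'LSA protection (RunAsPPL)'
        Path               = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value              = 'RunAsPPL'
        DefaultWhenMissing = 0       # absent => LSASS not a protected process
        SafeData           = 1
        Weakness           = 'RunAsPPL unset/0: LSASS memory readable by any process holding SeDebugPrivilege'
    }
)

function Get-LsaSetting {
    param([pscustomobject]$S)
    # Get-ItemProperty fails if the key or value is missing; treat that as "not present".
    $raw = (Get-ItemProperty -Path $S.Path -Name $S.Value -ErrorAction SilentlyContinue).($S.Value)
    $effective = if ($null -eq $raw) { $S.DefaultWhenMissing } else { [int]$raw }
    [pscustomobject]@{
        Setting   = $S.Name
        Present   = ($null -ne $raw)
        Effective = $effective
        Weak      = ($effective -ne $S.SafeData)
        Note      = if ($effective -ne $S.SafeData) { $S.Weakness } else { 'ok' }
    }
}

function Set-LsaSetting {
    param([pscustomobject]$S)
    # Create the key if needed (the Policies\System key may not exist on a workgroup box),
    # then write the DWORD. -Force overwrites an existing value of any type.
    if (-not (Test-Path -Path $S.Path)) { New-Item -Path $S.Path -Force | Out-Null }
    New-ItemProperty -Path $S.Path -Name $S.Value -PropertyType DWord -Value $S.SafeData -Force | Out-Null
}

$report = $Settings | ForEach-Object { Get-LsaSetting -S $_ }
$report | Format-Table -AutoSize

if ($Harden) {
    foreach ($s in $Settings) { Set-LsaSetting -S $s }
    Write-Host 'Values written. ARSO/WDigest changes apply to new logon sessions (users must sign out and back in); RunAsPPL requires a reboot.'
}
```

Note that the values only change what LSASS holds for sessions created after the change, which is why several comments in this thread talk about waiting for a re-login: credentials already in memory are not rewritten. A defender watching for this kind of tampering can alert on Sysmon Event ID 13 (RegistryEvent, value set) for these three value paths, since an attacker flipping UseLogonCredential to 1 or DisableAutomaticRestartSignOn to 1 is the usual prelude to a later sekurlsa::wdigest run.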

Papotito123 commented 3 years ago

Hello: I read about this some time ago. Also, this TBAL token (Trusted Boot Auto-Logon) is written after a Restart or Shutdown, but not while the system is in Hibernation or when the user signs out. And anyway, the "real NTLM/SHA1 user password hashes" can be retrieved even though the TBAL is "retrieved" as the user password. Cool. But you have to create and modify the wdigest and DisableAutomaticRestartSignOn keys, and wait for (or oblige) a user to re-login. These nplogonnotify, runasppl and DisableAutomaticRestartSignOn tricks all come down to modifying reg keys and having a victim re-login to "catch" the plain-text user password. Even the memssp trick needs a re-login to work.

Thanks.