Open Papotito123 opened 4 years ago
Hello: Win 10 20H1 x64 local user.
I ran regedit as TrustedInstaller and as SYSTEM user, but in HKLM\SECURITY\Policy\Secrets you can only have DPAPI_SYSTEM with subkeys of: CupdTime, CurrVal, OldVal, OutputTime, SecDesc. No others. Also, there's no L$_SQSA_S-1-5-21-16xxxxxxxxxxxxxxxxx-100x found in the registry.
Still, the only tool to see LSA Secrets for Win 20H1 is SecurityQuestionsView from NirSoft.
But when talking about a MicrosoftAccount user, I have not found a tool that can read this user's LSA secrets.
Thanks
Hello: For the benefit of you and some other tools devs, with whom I have some contact, I reinstalled Windows 10 2004H1.
Windows 10 2004H1 (OS Build 19041.685) fresh installation for local user account and Defender turned OFF.
LSA Secrets are still not retrieved.
Any info much appreciated.
Hello: When I run mimikatz in Win 10 2004 x64, the LSA secrets are not retrieved (also in other tools). This works well in Win 10 1809 x64.
```
  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 16 2020 10:26:39
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # version

mimikatz 2.2.0 (arch x64)
Windows NT 10.0 build 19041 (arch x64)
msvc 150030729 207

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

84 {0;000003e7} 1 D 67669 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
 -> Impersonated !

mimikatz # lsadump::secrets
Domain : DESKTOP-RA99DA6
SysKey : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Local name : DESKTOP-RA99DA6 ( S-1-5-21-1615885338-2756042382-2413003415 )
Domain name : WORKGROUP

Policy subsystem is : 1.18
LSA Key(s) : 1, default {2572ce28-669a-2040-a310-e6723d2ed016}
  [00] {2572ce28-669a-2040-a310-e6723d2ed016} b80b05526a636216668db5546d5a132be6333b1b19dcf99920ef0c152774bda2

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 10 b2 f8 60 bf 72 e1 e4 20 2d 3d b9 0e 92 fc 8f 38 c4 9c 16 2e 24 b4 41 df 79 1f 40 1f ca 8a 88 b7 25 a1 27 ce f4 f1 38
    full: 10b2f860bf72e1e4202d3db90e92fc8f38c49c162e24b441df791f401fca8a88b725a127cef4f138
    m/u : 10b2f860bf72e1e4202d3db90e92fc8f38c49c16 / 2e24b441df791f401fca8a88b725a127cef4f138
old/hex : 01 00 00 00 46 dd df 87 be 6d 13 39 b6 fb 2d 97 81 04 ec fa d4 1a c6 fe e6 24 67 cb d6 94 6f 90 99 c5 5d 2c c5 3d 5b 3e fa 28 a1 c0
    full: 46dddf87be6d1339b6fb2d978104ecfad41ac6fee62467cbd6946f9099c55d2cc53d5b3efa28a1c0
    m/u : 46dddf87be6d1339b6fb2d978104ecfad41ac6fe / e62467cbd6946f9099c55d2cc53d5b3efa28a1c0

mimikatz #
```
Thanks.