skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

Add ly4k's changes for detecting LSA Isolated Data #157

Closed rtpt-romankarwacik closed 2 weeks ago

rtpt-romankarwacik commented 1 month ago

This adds the changes from https://github.com/ly4k/Pypykatz for detecting LSA Isolated Data.

skelsec commented 1 month ago

Hello, thank you for the PR! Before I can merge it, I'd like to ask a few questions mainly on the testing/signature side:

rtpt-romankarwacik commented 1 month ago

have you tested this on all/multiple versions of windows? did it pass on all of them?

I tested it against Win 10 19H1 18362 w/o Credential Guard, and Win 11 23H2 22631 with Credential Guard enabled. For those two it worked.

would it be possible for you to give sample dumps so I can integrate those in the tests?

I uploaded credential_guard_win11_23H2_22631.dmp to the Nextcloud containing the dump with credential guard enabled on Win 11 23H2 22631.

rtpt-romankarwacik commented 1 month ago

Small correction, I noticed a dump created by NativeDump does not contain msv1_0.dll, so it does not parse properly. Additionally, in the minidump library the CSDVersionRva is not properly set and also crashes in https://github.com/skelsec/minidump/blob/main/minidump/streams/SystemInfoStream.py#L283; commenting the line out was the workaround I took. Not sure if this is something that should be handled by the library, or if NativeDump should include this info.

EDIT: See nativedump_credential_guard_win11_23H2_22631.dmp in the NextCloud folder.

skelsec commented 2 weeks ago

Sorry for the delay! I've tested it and it works! Thank you for your contribution!