
Enable LSA protections - Mimikatz

Description: Looks to see if the lsass process is protected

What The Data Shows: It will show which machines do not have lsass protections in place. This can lead to reading or injecting lsass to read hashes. If the result is 1, it means LSA protection is enabled.

SQL: 

SELECT name,type,
    CASE cnt
        WHEN 0 THEN "DISABLED"
        ELSE "ENABLED"
    END "LSM Protection",
    datetime(mtime,"unixepoch","localtime") AS last_registry_write
FROM (SELECT *,COUNT(*) AS cnt
      FROM registry
      WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\RunAsPPL');


3 Comments
jnelson
Carbon Black Employee
Status changed to: Under Review

@ksnihur this type of query will only return results if the LSA protections are in place, because otherwise the key does not exist. The lack of any results could confuse people. When you are creating queries like these, I suggest using something similar to the following query, as it will tell the user if the protections are enabled or not:

SELECT name,type,
    CASE cnt
        WHEN 0 THEN "DISABLED"
        ELSE "ENABLED"
    END "LSM Protection",
    datetime(mtime,"unixepoch","localtime") AS last_registry_write
FROM (SELECT *,COUNT(*) AS cnt
      FROM registry
      WHERE path='HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\RunAsPPL');
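An added example, not part of jnelson's reply or the approved query: it keeps the same COUNT(*) pattern so a missing value still produces a row, but also reads the value's data, so a RunAsPPL that exists and is set to 0 is not reported as ENABLED. It assumes osquery's registry table (columns key, path, name, type, data, mtime) returns REG_DWORD data as text, and keeps the path escaping used in the thread.

```sql
-- Added example (not the original post's or jnelson's query).
-- Assumption: osquery returns REG_DWORD data as a decimal string, so it is cast before comparing.
SELECT
    CASE
        WHEN cnt = 0 THEN 'NOT CONFIGURED'              -- value absent: no LSA protection configured
        WHEN CAST(data AS INTEGER) = 0 THEN 'DISABLED'  -- value present but explicitly set to 0
        ELSE 'ENABLED'                                  -- 1, or 2 on newer Windows builds
    END AS lsa_protection,
    data AS run_as_ppl_value,                           -- raw value for the analyst to see
    datetime(mtime, 'unixepoch', 'localtime') AS last_registry_write
FROM (
    -- COUNT(*) without GROUP BY always yields exactly one row, even when nothing matches
    SELECT *, COUNT(*) AS cnt
    FROM registry
    WHERE path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\RunAsPPL'
);
```

Devices reporting NOT CONFIGURED or DISABLED are the ones where lsass is not running as a protected process and should be prioritised for remediation.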
ksnihur
Contributor II

Thanks @jnelson, the change has been updated and I'll use this for a couple of others I'm writing.

jnelson
Carbon Black Employee
Status changed to: Approved