AnsweredAssumed Answered

QID 90954 - Protection from mimikatz

Question asked by adamc on May 30, 2017
Latest reply on Jun 5, 2017 by Robert Dell'Immagine

QID - 90954 - Windows Update For Credentials Protection and Management (Microsoft Security Advisory 2871997)

 

Even with the patch (KB2871997) installed on the Windows system, it is still vulnerable to mimikatz or similar style credential stealing.  I do not know what Qualys detects on for showing vulnerable or not vulnerable, but I can tell you from experience that existence of the patch does not prevent the exploitation from occurring.  And an asset that by Qualys' detection logic shows as not vulnerable, is actually still vulnerable.  

 

Even Microsoft says so:  https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/

 

Even though KB2871997 is installed, it doesn’t mitigate WDigest’s storage of clear text passwords in LSASS memory — it gives you the ability to change this behavior. However, disabling this function could break applications that utilize WDigest. The update is available for Vista/Win7/Win8/Win8.1/2008/2008 R2/2012/2012 R2. All newer OS's have this function disabled by default. To completely remediate the vulnerability the update must be installed and set ‘UseLogonCredential’ value to 0 in “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest”

Outcomes