Detected by Defender
Hi,
This tool looks good. However, when executing .\giuda.exe -gettgs -luid:0x[LUID] -msdsspn:http/dc1, Defender detects this. If Enter-PSSession -ComputerName dc1 is attempted afterwards, this results in the error "Processing data from remote server dc1 failed with the following error message: WinRM cannot process the request. The following error with errorcode 0x8009030e occurred while using Kerberos authentication: A specified logon session does not exist. It may already have been terminated".
Did you download the latest? Post a screenshot. Thx
I downloaded the binary yesterday, my time of course. That seems to be the latest release.
My test scenario is as follows. I have local admin access to server1 on which domainadmin1 is logged on. On server3, which typically would be a client's workstation/laptop or my own Windows VM in the real world, I execute runas and authenticate using the local admin credentials on server1. In the new shell I first copy giuda.exe to server1 then I execute psexec with the "-s" parameter in order to get a shell as SYSTEM on server1. In the SYSTEM shell I then use Giuda as instructed until Defender aborts it. My guess is that when Giuda attempts to pass the TGS into memory on server1 that triggers Defender. Defender logs this as "Behavior:Win32/Mimikatz.O" which seems to fit in with the PTT.
Even if I disable Defender on server1, which I can do as local admin, using winrs fails. Note that I first check that WinRM is set up properly on dc1.adlab.local. If I execute winrs directly on server1 logged in as domainadmin1, it works. I get a shell on dc1.adlab.local.
Are you sure that you can use winrm with HOST spn?
BTW, use the latest release.