Stealing Credentials with a Security Support Provider (SSP)


Mimikatz gives attackers several ways to steal credentials from memory or extract them from Active Directory. One of the most interesting is the misc::memssp command. An adversary can use it to plant a malicious Security Support Provider (SSP) on a Windows member server or domain controller (DC), and from then on that SSP records the clear-text password of every user and service account that authenticates on that system.


In this post, we will explore this attack and how attackers can use it to elevate their privileges.

SSP Attack Scenarios

A Security Support Provider is a dynamic-link library (DLL) that the Local Security Authority (LSA) loads to implement an authentication protocol through the Security Support Provider Interface (SSPI). Because every logon passes through these packages, an SSP sees the credentials being presented. Microsoft ships a number of SSPs, including Kerberos, NTLM (msv1_0), Negotiate, Digest (wdigest) and Schannel. Let’s look at some of the reasons an attacker might want to register a malicious SSP on a computer:

  • An attacker has compromised a member server as a local Administrator but has limited rights to move laterally throughout the domain.
  • An attacker has compromised a DC as a Domain Admin or Administrator but wants to elevate their privileges to Enterprise Admin to move laterally across domains.
  • An attacker has compromised a DC as a Domain Admin using a Pass-the-Hash attack but wants to leverage the clear text password of the admin to log into other applications, such as Outlook Web Access or a remote desktop connection.

In any of these scenarios, an SSP attack can be very effective.

Performing an SSP Attack

Performing an SSP attack is very simple. For this post, let’s focus on attacks that target a domain controller. Assume we have compromised a Domain Admin account and want to inject a malicious SSP into memory. Mimikatz needs SeDebugPrivilege to patch LSASS, so we first run privilege::debug and then issue the misc::memssp command:

[Image: running misc::memssp in Mimikatz]

Now the SSP is injected into memory. However, misc::memssp only patches the running LSASS process: if the DC is rebooted, the SSP is lost and must be injected again. An attacker who wants persistence instead registers the DLL that ships with Mimikatz, mimilib.dll, as a security package. That means copying the DLL into %SystemRoot%\System32 and adding its name to the Security Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, after which LSA loads it at every boot.

[Image: registering mimilib.dll as a security package]

Once the SSP is registered, every user who logs on to the DC, as well as every local service that starts under a domain or local account, has their password written to C:\Windows\System32\mimilsa.log. That file contains the clear-text passwords of all users who have logged on and of the service accounts running on the system:

[Image: contents of mimilsa.log showing captured clear-text passwords]

Protecting Against SSP Attacks

Detection

SSP attacks can be difficult to detect. To see whether any of your DCs have already been compromised by the persistent variant, you can run a PowerShell command that checks each DC in the domain for the existence of the mimilsa.log file. Hopefully, the results come back empty. Note that this check only catches an attacker who kept Mimikatz’s default file name; renaming the DLL and the log file defeats it, so it should be combined with a review of the Security Packages registry value on each DC.

[Image: PowerShell command checking each DC for mimilsa.log]
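The following script is an added example and is not the command shown in the article’s screenshot. It goes beyond the single file check: for every DC it reports whether mimilsa.log or mimilib.dll is present, lists the packages in the Security Packages registry value that are not on an allowlist, reads the LSA Protection (RunAsPPL) setting, and summarizes the packages LSA has recorded loading in Security event 4622 over the last 30 days. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell remoting (WinRM) to each DC, and that the allowlist below matches what your DCs legitimately load; adjust it if you deliberately run a third-party SSP.

```powershell
# Added example (not code from the original article): audit domain controllers
# for indicators of a rogue Security Support Provider.
[CmdletBinding()]
param(
    # Default: every DC in the current domain (requires the ActiveDirectory module).
    [string[]]$ComputerName = (Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty HostName),

    # Assumed allowlist of package names Windows itself may place in this value.
    # Current Windows Server builds leave the value empty; older builds list
    # the built-in packages by name. Anything else is reported.
    [string[]]$AllowedPackages = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')
)

$check = {
    param([string[]]$Allowed)

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # REG_MULTI_SZ comes back as a string array; drop empty entries.
    $packages = @((Get-ItemProperty -Path $lsa -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages') |
        Where-Object { $_ -and $_.Trim() -ne '' }
    $unexpected = @($packages | Where-Object { $Allowed -notcontains $_.ToLower() })

    # Event 4622: "A security package has been loaded by the Local Security Authority".
    # Pull the SecurityPackageName field from the event XML rather than parsing the message.
    $loaded = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4622; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'SecurityPackageName' } |
                Select-Object -ExpandProperty '#text'
        } | Sort-Object -Unique)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MimilsaLogPresent  = Test-Path "$env:SystemRoot\System32\mimilsa.log"
        MimilibDllPresent  = Test-Path "$env:SystemRoot\System32\mimilib.dll"
        SecurityPackages   = ($packages -join ' ')
        UnexpectedPackages = ($unexpected -join ' ')
        # 1 or 2 means LSA Protection is on; empty means the value was never set.
        LsaProtection      = (Get-ItemProperty -Path $lsa -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL
        PackagesLoaded30d  = ($loaded -join ' ')
    }
}

# Run the check on every DC in parallel; a DC that cannot be reached is reported as an error, not skipped silently.
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ArgumentList (, $AllowedPackages) -ErrorAction Continue

$results | Format-Table ComputerName, MimilsaLogPresent, MimilibDllPresent, UnexpectedPackages, LsaProtection -AutoSize

$suspect = $results | Where-Object { $_.MimilsaLogPresent -or $_.MimilibDllPresent -or $_.UnexpectedPackages }
if ($suspect) {
    Write-Warning ("Possible rogue SSP on: " + (($suspect | ForEach-Object ComputerName) -join ', '))
} else {
    Write-Host "No rogue SSP indicators found on $($results.Count) domain controller(s)."
}
```

Run it from a privileged admin workstation in a Tier 0 session; the file and registry checks need local administrator rights on each DC, and reading the Security log needs the same or membership in Event Log Readers. A DC that shows an unexpected package name, or a 4622 load of a package you did not deploy, should be treated as compromised and investigated rather than simply cleaned.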

Prevention

Since an SSP attack on a DC requires the attacker to already hold Domain Admin or local Administrator rights on that DC, the most effective prevention is to keep those accounts from being compromised: strictly limit membership in privileged groups, enforce strong account governance, and monitor the activity of privileged accounts. Two hardening measures raise the bar further. Enabling LSA Protection (the RunAsPPL setting) runs LSASS as a protected process, so the in-memory misc::memssp patch fails from an ordinary administrator process and LSA refuses to load an unsigned package such as mimilib.dll. Auditing changes to the Security Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (Security event 4657 with a SACL on the key, or Sysmon event 13) and reviewing Security event 4622, which records every package LSA loads, catches the persistent variant even when the attacker has renamed the DLL and its log file.

How Netwrix Can Help

With the Netwrix Active Directory security solution, you can identify security issues in your AD environment and fix the gaps before bad actors exploit them with tools like Mimikatz. It will enable you to:

  • Uncover security risks in Active Directory and prioritize your mitigation efforts.
  • Harden security configurations across your IT infrastructure.
  • Promptly detect and contain even advanced threats, such as DCSync and Golden Ticket attacks.
  • Respond to known threats instantly with automated response options.
  • Minimize business disruptions with fast Active Directory recovery.
