Hidden aspects of mimikatz and
infrastructure protection by Sysmon+Splunk
In 2011 Benjamin Delpy released his side project that most recently became a key component of some ransomware worms that spread across Europe. Mimikatz became a ubiquitous tool in all manner of hacker penetrations, allowing intruders to quickly leapfrog from one connected machine on a network to the next as soon as they gain an initial foothold.
As we see,
What you need to know
Mimikatz is a console tool that has lots of modules. The full list of modules you can see here. I am going to highlight only the main three :
- Privilege – This module provides some commands to manipulate privilege on mimikatz process.
- Sekurlsa – This module extracts passwords, keys, pin codes, tickets from the memory of lsass. Also, this module can perform the well-known operation ‘Pass-The-Hash’ to run a process under other credentials with NTLM hash of the user’s password, instead of its real password.
Kerberos – This module can be used without any privilege. It permits to play with official Microsoft Kerberos API – and to create offline ‘Golden tickets’, free, long duration TGT tickets for any users.
Why do you need to be scared?
In a nutshell, with
It can make an impression that
As you can see, there are lots of reasons to detect mimikatz. The main question here is “How to do this?”. At the beginning of my way I tried to find some guides, articles, tutorials, etc. that would explain to me how to detect it. Most of them recommended only to monitor the access to lsass.exe with access mask 0x1010 and it’s very easy with Sysmon (EventID 10). But this way, we only see a usage of sekurlsa module.
With this option, I couldn’t see the start process and usage of any other module. This made me sad, that is why I decided to try harder to detect any command of any module. I made my own target configuration of
After all the tests I have noticed that each command has a unique call trace that allowed me to detect any single command. Following this way, I got call traces for 34 commands from 8 modules. Then I could exactly detect which command had been run. But this dream couldn’t become true: this technique has some problems.
First of all, each version of
Next step was to test PowerShell versions of
Some technical information
For this research, I have used Sysmon+Splunk. I tested
Possible sources and examples of suspicious logs:
How to feel secure
First of all stick to the principle of the least privilege. This means that Active Directory administrators have only the minimum required permissions to perform their tasks. Administrator by default can get debug privilege, but usually, he doesn’t need it. You just need to create a new group that has debug privilege and takes it away from administrators group. This way
The second recommendation – if you don’t use any special password filters, smart-cards or special protocols you need to change the value RunAsPPL of HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa on 1. After this Lsass.exe will work in secure mode and any process without Microsoft certificate will not have access rights to LSA process.
And the last one, to protect against attacks related to Kerberos you should use Flexible Authentication Secure Tunneling (FAST) that is part of the framework for Kerberos Pre-authentication. FAST provides a protected channel between the client and the Key Distribution Center (KDC), and it can optionally deliver key material used to strengthen the reply key within the protected channel. With FAST in place, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm.
With FAST enabled and required, brute forcing the reply key is no longer possible and the highest possible cryptographic protocols and cipher strengths are guaranteed to be used by Windows clients in their pre-authentication traffic with Windows Server Domain Controllers.
In this article, we explain mimikatz as a dangerous tool hackers use to steal the credentials and get into your system. Also, it may be used as a part of the virus code that will, later on, be spread all over the environment. Recently Mimikatz has become a very popular means of penetration to hack the infrastructure and take your money and sensitive data. It allows the intruders to quickly leapfrog from one connected machine on a network to the next once they receive an opening foothold. Our security engineers have prepared some pieces of advice on how to hunt the mimikatz using Sysmon and some SIEM, especially Splunk. They will help you prevent new attacks in the future. So, now you can feel secure because you are under defense.
Get the Help You Need
Cybersecurity is our core expertise. Let’s get in touch and you will learn more about how UnderDefense can benefit your organization
UnderDefense and Accedian Partner to Deliver Cyber Resiliency SuitePress Release: January 19, 2021 UnderDefense and Accedian announced the launch of a partnership product to provide businesses with a suite of cyber security services. The main aim of our team is to...
Risk-based cyber resiliency Customer view: Guest blog by Michael Rezek, VP, Cybersecurity Strategy at AccedianIt’s may be possible to spend less on cybersecurity and get more protectionWhat we have witnessed over the last couple of decades as the traditional approach...
Detecting reconnaissance activity in your networkBy Bogdan VennykOne of the main services we provide at UnderDefense is 24x7 Monitoring with our Security Operation Center (SOC) and a critical part of great SOC is ..., RIGHT! - its detection capabilities. That is why...