Sunday, October 1, 2023
Latest:

Cyberwarzone

Your Cyber Knowledge Base

Mimikatz banner 2023
Tools

Inside Mimikatz: The Go-To Tool for Cyber Attackers Explained

Reza Rafati

Since its debut in 2011, Mimikatz, designed by French security researcher Benjamin Delpy, has caused sleepless nights for many in the cybersecurity field. Originally created to showcase Windows security vulnerabilities, this potent tool has found a home within the arsenal of cybercriminals, making it one of the most powerful intrusion weapons.

Download Mimikatz from Github.com

What is Mimikatz?

Mimikatz is an open-source utility used to gather credential data from Windows systems. Despite its initial role as a demonstration tool, the darker corners of the cyber world have harnessed Mimikatz’s capabilities, transforming it into a notorious tool for bypassing system security and accessing confidential information.

MIMIKATZ projects on Github
MIMIKATZ projects on Github

Under the Hood: How Does Mimikatz Work?

The real strength of Mimikatz lies in its ability to “dump” credentials from the system. This allows it to access confidential information such as usernames, passwords, and pin codes, especially when these are stored without adequate security measures.

Mimikatz version from 2014
Mimikatz version from 2014

Access Token Manipulation

Mimikatz is renowned for its ability to manipulate Security Identifiers (SIDs) via the MISC::AddSid module. This feature allows unauthorized privilege escalation and access control bypass by appending any SID or user/group account to a user’s SID-History.

Account Manipulation

Through its LSADUMP::ChangeNTLM and LSADUMP::SetNTLM modules, Mimikatz is capable of changing the password hash of an account without knowledge of the clear text value. This capability provides a pathway for the attacker to impersonate any user.

Credential Dumping

Mimikatz’s most notorious feature is credential dumping. It thrives on acquiring account and password information from various sources, such as the Windows Credential Manager, Local Security Authority (LSA), and the Security Account Manager (SAM). Furthermore, it uses DCSync for domain replication, a feature designed for Domain Controllers (DCs).

DCSync Attack

The DCSync attack allows threat actors to masquerade as a domain controller (DC), a critical server in Windows network infrastructure. This impersonation is more than skin deep, allowing the adversary to mimic the complex domain replication process, the cornerstone of DC functionality.

So, why does a threat actor want to play the role of a domain controller? The answer lies in the treasure trove of password data that DCs hold. By exploiting the replication process, DCSync attackers can retrieve this sensitive data right from the DC’s digital vault.

But the DCSync attack isn’t an end in itself—it’s a means to a more insidious end. Typically, this attack serves as the precursor to a “Golden Ticket” attack. Why? Because DCSync allows the attacker to retrieve a very specific and powerful piece of data: the KRBTGT hash.

In essence, the KRBTGT hash is the proverbial “master key” to the kingdom, providing unrestricted access to all resources in a network. Once an attacker has this in their possession, they can create a Golden Ticket, an all-access pass to the network, making them virtually unstoppable.

What can the Mimikatz tool do?
What can the Mimikatz tool do?

Stealing or Forging Kerberos Tickets

Mimikatz also targets the Kerberos protocol, a network authentication standard used by Windows. It can create ‘Golden Tickets’ and ‘Silver Tickets’, offering cybercriminals unlimited access to network resources.

How Cybercriminals Use Mimikatz

Mimikatz has become a standard part of a cybercriminal’s toolkit. Its ability to steal and manipulate credentials makes it a valuable tool for lateral movement within a network, bypassing security measures, and achieving persistent access. Its use ranges from simple cybercrime incidents to more advanced persistent threats (APTs) conducted by state-sponsored groups.

APT Groups which used Mimikatz

Sandworm TeamDarkHydrusAPT29
APT33LeafminerOilRig
CleaverCarbanakKimsuky
Wizard SpiderAPT41APT28
FIN7ChimeraDragonfly
Earth LuscaCobalt GroupBRONZE BUTLER
LAPSUS$HEXANEPittyTiger
Threat Group-3390menuPassBackdoorDiplomacy
Tonto TeamBlue MockingbirdFIN6
Magic HoundTurlaAPT38
MuddyWaterAPT32GALLIUM
WhiteflyThripIndrik Spider
TA505TEMP.VelesKe3chang
APT39APT1
APT groups which used Mimikatz

The Variants of Mimikatz

While the original Mimikatz tool remains a potent threat, various modified versions have appeared over the years. One example is 'Invoke-Mimikatz', a PowerShell version of the tool. Other groups, like Threat Group-3390, have used a modified version called ‘Wrapikatz‘.

You might be interested in reading the Mimikatz documentation.

Mimikatz: A Valuable Asset in a Penetration Tester’s Toolkit

When it comes to securing a network, it’s important to think like a hacker. Penetration testers, or “ethical hackers,” understand this principle better than anyone. To identify vulnerabilities within a system before malicious attackers do, these professionals often turn to tools like Mimikatz.

While it’s commonly associated with cyber-attacks, Mimikatz’s original purpose was to uncover and demonstrate Windows security weaknesses. In the hands of penetration testers, it becomes a powerful instrument to evaluate an organization’s security posture. This software allows ethical hackers to test for various vulnerabilities and weaknesses in their client’s systems, in particular, issues related to credential storage and access control.

Windows Red Team Training with Mimikatz and Windows Credentials Editor (WCE)

Defending Against Mimikatz

There are several other general strategies that you can follow to protect against Mimikatz:

  1. Update Your Systems Regularly: Microsoft has made several changes to Windows to limit Mimikatz’s effectiveness. Keeping your systems updated can take advantage of these changes.
  2. Least Privilege Access: Mimikatz requires high-level privileges to operate effectively. Limiting user account permissions whenever possible can help to protect your systems. Only users who need administrator privileges should have them.
  3. Disable WDigest: WDigest is a legacy authentication protocol, and it’s one of the things Mimikatz targets. Disabling it where possible can help to reduce the attack surface.
  4. Enable Credential Guard: Windows introduced a feature called Credential Guard that can help to protect against Mimikatz. It uses virtualization-based security to isolate and protect secrets.
  5. Monitor for Suspicious Behavior: Mimikatz leaves behind several signs of its activity that you can monitor for, including suspicious process creation events and network traffic.
  6. Network Segmentation: By creating zones in your network and applying security controls at each segment, you can limit an attacker’s ability to move laterally through your network.
  7. Use Multi-Factor Authentication (MFA): Even if an attacker manages to steal a set of credentials, MFA can prevent them from being used to access sensitive systems.
  8. Endpoint Detection and Response (EDR): Use an EDR solution that can detect and respond to Mimikatz and similar threats in real time.
  9. Regularly Change and Securely Store Credentials: Changing passwords and other credentials regularly can help prevent long-term unauthorized access. Ensure the credentials are securely stored.
  10. Educate Your Staff: Users should be educated about the dangers of phishing emails and other techniques that attackers use to install tools like Mimikatz.

For the Threat Hunters

Windows Event Logs can be a valuable source of information when investigating potential Mimikatz usage. Below are several Windows Event IDs that might show signals of Mimikatz usage:

  1. Event ID 4624: This event is generated when a logon session is created (i.e., a user logs in). Mimikatz usage often involves unexpected or unusual logins, especially with high-level privileges.
  2. Event ID 4648: This event is generated when a logon is attempted using explicit credentials, which may be captured in a Pass-the-Hash or Pass-the-Ticket attack.
  3. Event ID 4672: This event is generated when a user logs on with superuser (or admin equivalent) privileges. Since many Mimikatz functions require high-level privileges, multiple or unexpected instances of this event could be a signal of Mimikatz usage.
  4. Event ID 4768: This event is logged when a Kerberos Ticket Granting Ticket (TGT) is requested. Abnormal or unexpected requests can be a sign of Golden Ticket attacks.
  5. Event ID 4769: This event is logged when a Kerberos service ticket is requested. Like Event ID 4768, abnormal or unexpected requests can indicate a Silver Ticket attack.
  6. Event ID 4776: This event is logged when a domain controller validates the credentials of an account. Multiple or unexpected instances of this event could be a sign of credential dumping.

Done reading? Maybe there are some other tools you like.

Share

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

Top 25 Open Source Cyber Security Tools

Top 25 Open Source Cyber Security Tools

Reza Rafati
IRIS incident response tool

IRIS: Your Open-Source Ally in Incident Response

Reza Rafati
OSINT tool CrossLinked

CrossLinked: An Effective OSINT Tool for Pentesters

Reza Rafati