What is Mimikatz?
Mimikatz is a well-known tool that can extract Windows plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It can also perform pass-the-hash and pass-the-ticket attacks, or build Golden Tickets.
Mimikatz runs on the compromised machine and extracts credentials from the memory of lsass.exe, the Local Security Authority Subsystem Service. LSASS hosts the Security Support Providers (SSPs), the packages that handle the different authentication protocols. For convenience, the credentials a user enters are very often cached in one of these SSPs so that the user does not have to enter them again a few seconds or minutes later. A user who holds the requisite privileges on the endpoint (local administrator rights, which include SeDebugPrivilege) can read LSASS memory, and the material extracted from it can be used for lateral movement and privilege escalation.
It is increasingly common to see LSASS memory dump files sent over the network to an attacker-controlled machine and parsed there, so that no credential-extraction tool ever has to run on the target. This is a stealthier way to obtain the same credentials.
This is why Mimikatz reads the data held by these different SSPs in an attempt to find authentication secrets, and displays them to the attacker. Harvested credentials can then be used to take over the whole environment, the XEOX installation included, and bring the company to a halt.
An attack with Mimikatz aims to retrieve the various password caches on a Windows machine. If policy forbids installing Sysinternals tools locally, an attacker may try to bypass it by mounting the live Sysinternals share with net use and running the tools from there. The attacker does not even need Mimikatz on the target: an LSASS dump can be copied to an external computer under the attacker's control and parsed offline. Either way, the attacker needs administrative privileges on the target Windows machine to access LSASS memory and the relevant registry keys.
If you have Remote Desktop Protocol (RDP) or other GUI access to the device, you can use Windows Task Manager to create a dump file of lsass.exe. Windows Defender does not alert on this by default, but the method is slow and does not scale well.
ProcDump is a Windows Sysinternals tool that can create memory dumps of processes. You have to copy the ProcDump executable to the target machine, some organizations flag the binary as malicious, and this method is also slow and does not scale well.
CrackMapExec can dump LSASS remotely. It scales really well, because you can simply point it at a whole subnet or a list of IP addresses with credentials that have local admin access.
Lsassy combines the methods above to dump LSASS remotely. By default it tries the comsvcs.dll method (rundll32 calling the MiniDump export of comsvcs.dll) to dump LSASS via WMI or a remote scheduled task.
Enabling WDigest On Newer Machines
WDigest is disabled on newer machines, but an attacker with administrative rights can re-enable it so that plaintext credentials are cached again the next time a user logs on. WDigest is enabled by setting the registry value UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 1 instead of 0. Sessions established before the change are not affected, so the attacker has to wait for, or provoke, a fresh logon.
Fortunately Mimikatz has a few properties that make it easier to detect:
- it is a tool developed exclusively for Windows
- depending on how it is used, it can be very slow
- it is detected rather easily by anti-virus software
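The dumping methods above (Task Manager, ProcDump, comsvcs.dll, CrackMapExec/lsassy) and the WDigest registry change each leave a recognisable trace in Sysmon telemetry. The following detection logic is an added example, not XEOX's or Mimikatz's own code; it runs over constructed Sysmon-style events (all paths, PIDs and users are invented) and flags LSASS memory reads by non-allowlisted processes, UseLogonCredential being set to 1, comsvcs/procdump command lines, and lsass dump files being written. The allowlist is an assumption and must be tuned from a baseline of your own estate.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# PROCESS_VM_READ: any access mask with this bit set can read LSASS memory.
PROCESS_VM_READ = 0x0010

# Processes expected to open lsass.exe with read rights. Constructed allowlist for the
# example; a real deployment tunes this from a baseline of its own Sysmon data.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Registry value that re-enables plaintext credential caching for WDigest.
WDIGEST_VALUE_SUFFIX = r"\securityproviders\wdigest\uselogoncredential"

Event = Dict[str, object]

def lsass_memory_read(ev: Event) -> Optional[str]:
    """Sysmon 10: a non-allowlisted process opened lsass.exe with PROCESS_VM_READ."""
    if ev.get("EventID") != 10:
        return None
    if not str(ev.get("TargetImage", "")).lower().endswith(r"\lsass.exe"):
        return None
    access = int(str(ev.get("GrantedAccess", "0x0")), 16)
    if not access & PROCESS_VM_READ:
        return None
    if str(ev.get("SourceImage", "")).lower() in LSASS_ACCESS_ALLOWLIST:
        return None
    return f"{ev['SourceImage']} opened lsass.exe with GrantedAccess 0x{access:x}"

def wdigest_enabled(ev: Event) -> Optional[str]:
    """Sysmon 13: UseLogonCredential written as DWORD 1 (re-enables plaintext caching)."""
    if ev.get("EventID") != 13:
        return None
    if not str(ev.get("TargetObject", "")).lower().endswith(WDIGEST_VALUE_SUFFIX):
        return None
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]{8})\)", str(ev.get("Details", "")))
    if m and int(m.group(1), 16) == 1:
        return f"{ev.get('Image')} set WDigest UseLogonCredential to 1"
    return None

def lsass_dump_commandline(ev: Event) -> Optional[str]:
    """Sysmon 1: comsvcs.dll MiniDump (lsassy / CrackMapExec style) or procdump against lsass."""
    if ev.get("EventID") != 1:
        return None
    cmd = str(ev.get("CommandLine", "")).lower()
    if "comsvcs" in cmd and "minidump" in cmd:
        return f"comsvcs.dll MiniDump invoked: {ev['CommandLine']}"
    if "procdump" in cmd and "lsass" in cmd:
        return f"procdump targeting lsass: {ev['CommandLine']}"
    return None

def lsass_dump_file(ev: Event) -> Optional[str]:
    """Sysmon 11: a .dmp whose name contains 'lsass' was written (Task Manager, procdump, comsvcs)."""
    if ev.get("EventID") != 11:
        return None
    name = str(ev.get("TargetFilename", "")).lower().rsplit("\\", 1)[-1]
    if name.endswith(".dmp") and "lsass" in name:
        return f"{ev.get('Image')} wrote {ev['TargetFilename']}"
    return None

RULES: List[Tuple[str, Callable[[Event], Optional[str]]]] = [
    ("lsass_memory_read", lsass_memory_read),
    ("wdigest_enabled", wdigest_enabled),
    ("lsass_dump_commandline", lsass_dump_commandline),
    ("lsass_dump_file", lsass_dump_file),
]

def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Run every rule over every event and return (rule name, finding) pairs."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((name, hit))
    return findings

# Constructed sample events (hosts, paths, PIDs and users are invented for the example).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\out.dmp full"},
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for rule, finding in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {finding}")
```

On the constructed sample the csrss.exe access and the UseLogonCredential reset to 0 are ignored, while the Mimikatz and Task Manager reads of lsass.exe, the WDigest change to 1, the comsvcs MiniDump command line and the lsass.DMP file write are reported. Matching on the PROCESS_VM_READ bit rather than a fixed list of access masks (0x1010, 0x1438, 0x1fffff and so on) is deliberate: every memory-reading tool needs that bit, whatever else it requests.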
Mitigate with XEOX
To address this problem, XEOX has a dedicated page called Domain Services in the Security Center. It shows all domain services the company runs. The Group Report, also in the Security Center, shows which user works on which server. This makes it easier to spot someone who has access to something they should not, and to fix it before any damage is done.