threat
Mimikatz
Mimikatz is a credential-dumping utility commonly leveraged by adversaries, penetration testers, and red teams to extract passwords. As an open source project, Mimikatz continues to be actively developed.
Pairs with this song #3
OVERALL RANK
4.9%
CUSTOMERS AFFECTED
Threat Sounds
When Mimikatz is in the cradle, no set of credentials is safe.
Analysis
Mimikatz is an open source credential-dumping utility that was initially developed in 2007 by Benjamin Delpy to abuse various Windows authentication components. While the initial v0.1 release was oriented towards abusing already well established “pass the hash” attacks, after expanding its library of abuse primitives, the tool was publicly released as Mimikatz v1.0 in 2011. Over a decade later, Mimikatz is still a helpful utility for adversaries to dump credentials and gain lateral movement within an organization. In 2023, a range of actors used Mimikatz during intrusions, from ransomware groups to red teamers.
While we observed some malicious use of Mimikatz by adversaries, the majority of detected activity was the result of some kind of testing—including adversary simulation frameworks (such as Atomic Red Team) or red teams running tests, as confirmed by customer feedback. We once again removed customer-reported testing from our top 10 trending threats for 2023 to help improve accuracy. With customer-reported testing removed, Mimikatz dropped from affecting 8.3 percent of customers to 4.9 percent of customers, clearly showing how commonly it is used in testing. However, some testing is not explicitly marked as such, and though Mimikatz is leveraged by adversaries, we assess its #3 ranking is likely still inflated due to unreported testing.
The most common unobfuscated Mimikatz execution method we observed in 2023 was via the Invoke-Mimikatz PowerShell module using the -dumpcreds parameter (as the name suggests, this module dumps credentials out of LSASS). Though Mimikatz itself offers multiple modules, there was not much variety in the modules Red Canary observed this past year. As it has been for the past several years, the sekurlsa::logonpasswords module was the most utilized in 2023. This module provides extraction of usernames and passwords for user accounts that have recently been active on the endpoint. The next two most commonly-observed modules were sekurlsa::tickets, which lists all available Kerberos tickets for all recently authenticated users, and lsadump::sam, which dumps the Security Account Managers (SAM) database of password hashes.
take action
Fortunately for defenders, the following detection opportunities are relatively straightforward and have helped detect high volumes of Mimikatz for multiple years.
Detection opportunities
Mimikatz module names
To identify execution of Mimikatz, look for processes in which module names are observed as command-line parameters. While Mimikatz offers several modules related to credential dumping, the sekurlsa::logonpasswords module is a boon for detection. To expand detection opportunities, you can detect additional module names from the Mimikatz repository. While it may not be comprehensive, this is a great starting point for building a list of command-line parameters to detect on. Additional modules can be found by keeping an eye on the commit history of the project or by following the maintainer on Twitter so you can be notified when new modules appear. As always with anything open source, this project can be forked and modified to evade this detection opportunity, so it is important to institute defense-in-depth practices within your organization and not rely on just one detection opportunity.
command_includes ('sekurlsa::logonpasswords' || 'lsadump::sam' || 'sekurlsa::tickets')Note: These are the three most common modules we observed in 2023. A full list can be found here.
Kerberos ticket files
Another notable feature is Mimikatz’s ability to steal or forge Kerberos tickets. Kerberos ticket files (.kirbi) are of interest to adversaries as they can contain sensitive data such as NTLM hashes that can be cracked offline. To perform these attacks, a unique file extension variable is defined within Mimikatz that designates the default extension as .kirbi. Building detection analytics around modification of files with this extension is another easy win as they can be a telltale sign that an adversary is in the midst of performing an attack. One such attack, popularly known as “Kerberoasting,” occurs when Kerberos tickets are extracted from memory and the password of an account is cracked, allowing the adversary to pivot within the environment via a newly hijacked account. This type of attack thwarts basic foundational security practices such as only delegating permissions to user accounts with the principle of least privilege.
It is important to note that while .kirbi files are utilized by Mimikatz, they are not exclusive to Mimikatz—multiple other hacking utilities interact with these files following the Kerberos Credential format as well. In addition to using .kirbi files as a detection opportunity, incident responders should also remember to sanitize them as soon as possible, whether their generation was a function of sanctioned testing or otherwise.
file_modification == '*.kirbi'*Note: The asterisk in the above pseudo-detection analytic signifies that we’re simply looking for a .kirbi file regardless of the filename prepended onto it.
Testing
Start testing your defenses against Mimikatz using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
Getting started
Atomic Red Team includes some basic options for running Mimikatz among both the PowerShell and LSASS Memory techniques. For anyone testing with Mimikatz, consider using a variety of modules, not just the common ones like sekurlsa::logonpassword, to test a range of behaviors.
The following list is a good starting point:
DCSync
DCSync is a technique that issues a request to a Domain Controller to replicate data back to the requestor, which includes password hashes.
lsadump::dcsync /domain:contoso.local /user:adminisrtator@contoso.local
Kerberos encryption keys
This method will list Kerberos encryption keys.
sekurlsa::ekeys
SAM database
This method will decrypt and dump all local credentials from the SAM registry hive.
lsadump::sam
Domain cached credentials
This will load cached credentials from the registry when a system is domain-joined. Credentials will be cached in case the Domain Controller is unavailable to authenticate the user.
lsadump::cache
DPAPI keys
This will list the DPAPI master keys, which can then be used to decrypt credentials stored in browsers or the Windows Credential Vault.
sekurlsa::dpapi
Windows Credential Manager
Vault List will list the vaults on the system. Vault Cred will list the credentials within a vault.
vault::list
vault::cred
Review and repeat
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
- Were any of your actions detected?
- Were any of your actions blocked or prevented?
- Were your actions visible in logs or other defensive telemetry?
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.