
Mimikatz

Mimikatz is a credential-dumping utility commonly leveraged by adversaries, penetration testers, and red teams to extract passwords. As an open source project, Mimikatz continues to be actively developed, with several new features added in 2020.


Overall rank: #5
Customers affected: 6.2%

Analysis

Mimikatz is an open source credential-dumping utility that was initially developed in 2007 by Benjamin Delpy to abuse various Windows authentication components. While the initial v0.1 release was oriented towards the already well-established “Pass the Hash” attack, the tool expanded its library of abuse primitives and was publicly released as Mimikatz v1.0 in 2011. A decade later, Mimikatz is still a fantastic utility for adversaries looking to move laterally within an organization. In 2020, Red Canary observed various actors using Mimikatz during intrusions, including deployment alongside cryptominers such as Blue Mockingbird or ransomware such as Nefilim, Sodinokibi, and Netwalker.

Evasion Tactics

Interestingly, in the case of Blue Mockingbird, Red Canary observed signs of the adversary using evasion tactics that may throw off Mimikatz detection. In one incident, we observed the Mimikatz binary being written to disk as mx.exe in the C:\PerfLogs\ directory. Renaming the Mimikatz binary may thwart rudimentary signatures looking for the filename mimikatz.exe.

The directory Mimikatz was written into, C:\PerfLogs\, is also of interest—this directory has been seen in use by other adversaries such as Ryuk. C:\PerfLogs\ is a directory utilized legitimately by Windows Performance Monitor, which by default requires administrative rights to write to. Generally speaking, an adversary is already assumed to have elevated privileges if they are using Mimikatz to its fullest extent. While we don’t presume to have a clear answer on why adversaries choose that directory for staging, its use presents an opportunity for detection by monitoring for the execution of suspicious binaries from unusual directories. Many defenders are familiar with monitoring for unusual activity coming from C:\Windows\Temp, and based on what we observed from Blue Mockingbird, C:\PerfLogs\ may be another interesting directory to watch out for.

While we observed some malicious use of Mimikatz by adversaries, the majority of detections were the result of some kind of testing, including adversary simulation frameworks (such as Atomic Red Team) or red teams running tests, as confirmed by customer feedback. Though Mimikatz offers multiple modules, there was not much variety in the modules tested. The sekurlsa::logonpasswords module was the most utilized in 2020, providing extraction of usernames and passwords for user accounts that have recently been active on the endpoint. In comparison, we did not observe the latest module, lsadump::zerologon (released in Q3 2020 to test for the ZeroLogon vulnerability, CVE-2020-1472), in any of our 2020 detections. This finding suggests that testers should consider expanding the Mimikatz functionality they test for. Using Mimikatz to test detection coverage for a range of behaviors can help ensure you’re also covered for other threats that use those same techniques.

Detection opportunities

Detection opportunity 1

Mimikatz module command-line parameters
ATT&CK technique(s): T1003 OS Credential Dumping
ATT&CK tactic(s): Credential Access

Details: To identify execution of Mimikatz, look for processes in which module names are observed as command-line parameters. While Mimikatz offers several modules related to credential dumping, the sekurlsa::logonpasswords module is a boon for detection. To expand detection opportunities, you can pull additional module names from the Mimikatz repository. While it may not be comprehensive, this is a great starting point for building a list of command-line parameters to detect on. Additional modules can be found by keeping an eye on the commit history of the project or by following the maintainer on Twitter so you can be notified when new modules appear. As always with anything open source, this project can be forked and modified to evade this detection opportunity, so it is important to institute defense-in-depth practices within your organization and not rely on just one detection opportunity.

Detection opportunity 2

Kerberos ticket file modifications
ATT&CK technique(s): T1558 Steal or Forge Kerberos Tickets
ATT&CK tactic(s): Credential Access

Details: Another notable feature is Mimikatz’s ability to steal or forge Kerberos tickets. Kerberos ticket files (.kirbi) are of interest to adversaries as they can contain sensitive data such as NTLM hashes that can be cracked offline. To perform these attacks, Mimikatz defines a unique file extension variable that designates the default extension as .kirbi. Building detection analytics around modification of files with this extension is another easy win, as such modifications can be a telltale sign that an adversary is in the midst of performing an attack. One such attack, popularly known as “Kerberoasting,” occurs when Kerberos tickets are extracted from memory and the password of an account is cracked, allowing the adversary to pivot within the environment via a newly hijacked account. This type of attack undermines foundational security practices such as granting user accounts only the permissions they need, in keeping with the principle of least privilege.

It is important to note that while .kirbi files are utilized by Mimikatz, they are not exclusive to Mimikatz—multiple other hacking utilities interact with these files following the Kerberos Credential format as well. In addition to using .kirbi files as a detection opportunity, incident responders should also remember to sanitize them as soon as possible, whether their generation was a function of sanctioned testing or otherwise.

Detection opportunity 3

Suspicious LSASS injection
ATT&CK technique(s): T1003 OS Credential Dumping
ATT&CK tactic(s): Credential Access

Details: Credential dumping is the name of the game for Mimikatz. To be successful, Mimikatz must interact with the Local Security Authority Subsystem Service (LSASS), which provides a great opportunity for detection. Mimikatz requires specific process access rights to initiate cross-process injection via the Kernel32 OpenProcess function: PROCESS_VM_READ 0x0010 and PROCESS_QUERY_LIMITED_INFORMATION 0x1000. These permissions, collectively observed as the bitmask 0x1010, are relatively rare for lsass.exe under normal conditions.

While identifying processes that are initiating cross-process injection may provide a foundation for detecting Mimikatz, this can be a bit noisy. A good way to filter things down is to focus on the loading of other suspect libraries such as the SAM Library (samlib.dll) and the Credential Vault Client Library (vaultcli.dll). With this information you can identify instances of Mimikatz, as well as other credential theft tools, with a higher degree of confidence.
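Detection logic for this opportunity, as an added example that is not taken from the report: it checks lsass.exe handle opens for the two rights above and raises confidence when the same source process also loaded samlib.dll or vaultcli.dll. The event shape mimics Sysmon ProcessAccess and ImageLoaded records but is constructed here, the agent.exe and svchost.exe events are constructed samples, and the check generalizes the exact 0x1010 observation to any mask that includes both rights.

```python
# Access rights Mimikatz needs on lsass.exe (values from the report).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
MIMIKATZ_MASK = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION  # 0x1010
# Library loads the report suggests for raising confidence.
CORROBORATING_DLLS = ("samlib.dll", "vaultcli.dll")

def mask_matches(granted_access) -> bool:
    """True when a handle (int or hex string like "0x1010") carries both
    rights in MIMIKATZ_MASK; supersets such as 0x1410 match too."""
    value = int(granted_access, 16) if isinstance(granted_access, str) else granted_access
    return value & MIMIKATZ_MASK == MIMIKATZ_MASK

def correlate(events) -> list:
    """Flag lsass.exe handle opens carrying the Mimikatz rights and rank them by
    whether the same source process also loaded samlib.dll or vaultcli.dll.
    Events are dicts shaped like Sysmon ProcessAccess (id 10) and ImageLoaded
    (id 7) records (a constructed shape, not a parser for real Sysmon XML)."""
    loaded = {}
    for e in events:
        if e["id"] == 7:
            dll = e["image_loaded"].rsplit("\\", 1)[-1].lower()
            if dll in CORROBORATING_DLLS:
                loaded.setdefault(e["image"].lower(), set()).add(dll)
    findings = []
    for e in events:
        if e["id"] != 10 or not e["target_image"].lower().endswith("\\lsass.exe"):
            continue
        if not mask_matches(e["granted_access"]):
            continue  # e.g. 0x1000 alone is common and benign
        dlls = sorted(loaded.get(e["source_image"].lower(), ()))
        findings.append({"source": e["source_image"],
                         "granted_access": e["granted_access"],
                         "corroborating_dlls": dlls,
                         "confidence": "high" if dlls else "medium"})
    return findings

# Constructed sample telemetry: renamed Mimikatz (mx.exe) plus two other
# processes, one of which opens lsass.exe with a broader but matching mask.
LSASS = "C:\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS = [
    {"id": 10, "source_image": "C:\\PerfLogs\\mx.exe", "target_image": LSASS, "granted_access": "0x1010"},
    {"id": 7, "image": "C:\\PerfLogs\\mx.exe", "image_loaded": "C:\\Windows\\System32\\samlib.dll"},
    {"id": 7, "image": "C:\\PerfLogs\\mx.exe", "image_loaded": "C:\\Windows\\System32\\vaultcli.dll"},
    {"id": 10, "source_image": "C:\\Program Files\\Agent\\agent.exe", "target_image": LSASS, "granted_access": "0x1410"},
    {"id": 10, "source_image": "C:\\Windows\\System32\\svchost.exe", "target_image": LSASS, "granted_access": "0x1000"},
]
```

Running correlate(SAMPLE_EVENTS) returns mx.exe as a high-confidence finding and agent.exe as medium (matching mask, no corroborating loads), while the svchost.exe open with 0x1000 alone is dropped.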

The below detection demonstrates Blue Mockingbird using Mimikatz (renamed as mx.exe) to perform credential dumping via LSASS injection.

Aaron Didier
INTELLIGENCE ANALYST
Aaron is an unconventional autodidact who got their start in information security as a "terminally curious" member of a network operations team at a small regional WISP, addressing abuse@ emails, digging into netflow, and responding to VoIP attacks. Prior to joining the flock at Red Canary, Aaron was a member of the Motorola Solutions SOC, where they contributed to the creation of a Security Onion-inspired RHEL IDS known as Red Onion. They also spent time briefly at Baker McKenzie administering CB Response and Protect while mapping to the ATT&CK Framework. In their off hours, you may catch Aaron digging just about anywhere, be it in the garden, in a book, in a 10-k report, capture the flag event, Twitter post, or documentary. Their fascination for the world knows no bounds and they love sharing everything they've learned with anyone willing to listen.