Mimikatz is an open source credential-dumping utility that Benjamin Delpy began developing in 2007 to abuse various Windows authentication components. The initial v0.1 release focused on the already well-established "Pass the Hash" technique; after its library of abuse primitives grew, the tool was publicly released as Mimikatz v1.0 in 2011. A decade later, Mimikatz remains a highly effective utility for adversaries who need to move laterally within an organization. In 2020, Red Canary observed various adversaries using Mimikatz during intrusions, including cryptomining activity attributed to Blue Mockingbird and ransomware operations involving Nefilim, Sodinokibi, and Netwalker.
Interestingly, in the case of Blue Mockingbird, Red Canary observed signs of the adversary using evasion tactics that may throw off Mimikatz detection. In one incident, we observed the Mimikatz binary being written to disk as mx.exe in the C:\PerfLogs\ directory. Renaming the Mimikatz binary may thwart rudimentary signatures that look only for the default filename.
The directory Mimikatz was written into, C:\PerfLogs\, is also of interest: this directory has been seen in use by other threats such as Ryuk.
C:\PerfLogs\ is a directory used legitimately by Windows Performance Monitor, and by default writing to it requires administrative rights. Generally speaking, an adversary is already assumed to have elevated privileges if they are using Mimikatz to its fullest extent, so the write restriction is not an obstacle for them. While we don't presume to have a clear answer on why adversaries choose that directory for staging, its use presents an opportunity for detection: monitor for the execution of binaries from directories that do not normally contain executables. Many defenders are already familiar with monitoring for unusual activity coming from C:\Windows\Temp, and based on what we observed from Blue Mockingbird, C:\PerfLogs\ may be another directory worth watching.
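The following is an added example of the detection idea above, not Red Canary's detection logic and not part of the original report. It runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (Image, ProcessId, OriginalFileName) and flags two things: any image launched from C:\PerfLogs\ or C:\Windows\Temp\, and any image whose on-disk name differs from the OriginalFileName recorded in its PE version resource, which is how a renamed binary such as mx.exe can still be spotted. The sample records, including the assumption that the renamed binary's version resource still reports mimikatz.exe, are constructed for illustration.

```python
"""Flag process launches staged in unusual directories or running under a renamed filename.

Added example (not from the original report). Input records are dictionaries
using Sysmon Event ID 1 field names; the records below are constructed.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Directories seen used for staging executables; compared case-insensitively.
# Each entry ends with a backslash so that C:\PerfLogsX\ does not match.
SUSPICIOUS_DIRS = ("c:\\perflogs\\", "c:\\windows\\temp\\")


@dataclass
class Finding:
    pid: int
    image: str
    reasons: List[str]


def analyze_event(event: Dict[str, object]) -> List[str]:
    """Return the list of reasons a single process-creation record is suspicious."""
    image = str(event.get("Image", ""))
    image_lower = image.lower()
    reasons: List[str] = []

    for directory in SUSPICIOUS_DIRS:
        if image_lower.startswith(directory):
            reasons.append(f"executed from staging directory {directory}")

    # Sysmon records the PE version resource's OriginalFileName, or "-" when absent.
    # A mismatch with the on-disk name indicates the binary was renamed.
    original = str(event.get("OriginalFileName", "-"))
    on_disk = ntpath.basename(image_lower)
    if original not in ("", "-") and original.lower() != on_disk:
        reasons.append(f"on-disk name {on_disk} differs from OriginalFileName {original}")

    return reasons


def analyze(events: List[Dict[str, object]]) -> List[Finding]:
    """Run analyze_event over a batch of records and keep only those with findings."""
    findings = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            findings.append(Finding(int(event["ProcessId"]), str(event["Image"]), reasons))
    return findings


# Constructed sample records (not real telemetry). The mimikatz.exe
# OriginalFileName on the first record is an assumption for illustration.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\PerfLogs\\mx.exe", "OriginalFileName": "mimikatz.exe"},
    {"ProcessId": 812, "Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"ProcessId": 5560, "Image": "C:\\Windows\\Temp\\update.exe", "OriginalFileName": "update.exe"},
    {"ProcessId": 2204, "Image": "C:\\Program Files\\App\\app.exe", "OriginalFileName": "-"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"PID {finding.pid} {finding.image}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

In this example, mx.exe is flagged twice (staging directory and renamed binary), update.exe once (staging directory only), and the two remaining records are not flagged. Matching on the trailing backslash keeps look-alike directory names from triggering, and the "-" placeholder Sysmon emits when a binary has no version resource is treated as "unknown" rather than as a mismatch.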
While we observed some malicious use of Mimikatz by adversaries, the majority of detections were the result of some kind of testing, including adversary simulation frameworks (such as Atomic Red Team) or red teams running tests, as confirmed by customer feedback. Though Mimikatz offers multiple modules, there was not much variety in the modules tested. The sekurlsa::logonpasswords module was the most utilized in 2020; it extracts usernames and credential material for accounts that have recently logged on to the endpoint. In comparison, the newest module, lsadump::zerologon, released in Q3 2020 to test for the ZeroLogon vulnerability CVE-2020-1472, did not appear in any of our 2020 detections. This finding suggests that testers should consider expanding the Mimikatz functionality they exercise. Using Mimikatz to test detection coverage for a range of behaviors helps ensure you are also covered for other threats that use those same techniques.