Her0in 2016/01/28

Original address: adsecurity.org/?page_id=18… Written by Sean Metcalf

“Please do not reproduce all or part of the content contained on this page without the express written consent of the author of this article.” So in order to share this excellent work, the translator contacted the author (Sean Metcalf) on Twitter, and after talking with him he gave me permission to translate the full article and share it with others. Thanks also to Sean Metcalf for systematically organizing and sharing everything about Mimikatz. Below is a screenshot of Sean Metcalf’s reply, for licensing purposes:

Mimikatz is one of the most powerful intranet penetration tools of the moment, yet it seems that few people really care about its full capabilities (Sean Metcalf raises the same doubt at the beginning of this article), and articles like “Top 10 Hacking Tools” do not mention Mimikatz at all. Sean Metcalf has systematically reviewed the techniques associated with Mimikatz, and I have made a rough translation to share. Translation errors are unavoidable; I hope readers will correct me promptly. This article is the first part of the translation; it mainly covers basic information about Mimikatz and methods for detecting its use. The second part will cover a large number of specific uses of common and less common Mimikatz commands.

0x00 Introduction


It seems that most people on the Red and Blue Teams are not familiar with most of Mimikatz’s features, so I collected all the commands I could find and put them together in this article. I’ll update this post if I find new useful commands in the future. This way, Red and Blue Team members can better understand all of Mimikatz’s capabilities, while also improving the security of the organizations they are hired to protect.

After talking to many people, including hired hackers and network defenders on both sides, I learned that most people do not know the full functionality of Mimikatz beyond a few of the most commonly used commands. This article goes into as much detail as possible about each command: what it is, how it works, the permissions it needs, and its parameters (required and optional), along with screenshots and additional content where possible. However, there are a few things that I haven’t researched yet and look forward to delving into in the near future. I will continue to post articles on various aspects of using Mimikatz at ADSecurity.org, but I intend to keep this post updated and as comprehensive as possible.

The content of this article is intended to help enterprises better understand the capabilities of Mimikatz and cannot be used for illegal activities. Do not use Mimikatz on unapproved computers. In general, do not use Mimikatz for penetration test attacks. Do not reproduce all or part of the content contained on this page without the express written consent of the author.

I did not co-write Mimikatz, so I have no special insight. All the content of this article was obtained from working with Mimikatz, reading the Mimikatz source code, speaking with Benjamin and consulting his blog and GitHub pages, and my own research.

Any mistakes in this article are my own. Please comment here.

Many thanks to Benjamin Delpy for writing and constantly updating Mimikatz. The work he has done has greatly improved the security of Windows, especially Windows 10.

0x02 Mimikatz overview


Mimikatz is one of the best tools for collecting credential data from Windows systems. In fact, I personally consider Mimikatz to be the Swiss Army knife of Windows credential data — a tool that can do anything. Since Mimikatz’s author Benjamin Delpy is French, the resources describing Mimikatz’s usage are all in French, at least on his blog. Mimikatz’s GitHub page is in English and includes useful information on command usage.

Mimikatz is a Windows x32/x64 program written in C in 2007 by Benjamin Delpy (@gentilkiwi) to learn more about Windows credential data (and as a POC).

There are two optional components that provide additional functionality: mimidrv (a driver that interacts with the Windows kernel) and mimilib (AppLocker bypass, authentication package/SSP, password filter, and sekurlsa for WinDBG).

Mimikatz requires administrator or SYSTEM privileges, and usually the debug privilege, to perform certain operations that interact with the LSASS process (depending on the operation being performed).

You can compile and run your own version of Mimikatz, run the Mimikatz executable, use the Metasploit scripts, use the official PowerShell version Invoke-Mimikatz, or use one of the dozen or so PowerShell variants of Mimikatz (I prefer Empire, written in PowerShell, because it is really good!).

Source code and binaries of Mimikatz are available on GitHub under a Creative Commons license, with the following terms:

You are free to:

  • Share – Copy and redistribute the material in any medium or format
  • Adapt – Remix, transform, and build upon the material
  • For any purpose, even commercially. The licensor cannot revoke these freedoms as long as you follow the license terms.
  • Attribution – You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
  • No additional restrictions – You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

0x03 About the Mimikatz author


  • Benjamin DELPY (Gentilkiwi); you can follow him on Twitter (@gentilkiwi) or email him (benjamin [at] gentilkiwi.com)
  • The DCSync function of the lsadump module was written by Benjamin in collaboration with Vincent LE TOUX. You can contact Vincent by email (vincent.letoux [at] gmail.com) or visit his homepage (www.mysmartlogon.com)

0x04 Official Mimikatz links


  • Mimikatz GitHub
  • Mimikatz Releases (containing compiled binaries)
  • Mimikatz GitHub Wiki (includes some documentation)
  • GentilKiwi Blog (most of the content in this Blog is written in French, please use Chrome for automatic translation)

0x05 Mimikatz and credentials


After a user logs in, a great deal of credential data is generated and stored in the memory of the Local Security Authority Subsystem Service (LSASS) process. The purpose is to make single sign-on (SSO) easier, so that users are not prompted for every access request to a resource. The credential data includes NTLM password hashes, LM password hashes (if the password is less than 15 characters long), and even plaintext passwords (to support WDigest and other SSP authentication). Although Windows can be prevented from writing LM hashes to the SAM database (or the AD database) on the local computer, this does not prevent the system from generating LM hashes in memory. By default, users’ LM hashes are no longer generated in Windows Server 2008 and Windows Vista unless explicitly enabled. As of Windows 8.1 and Windows Server 2012 R2, LM hashes and “plaintext” passwords are no longer generated in memory. This feature has also been “back-ported” to older versions of Windows, which requires the KB2871997 patch for Windows 7/8/2008 R2/2012. To prevent “plaintext” passwords from being placed in the LSASS process, the following registry value needs to be set to 0 (digest disabled):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest  "UseLogonCredential" (DWORD)

This registry value is worth monitoring in your environment, because attackers may set it to 1 to enable digest password support, which forces “plaintext” passwords into the LSASS process on any version of Windows from Windows 7/2008 R2 to Windows 10/2012 R2. On Windows 8.1/2012 R2 and later there is no “UseLogonCredential” DWORD value by default, so it must be created manually. If the value is present on these systems, it may mean that something is wrong with that system.

Note that attackers cannot always count on being able to run code directly on the target system, so Mimikatz is continually updated with new functionality that can run remotely. This includes running Mimikatz against a remote system to dump its credentials, running Invoke-Mimikatz over PowerShell remoting, and DCSync. One of the most recent features is the remote retrieval of password data for any Active Directory account in the domain from a DC without running any Mimikatz code on the DC (it uses Microsoft’s official domain controller replication API and requires the appropriate permissions to perform this function).

0x06 Credentials available on different operating system versions


Benjamin Delpy uploaded an Excel chart to OneDrive (shown below) listing the credential data types available in memory (LSASS) for each Windows version, including the enhanced “reduce the number and type of credentials stored in memory” protection in Windows 8.1 and Windows Server 2012 R2.

0x07 PowerShell and Mimikatz


Most of the features in Mimikatz are available in PowerSploit (a PowerShell penetration testing framework) through the Invoke-Mimikatz PowerShell script written by Joseph Bialek. This script “reflectively loads Mimikatz 2.0 completely into memory using Invoke-ReflectivePEInjection”, which lets you dump credentials without writing the Mimikatz binary to disk. The PowerSploit framework is now hosted in the “PowerShellMafia” GitHub repository.

What makes Invoke-Mimikatz so “magical” is its ability to reflectively load the Mimikatz DLL (embedded in the script) into memory. The Invoke-Mimikatz code can be downloaded from the Internet and executed in memory without anything being written to disk. In addition, if you run Invoke-Mimikatz with the appropriate permissions and PowerShell remoting is enabled on the target machine, you can pull credential data from other systems and execute standard Mimikatz commands remotely without dropping any files on the remote system.

Invoke-Mimikatz is no longer updated, but it can be refreshed by swapping in DLLs (32-bit and 64-bit versions) built from a newer Mimikatz.

  • Dump credentials from the LSASS process using Mimikatz: Invoke-Mimikatz -DumpCreds
  • Export all private certificates with Mimikatz (even if they are marked as non-exportable): Invoke-Mimikatz -DumpCerts
  • Elevate privileges with debug on a remote computer: Invoke-Mimikatz -Command "privilege::debug exit" -ComputerName "computer1"

The Invoke-Mimikatz “Command” parameter allows Invoke-Mimikatz to execute a custom Mimikatz command line.

Defenders should expect that any functionality contained in Mimikatz will be available in Invoke-Mimikatz.

0x08 Methods for detecting Mimikatz


There are several ways to potentially detect Mimikatz usage on the network, although there is no guarantee that these methods will work. Since the source code for Mimikatz is available on GitHub, anyone can compile their own version using Visual Studio. I built my own version of Mimikatz called “Kitikatz”: after replacing all instances of “mimikatz” with “Kitikatz”, the detection rate on VirusTotal was not ideal (4/54), although Windows Defender on my Windows 10 system detected it. Later, I also replaced “Benjamin Delpy” and “Gentilkiwi” with the same words, just swapping “e” for “3” and “i” for “1”. The detection rate was still poor (4/54), and this time Windows Defender on my Windows 10 system did not detect it. Your mileage may vary.

  • Benjamin Delpy published Mimikatz’s YARA rules in Mimikatz’s GitHub library.
  • Run up-to-date antivirus software. On November 11, 2015, VirusTotal’s AV engines showed a 35/35 detection rate for mimikatz.exe (32-bit and 64-bit).
  • Mimikatz (as of October) generates events on BusyLight devices [implemented in Mimikatz version 2.0 alpha 20151008 (oe.eo) edition].
  • Make full use of security software to identify interactions with LSASS processes. Security software that monitors the injection process may also periodically detect Mimikatz use.
  • Plant special credentials in the memory of multiple computers in the enterprise, including HoneyTokens/HoneyHashes. These credentials are marked, so when someone tries to use them the system raises a serious alert. This requires some push mechanism and credentials that are attractive to attackers. In theory, this method could detect credential theft and use in an environment.
  • The WDigest registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, UseLogonCredential) should be set to 0 to prevent “plaintext” passwords from being stored in the LSASS process. If the value is set to 1 on an internal enterprise system, this may indicate that credential theft has occurred. This registry value is worth monitoring in your environment because attackers may set it to 1 to enable digest password support, so that on any version of Windows from Windows 7/2008 R2 to Windows 10/2012 R2, “plaintext” passwords are forced into the LSASS process.
  • The methods for detecting Kerberos ticket forgeries, which I published in early 2015, can detect gold, silver, and trust ticket forgeries. I also gave some information on how to detect MS14-068 Kerberos vulnerability attacks.
  • Enable LSA Protection on all Windows systems in the enterprise that support it. This prevents Mimikatz from working “out of the box” and forces the use of the Mimikatz driver, which also logs events when it interacts with LSASS.

0x09 Mimikatz And LSA Protection Mode


A new feature called LSA Protection was introduced in Windows Server 2012 R2 and Windows 8.1. It includes running LSASS as a protected process (Mimikatz can bypass this protection with its driver, but doing so generates entries in the event log):

The LSA, which includes the Local Security Authority Subsystem Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. Windows 8.1 provides additional protection for the LSA to prevent memory reads and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages.

Enabling LSA Protection

  1. Open the registry editor (regedit.exe), locate the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and set the value: "RunAsPPL"=dword:00000001
  2. Create a new GPO and browse to Computer Configuration – Preferences – Windows Settings. Right-click Registry – New, and then click Registry Item. The New Registry Properties dialog box appears. In the Hive list, click HKEY_LOCAL_MACHINE. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa. In the Value name box, type RunAsPPL; in the Value type box, click REG_DWORD; in the Value data box, type 00000001; and click OK.

LSA Protection prevents unprotected processes from interacting with LSASS, but Mimikatz can still bypass it using its driver (“!+”).
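Both registry values this article tells defenders to watch, UseLogonCredential under WDigest (section 0x05) and RunAsPPL under Lsa (this section), can be checked across a fleet from a registry inventory. The following Python is an added example, not code from the original article or from Mimikatz; the snapshot format, the host names and the version strings are assumptions.

```python
# Added example (not from the article or from Mimikatz): audit the two LSASS
# registry values the article tells defenders to watch, over registry snapshots.
# The snapshot format (key path -> {value name: DWORD data}) and the host names
# are assumptions; nothing here reads a live registry.

WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

# Versions that stop keeping "plaintext" passwords in LSASS by default, where
# UseLogonCredential is absent unless someone created it, and where LSA
# Protection (RunAsPPL) is available.
HARDENED_BY_DEFAULT = {"8.1", "2012 R2", "10"}


def audit_host(os_version, registry):
    """Return a list of (severity, message) findings for one host."""
    findings = []
    wdigest = registry.get(WDIGEST_KEY, {})
    lsa = registry.get(LSA_KEY, {})
    hardened = os_version in HARDENED_BY_DEFAULT

    if "UseLogonCredential" not in wdigest:
        if not hardened:
            # Win 7/8/2008 R2/2012 need KB2871997 *and* an explicit 0.
            findings.append(("medium", "UseLogonCredential not set to 0: "
                             "plaintext passwords may be kept in LSASS"))
    elif wdigest["UseLogonCredential"] == 1:
        findings.append(("high", "UseLogonCredential=1: plaintext passwords "
                         "forced into LSASS (possible credential theft)"))
    elif hardened:
        # Present (even as 0) on 8.1/2012 R2+, where Windows does not create it.
        findings.append(("medium", "UseLogonCredential exists on a system "
                         "where it is not created by default"))

    if hardened and lsa.get("RunAsPPL") != 1:
        findings.append(("medium", "LSA Protection (RunAsPPL=1) not enabled"))
    return findings


def audit_fleet(hosts):
    """hosts: {hostname: (os_version, registry)} -> {hostname: findings}."""
    return {name: audit_host(ver, reg) for name, (ver, reg) in hosts.items()}


# Constructed sample fleet: host names and values are made up.
SAMPLE_FLEET = {
    "ws-7-01": ("7", {WDIGEST_KEY: {"UseLogonCredential": 0}}),
    "ws-10-02": ("10", {WDIGEST_KEY: {"UseLogonCredential": 1}, LSA_KEY: {}}),
    "dc-2012r2": ("2012 R2", {WDIGEST_KEY: {}, LSA_KEY: {"RunAsPPL": 1}}),
}
```

Feed the output of an inventory agent into audit_fleet and alert on any "high" finding, since a value of 1 should never appear on a properly configured system.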

0x0a Detecting Invoke-Mimikatz


  • Make sure all Windows systems have PowerShell V3 or later installed. Newer versions of PowerShell have better logging capabilities, especially PowerShell V5.
  • Enable PowerShell module logging via Group Policy: Computer Configuration – Policies – Administrative Templates – Windows Components – Windows PowerShell – Turn on Module Logging. Enter * for the module names and click OK. This logs all PowerShell activity, including all PowerShell modules.
  • PowerShell activity is recorded in the PowerShell Operational log. Forward these events to a central logging server (via Windows Event Forwarding or similar) or a SIEM.
  • Search the PowerShell events for the following:
    • “System.Reflection.AssemblyName”
    • “System.Reflection.Emit.AssemblyBuilderAccess”
    • “System.Runtime.InteropServices.MarshalAsAttribute”
    • “TOKEN_PRIVILEGES”
    • “SE_PRIVILEGE_ENABLED”

Note: although the use of Mimikatz can be recognized by the words “mimikatz”, “Delpy” or “gentilkiwi” in the log entries, a more capable attacker might run a version of Mimikatz or Invoke-Mimikatz stripped of these keywords.

Detect offensive PowerShell tools

Many PowerShell attack tools use the following calls, which are recorded in the PowerShell module log.

  • “GetDelegateForFunctionPointer”
  • “System.Reflection.AssemblyName”
  • “System.Reflection.Emit.AssemblyBuilderAccess”
  • “System.Management.Automation.WindowsErrorReporting”
  • “MiniDumpWriteDump”
  • TOKEN_IMPERSONATE
  • TOKEN_DUPLICATE
  • TOKEN_ADJUST_PRIVILEGES
  • TOKEN_PRIVILEGES
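The indicator strings in this list and in the 0x0a list can be matched against forwarded PowerShell module-log events without depending on the “mimikatz” keywords the note above says an attacker can strip. The following Python is an added example, not code from the article, PowerSploit or Mimikatz; the event records, their field names and the two-category alert threshold are assumptions.

```python
# Added example (not from the article, PowerSploit or Mimikatz): scan PowerShell
# module-log (event ID 4103) messages for the .NET type and Win32 names in the
# article's two indicator lists. The event records, their field names and the
# two-category threshold are constructed assumptions, not article content.

INDICATORS = {  # grouped by what the name implies
    "reflective-loading": [
        "System.Reflection.AssemblyName",
        "System.Reflection.Emit.AssemblyBuilderAccess",
        "System.Runtime.InteropServices.MarshalAsAttribute",
        "GetDelegateForFunctionPointer"],
    "lsass-dump": [
        "System.Management.Automation.WindowsErrorReporting", "MiniDumpWriteDump"],
    "token-privileges": [
        "TOKEN_PRIVILEGES", "SE_PRIVILEGE_ENABLED", "TOKEN_IMPERSONATE",
        "TOKEN_DUPLICATE", "TOKEN_ADJUST_PRIVILEGES"],
}

def scan_event(message):
    """Return {category: [indicators found]} for one 4103 message text.
    Case-insensitive; never relies on "mimikatz", "Delpy" or "gentilkiwi"."""
    text = message.lower()
    hits = {}
    for category, names in INDICATORS.items():
        found = [n for n in names if n.lower() in text]
        if found:
            hits[category] = found
    return hits

def triage(events, min_categories=2):
    """Alert on events whose indicators span >= min_categories groups: a lone
    TOKEN_PRIVILEGES in an admin script is common, reflective loading plus
    token or LSASS activity is what Invoke-Mimikatz looks like in the log."""
    alerts = []
    for ev in events:
        hits = scan_event(ev["message"])
        if len(hits) >= min_categories:
            alerts.append((ev["host"], ev["user"], sorted(hits)))
    return alerts

SAMPLE_EVENTS = [  # constructed 4103 records, trimmed to the fields used
    {"host": "ws-10-02", "user": "CORP\\jdoe", "message":
     "CommandInvocation(Add-Type): [System.Reflection.AssemblyName] ... "
     "GetDelegateForFunctionPointer ... TOKEN_PRIVILEGES SE_PRIVILEGE_ENABLED"},
    {"host": "ws-10-03", "user": "CORP\\build", "message":
     "CommandInvocation(Get-ChildItem): ParameterBinding name=Path value=C:\\src"},
    {"host": "ws-10-04", "user": "CORP\\svc", "message":
     "CommandInvocation(Add-Type): struct TOKEN_PRIVILEGES for a token query"},
]
```

Lower min_categories to 1 if you want every token-constant hit surfaced for review rather than only the multi-category combinations.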