Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”

Discussion in 'malware problems & news' started by guest, Apr 6, 2019.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    With Windows XP the procedure for creating the dump file with Task Manager does not work.*
    I tried to enter all possible command lines at the prompt.
    I only get errors or missing creation of the dmp file.

    So I think that with Windows XP the use of rundll32.exe + comsvcs to create an lsass.dmp file is a broken procedure.

    Windows XP therefore seems immune to such an attack.

    P.S. With P.E. it is OK.
     
    Last edited: Jan 14, 2020
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This only works from the Task Manager GUI. There is no way to run Task Manager from the command line interface. Ditto for Process Explorer, which has the same capability.

    The process that works from the command line interface is tasklist and it does not have the capability to memory dump a running process.
     
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    :D:D

    It is obvious that I referred to T.M. GUI ........
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Since this recent article was about enhanced credential extraction techniques, the author has packaged all of them here: https://github.com/Hackndo/lsassy .

    As far as lsass.exe dumping goes, refer to this section. Note the comsvcs.dll execution methods:
    For those not familiar with WMIExec, here's one of many references on its use:

    This article notes most of common reverse shell attack methods: https://blog.ropnop.com/using-credentials-to-own-windows-boxes/
     
    Last edited: Jan 14, 2020
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    First, make sure you are running Task Manager with admin privileges.

    Right mouse click on lsass.exe process. Select "Create dump file."
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    :confused:

    It is not possible !!
     
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    The other methods don't interest me.:thumb:
    Because I can block them or they won't work with my W.XP.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    "Each to their own" my friend.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I found another article with a number of other ways to dump lsass.exe: https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf .

    The one that caught my eye is:
    This highlights that comsvcs.dll is far from the only .dll that can be deployed.
     
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    Good hunting.:thumb:
    Sorry if I use the info of the article for my purposes (Windows XP):

    1. Task Manager does not work.
    2. Psexec is blocked by an OSA default rule.
    3. Procdump is actually capable of creating a dmp file but I blocked its execution with a custom rule in OSA.
    4. Mini Dump cannot be run on my OS.
    Regarding Dumpert, without the exe file I cannot know whether it could be run on my OS.

    P.S. Even PE, as I wrote, can create the dmp file of lsass.exe.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It can't on Win 10 - access denied. Again a PPL bypass would be needed on Win 10 to dump lsass.exe.
     
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    You're right, I tried now with W.10 1909:
    access denied.:thumb:

    I am sorry that there are no other members of W. for testing other OSs prior to W.10.
    :(
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    Can you explain the purpose?
    I blocked most of the commands in the sequence.

    Instead, it would be interesting to write a rule in OSA to block the saving of the lsass.dmp file performed by Process Explorer.
    I cannot do it.
    Although acquiring the lsass.dmp file via PE would be difficult for the attacker on my pc for a variety of reasons.

    P.S. It seems to me impossible that no member of W. with W.7 or 8.1 performs any tests.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    There are numerous ways to dump process memory. Trying to block all of them, especially the undocumented ones, is akin to "a mad dog chasing his tail."
     
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    :D
     
  18. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    Processes from a non-administrator account can't dump the lsass.exe process even if it is not protected by Credential Guard or PPL. I believe some credentials may be stored on disk or cached in another way if that user runs a process as another user, so don't use the "run as" option on your primary non-administrator account.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    True.

    The previously posted POC .vbs script shows one way to escalate to System privileges from a local admin account. Might also work for a standard user account.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Of note for anyone running XP or Win 7. Begin reading at:
    https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5

    For Win 7 users, a patch has to be applied and WDigest protocol disabled. Appears this can also be done by setting the appropriate reg. key or adding it if not present.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    A few more comments and I am done with this recently posted credential dumping method.

    Mimikatz binaries can be downloaded here: https://github.com/gentilkiwi/mimikatz/releases . This download includes the infamous mimidrv.sys and minidrv.dll that will allow Mimikatz to load a kernel driver on the fly to remove lsass.exe PPL protection and dump lsass.exe credentials. All that is needed is admin access on the targeted device. As such, Mimikatz itself is quite capable of dumping lsass.exe w/o resorting to stealthy Win living off the land methods to do so.

    So how does one prevent a Mimikatz attack? Use a top tiered AV solution that can detect the Mimikatz client side components being installed on a device.
     
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy

    The UseLogonCredential registry key is not present.
    And the Negotiate registry key has a value of 0.
    In my pc the WDigest authentication method is disabled.
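    The WDigest setting referred to in posts 20 and 22 can be audited from an elevated prompt. The script below is an added example, not code from the thread or from any of the posters; it assumes Windows 7 or later with PowerShell 3+, reads the UseLogonCredential and Negotiate values under the WDigest key, and only writes UseLogonCredential = 0 when run with -Enforce.

```powershell
# Added example, not code from the thread. Audits the WDigest setting discussed above
# and, with -Enforce, applies the KB2871997 mitigation (UseLogonCredential = 0).
# Run from an elevated PowerShell prompt. On Windows 7 / 2008 R2 the KB2871997 update
# must already be installed, otherwise the registry value has no effect.
param([switch]$Enforce)

$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null both when the key and when the named value are missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WDigestState {
    $ulc = Get-RegValueOrNull -Path $WDigestPath -Name 'UseLogonCredential'
    $neg = Get-RegValueOrNull -Path $WDigestPath -Name 'Negotiate'
    $os  = [System.Environment]::OSVersion.Version
    # Absent value: Windows 8.1 / 2012 R2 (6.3) and later default to "off";
    # Windows 7 / 2008 R2 / 8 / 2012 (with KB2871997) still cache plaintext until set to 0.
    $newerDefaultOff = ($os.Major -gt 6) -or ($os.Major -eq 6 -and $os.Minor -ge 3)
    $hardened = if ($null -eq $ulc) { $newerDefaultOff } else { [int]$ulc -eq 0 }
    [pscustomobject]@{
        OSVersion          = $os.ToString()
        UseLogonCredential = if ($null -eq $ulc) { '<absent>' } else { $ulc }
        Negotiate          = if ($null -eq $neg) { '<absent>' } else { $neg }
        WDigestCacheOff    = $hardened
    }
}

$state = Get-WDigestState
$state | Format-List

if (-not $state.WDigestCacheOff) {
    if ($Enforce) {
        # Create the key if needed, then set the DWORD explicitly to 0.
        if (-not (Test-Path $WDigestPath)) { New-Item -Path $WDigestPath -Force | Out-Null }
        New-ItemProperty -Path $WDigestPath -Name 'UseLogonCredential' -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Host 'UseLogonCredential set to 0; credentials of sessions already logged on stay in memory until they log off or the machine reboots.'
    } else {
        Write-Warning 'WDigest plaintext caching appears enabled; re-run with -Enforce to set UseLogonCredential = 0.'
    }
}
```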
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    As far as I am aware, there is no way to do this on XP. The Win 7 reg. method doesn't work. Even if the Win 7 method does work, it can be bypassed:
    https://www.adamcouch.co.uk/reversi...ndows-server-2012-r2-and-windows-server-2016/
     
  24. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    To begin with, the article you reference does not list XP.

    Next, IIS has nothing to do with WDigest protocol use per se. Of note is that IIS is not normally installed on any consumer Win OS version. WDigest is used by other software besides IIS:
    https://www.trustedsec.com/blog/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/

    Further, you can't assume that a mitigation for Win 7 will work on Win XP. They are different OS versions. Note that the WDigest patch must first be installed on Win 7, which I assume allowed for registry parameter control. Then the registry changes are made to activate that control.

    WDigest is a protocol. As such, it is an integrated part of the OS. It cannot be "uninstalled" unless Microsoft previously provided such capability, as they did for the SMBv1 protocol.

    Again, the KB2871997 patch does not apply to XP: https://msrc-blog.microsoft.com/2014/06/05/an-overview-of-kb2871997/ . Why? Because XP was end-of-life 4/2014. Also, and most important, is what this patch actually did:
    "Time to give up that XP ghost."
     
    Last edited: Jan 16, 2020