Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”

Discussion in 'malware problems & news' started by mood, Apr 6, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    22,497
    Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”
    April 4, 2019
    https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
-EDIT- I also take exception to the implication that somehow changing Mimikatz's executable name will bypass AV signature detection of it. An executable's file name has zip to do with the capability to detect a malware's code signature. And most AVs are quite adept at detecting Mimikatz's code signature.

    For additional reference: https://github.com/gentilkiwi/mimikatz/wiki/module-~-privilege

    From the Microsoft linked reference in the above article:
    Microsoft recommends to remove the functionality via Group Policy:
    https://docs.microsoft.com/en-us/wi...ction/security-policy-settings/debug-programs
     
    Last edited: Apr 6, 2019
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
Lest anyone underestimate how truly dangerous Mimikatz is, a few more references. BTW - the CrowdStrike article really doesn't do justice to it.

This article gets into the behavioral aspects of both disk and memory (yes, those also exist) Mimikatz attacks: https://www.eideon.com/2017-09-09-THL01-Mimikatz

    For those sleeping better at night falsely believing that Win 10 1809 lsass.exe PPL or Credential Guard are 100% effective against Mimikatz attacks, this is a must read: https://medium.com/red-teaming-with...-with-2-lsass-protection-options-880590a72b1a
     
    Last edited: Apr 7, 2019
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
Also, the above red team linked article was written prior to the release of Win 10 1809. Microsoft stated that Mimikatz's on-the-fly loading of its Microsoft code-signed kernel-mode driver would no longer work to bypass lsass.exe PPL. This is clearly not the case based on this Twitter posting: https://twitter.com/gentilkiwi/status/788486598786686978?lang=en
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
Referring to this ridiculous statement from the CrowdStrike blog article:
Below are the Eset results for a .zip download from GitHub containing Mimikatz components. Note that all the detections state "variant", indicating this was not a positive signature detection. The buggers never hit the disk:

[Attached screenshots: Eset detections for mimidrv.sys (32/64-bit), mimikatz.exe (32/64-bit), mimilib.dll (32/64-bit) and mimilove.exe (32-bit)]
     
    Last edited: Apr 8, 2019
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,597
    Location:
    Italy
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
    If a malware process can acquire System privileges, it can do virtually anything it wants:
    BTW - I assume most Wilders folks are monitoring rundll32.exe in some fashion by now.
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,580
    And wouldn't a "top tiered integrated AV solution" do that already by default (with all those fancy buzz-words like "Deep behavioral inspection", "Machine Learning", and whatever they may call it)?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
Maybe. As the article points out, WD will detect it. But he found a bypass to it by specifying the lsass.exe PID.

    Since the comsvcs.dll use appears to be new, suspect AV behavior ML engine rules are being revised currently. Note that not all AV ML engines have the capability to revise their rules on the fly. Eset's Augur does.
     
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,597
    Location:
    Italy
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
    You need to verify if the OSArmor rundll32 rule covers .dll usage. As shown, it is only blocking child process startup.
     
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,597
    Location:
    Italy
    So a custom rule would be needed to block the command:

    rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump "<lsass pid> lsass.dmp full"
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
And just how would you code that, since <lsass pid> can be any numeric value in the 1 - 9999 range (not sure what the upper limit is)?

    Additionally, the comsvcs.dll could be copied to any directory and referenced from there. Also, the dump file can be any xxxxx.dmp name. Add to this that "rundll32.exe comsvcs.dll" usage could actually be legit usage.

    Finally, there is nothing malicious in dumping any file including lsass.exe. What is malicious is reading the memory dumped lsass.exe process to harvest credentials.
     
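As an added example (not code from this thread, nor from OSArmor or Eset), here is one way to answer the "how would you code that" question: a detection rule that captures the PID, the DLL path and the dump file name instead of hard-coding them, run over constructed Sysmon-style process-creation records. It raises alerts for review rather than blocking, since the post above notes that "rundll32.exe comsvcs.dll" can be legitimate usage.

```python
import re

# Constructed sample process-creation records (Sysmon-style field names); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump "624 lsass.dmp full"'},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r'RUNDLL32 "C:\Users\Public\tmp\comsvcs.dll", MiniDump "1188 C:\Users\Public\out.bin full"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

# The DLL may be copied to any directory and quoted or not, so only its basename is
# checked; "dll,Export" and "dll Export" forms are both accepted. The PID and the dump
# file name are captured rather than fixed, so any PID and any xxxxx.dmp name match.
COMSVCS_MINIDUMP = re.compile(
    r'rundll32(?:\.exe)?\s+'
    r'(?P<dll>"[^"]*comsvcs\.dll"|\S*comsvcs\.dll)\s*,?\s*'
    r'MiniDump\s+"?(?P<pid>\d+)\s+(?P<dump>\S+?)\s+full"?',
    re.IGNORECASE,
)

def match_minidump(cmdline):
    """Return the captured fields if cmdline is a comsvcs.dll MiniDump call, else None."""
    m = COMSVCS_MINIDUMP.search(cmdline)
    if not m:
        return None
    return {"dll": m.group("dll").strip('"'),
            "pid": int(m.group("pid")),
            "dump": m.group("dump")}

def scan(events):
    """Run the rule over process-creation events and return one alert per hit."""
    alerts = []
    for ev in events:
        hit = match_minidump(ev["CommandLine"])
        if hit is None:
            continue
        # Keep the parent process name as context for the analyst (e.g. a WMI provider
        # host or a script host as parent is a stronger signal than an interactive shell).
        hit["parent"] = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        alerts.append(hit)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Correlating the captured PID against the PID of lsass.exe at event time is the step that separates a dump of lsass from a dump of any other process, which this rule leaves to the alert reviewer.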
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,597
    Location:
    Italy
    There are other rules in OSA that concern rundll32.exe for example this:

    "Attacks Mitigation Rules"

    Prevent rundll32.exe from using Control_RunDLL (Shell32.dll)

    So I assume it's possible to write a custom rule that blocks this:

rundll32.exe C:\Windows\System32\comsvcs.dll

    The question is whether this will cause problems?

    @mood

    Hi,
    Since you are good at OSA blocking rules, could you write such a rule?
    TH.;):)
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
    Refer to the Mitre link I posted:
    https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
     
    Last edited by a moderator: Jan 13, 2020
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
Looks like this latest hacker article plagiarized someone else's work: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/

    Of note:
    I assume this is in reference to lsass.exe running as a PPL on later Win 10 versions. However, still needed is proof this will bypass lsass.exe PPL protection.

    BTW - no Mimikatz needed here.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
I use NVT ERP v3 and have runDLL set as a vulnerable process, so I get an alert whenever it runs.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
    Well, elevating this bugger to System privileges doesn't work on Win 10 1909. Per .vbs script code referenced in above linked modexp article:

[Screenshot: Eset alert on the lsass.exe dump attempt]

    So I would say a PPL bypass of lsass.exe would have to be employed. See Matt Graeber's articles on that. Here's one: https://github.com/Mattiwatti/PPLKiller
     
    Last edited: Jan 13, 2020
  20. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,597
    Location:
    Italy
    Easy to lock.
    OSA has several predefined rules for VBscripts.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
    Really not the point. The point is System privilege escalation hack can be done many ways.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
There might be a way to stop this bugger for anyone not on a later version of Win 10, and that is using a HIPS.

I have an Eset HIPS rule that monitors wmiPrvSE.exe child process creation. I have had this rule in place for a long time and it has never triggered. However, when I ran the ProcDump.vbs script, here's what happened:

[Screenshot: Eset HIPS blocking rundll32.exe startup from wmiPrvSE.exe]

    Appears that anything likewise could detect the rundll32.exe startup regardless of where it was run from; at least on Win 10. It is hard to determine from the .vbs script code if the following is actually referencing wmiPrvSE.exe:
     
    Last edited: Jan 13, 2020
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
Here's one for non-Win 10 users as far as dumping lsass.exe.

    Just use Win Task Manager - only admin credentials needed:
    https://ired.team/offensive-securit...edentials-from-lsass-process-without-mimikatz

Of course, trying this on Win 10 results in:

[Screenshot: lsass.exe dump attempt from Task Manager denied]
     
  24. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,039
OSArmor has an advanced rule (disabled by default) for "block any process executed from wmiprvse.exe".
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,815
    Location:
    U.S.A.
    Yeah, I knew that.

What triggered the wmiprvse.exe execution Eset HIPS detection in Win 10 was the hidden command shell's attempted execution of the rundll32.exe child process from the .vbs script. So one would have to have the knowledge about this lsass.exe dump attack to effectively respond to the alert. Although any such command execution could be viewed as suspicious.

    What needs to be tested as far as OSArmor goes is if it detects the child process startup from wmiprvse.exe when wmiprvse.exe is started from a shell for example.
     
    Last edited: Jan 13, 2020