Mimikatz: An offensive tool that is widely used by cybercriminals
- It provides a wide range of functions, thus enabling both organized criminals and state-sponsored groups to obtain credentials from memory.
- Mimikatz exploitation tool was developed in 2017 to target Windows systems.
In today’s world, cyber attackers are continually making progress in their hacking tools and techniques in order to achieve a bigger malicious intent. However, this does not mean they are abandoning the basic tools, techniques, and procedures when conducting a cyber attack.
In fact, most of the attacks are performed by hackers by leveraging publicly available tools that can be used to detect and exploit security flaws on target systems and networks. Of all these, Mimikatz is one of the popular and widely used tools by hackers. It provides a wide range of functions, thus enabling both organized criminals and state-sponsored groups to obtain credentials from memory.
Developed in 2017, Mimikatz exploitation tool was used against Windows systems. This would allow an actor to collect credentials users who are logged into a targeted machine. This is done by accessing the data in memory within the Local Security Authority Subsystem Service (LSASS) system process.
Once the hackers gain access to the credentials, they can reuse the same to gain access to other machines on a network.
Mimikatz can enable an unauthorized person to gain privileged access within a domain and perform other malicious tasks. It can be used to exploit a poorly secured system and retrieve clear text credentials and hashes from memory.
“The tool can obtain LAN Manager and NTLM hashes, certificates, and long-term keys on Windows XP (2003) through to Windows 8.1 (2012r2). In addition, the tool can perform pass-the-hash or pass-the-ticket tasks and build Kerberos Golden tickets,” said a report by the Australian Cyber Security Centre.
Apart from these, hackers can automate various features of Mimikatz by just modifying the scripts. This allows an actor to rapidly exploit and traverse through a compromised network.
Since its discovery, Mimikatz exploit kit has been actively used by attackers to execute several attacks across the world. In 2011, the tool was used to obtain administrators credentials from the Dutch certificate authority, DigiNotar. The attack led to the company filing for bankruptcy within a month of the compromise.
In 2017, Mimikatz was used in conjunction with other hacking tools for distributing NotPetya and BadRabbit ransomware. Thousands of computers were affected in the attack and Mimikatz made the hackers' job easy by extracting administrator credentials. These credentials were used to facilitate lateral movement and enabled the ransomware to spread across the networks while encrypting the drives of those systems where the credentials were valid.
In another instance, the Microsoft research team detected the exploit tool being used in a sophisticated cyberattack targeting high-profile technology and financial institutions. Mimikatz was used to dump and likely reuse system hashes.
Keeping Windows up-to-date will help reduce the attack conducted using Mimikatz tool. Defenders should disable the storage of clear text passwords in LSASS memory in order to prevent Mimikatz from retrieving credentials.
Network administrators should monitor the network and respond immediately to any unauthorized account access. They should also ensure that their systems are patched with the latest versions. In addition, they should also audit the use of scripts, especially PowerShell, in order to identify anomalies.