Register to stream ATT&CKcon 2.0 October 29-30

Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

ID: S0002
Type: TOOL
Platforms: Windows
Contributors: Vincent Le Toux
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1098 Account Manipulation The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The LSADUMP::ChangeNTLM and LSADUMP::SetNTLM modules can also manipulate the password hash of an account without knowing the clear text value. [2] [7]
Enterprise T1003 Credential Dumping Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSA, SAM table, credential vault, DCSync/NetSync, and DPAPI. [1] [8] [5] [4]
Enterprise T1081 Credentials in Files Mimikatz's DPAPI module can harvest protected credentials stored and/or cached by browsers and other user applications by interacting with Windows cryptographic application programming interface (API) functions. [2] [5]
Enterprise T1207 DCShadow Mimikatz’s LSADUMP::DCShadow module can be used to make AD updates by temporarily setting a computer to be a DC. [1] [2]
Enterprise T1075 Pass the Hash Mimikatz's SEKURLSA::Pth module can impersonate a user, with only a password hash, to execute arbitrary commands. [2] [4]
Enterprise T1097 Pass the Ticket Mimikatz’s LSADUMP::DCSync, KERBEROS::Golden, and KERBEROS::PTT modules implement the three steps required to extract the krbtgt account hash and create/use Kerberos tickets. [2] [3] [6] [4]
Enterprise T1145 Private Keys Mimikatz's CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions. [2]
Enterprise T1101 Security Support Provider The Mimikatz credential dumper contains an implementation of an SSP. [1]
Enterprise T1178 SID-History Injection Mimikatz's MISC::AddSid module can appended any SID or user/group account to a user's SID-History. Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain. [2] [3]

Groups That Use This Software

ID Name References
G0049 OilRig [9] [10] [11]
G0007 APT28 [12]
G0003 Cleaver [13]
G0059 Magic Hound [11]
G0008 Carbanak [14]
G0006 APT1 [15]
G0077 Leafminer [16]
G0045 menuPass [17]
G0060 BRONZE BUTLER [18] [19]
G0032 Lazarus Group [20]
G0050 APT32 [21] [22] [23]
G0079 DarkHydrus [24] [9]
G0004 Ke3chang [25]
G0010 Turla [26] [27]
G0069 MuddyWater [28]
G0076 Thrip [29]
G0016 APT29 [30]
G0080 Cobalt Group [31] [32] [33]
G0082 APT38 [34]
G0011 PittyTiger [35]
G0027 Threat Group-3390 [36] [37]
G0086 Stolen Pencil [38]
G0087 APT39 [39]
G0064 APT33 [40]
G0088 TEMP.Veles [41]
G0093 Soft Cell [42]

References

  1. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
  2. Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
  3. Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.
  4. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  5. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.
  6. Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.
  7. Metcalf, S. (2015, January 19). Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015.
  8. Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.
  9. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  10. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  11. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  12. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  13. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  14. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  15. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  16. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  17. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  18. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  19. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  20. Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.
  21. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  1. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  2. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  3. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  4. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  5. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  6. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  7. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  8. Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.
  9. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  10. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  11. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  12. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  13. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  14. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.
  15. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  16. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  17. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  18. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  19. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  20. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  21. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.