Wednesday, December 5, 2018

In Defense of Mimikatz - Mieux vaut prévenir que guérir

I wanted to take a moment and write about Mimikatz. This is a comprehensive credential tool. It does far more than you might actually imagine. My purpose of this blog is to encourage defenders to look into this tool closely and consider how you might detect those who run it in its default configurations. And to provide thanks and props to Benjamin for his work.

First, mad respect and props to Benjamin Delpy @gentilkiwi for bringing this tool forward. It is my opinion that we now have eyes on authentication and credentials, that we may not have if this tool didn’t shine a light into this area. Benjamin was the keynote speaker this fall at DerbyCon.  

It is not often you get a powerful tool like this, AND you get the source code that backs it.
“Il vaut mieux faire que dire.” :)

Do you remember the first time you saw Mimikatz dump your password in plain text?

I do. I remember it well, it was around mid 2012. I stumbled onto this blog post.

I had been an argument earlier that week with someone claiming clear text dumping from memory was possible, and I DIDN’T believe it.  I was like, no way… Doesn’t happen. I literally thought what they were describing was impossible. I have since learned it is much wiser to take a learning posture when presented with evidence that seems to to go against what  you understand. When I saw mimikatz dump clear text creds, it was literally a transformative moment for me. “If you can do this?, what else is possible?”

Well, I now know that there is far more mystery in how Windows works than certainty. One only needs to look into MS14-068 or Danderspritz….

So again, thank you Benjamin for awakening in me a curiosity and insatiable appetite for learning more about Windows and how things *REALLY* work.

If I could share one thing here, it would be this.  Mimikatz and its complimentary tool Kekeo do FAR more than dump credentials from memory. In addition, I don’t think many defenders understand the great lengths Benjamin has gone to to make his tool detectable.

How many other tools, drop a YARA file in addition to their tool release?

Again, I applaud the efforts here to be transparent and to teach us. Defenders would do well to spend time studying this code for nuggets that are in the code.

Let’s look at one in depth.  And while I am a bit hesitant to expose this. It is a REALLY simple way to catch those actors who run this tool in its default configuration.

Let’s have a look at this blog for a moment:

So, there is a really interesting feature in Mimikatz, misc::memssp been there for some time actually…

Do you know what misc::memssp does?  Have you looked into closely? Do you understand the bug it can trigger on Server 2016 Domain Controllers ;-)?

Some questions you may have.

  1. When was this piece of code committed?
  2. What does it do?
  3. How can it be used by adversaries?
  4. How might I detect this?
  5. What are the default settings here, and how might they be changed.

I leave it as an exercise for the reader to look into how you might change the default settings.
Here is a hint: 0x740x720x790x680x610x720x640x650x72

In the end, it is my opinion that Benjamin is teaching all of us through his code, if you would take some time to look at it, study it a bit, I think there is something in here for all of us to learn.

Ok. there is so much more to try to share here.

In summary, I don’t think we as defenders need to be afraid of Mimikatz, in fact there is a lot here that we can learn from. One only needs to apply some Focus and Energy as Rob Joyce @RGB_Lights might say ;-).  My really only hope here is try to inspire or encourage you to look closely at this tool. And lastly, Benjamin's work stands and speaks on its own. He doesn't really need my commentary, critique or endorsement. I am simply trying to point others to appreciate the depth and transparency more.

I’ll close with this. Thank you Benjamin for this tool and insight into how credentials, authentication and secrets work and are stored in Windows. Without this work, those who understand these techniques, but choose not to share, would win the day. In the end, it is my opinion that we are all better for this great work.

Merci Beaucoup ;-)

In Defense of Mimikatz - Mieux vaut prévenir que guérir

I wanted to take a moment and write about Mimikatz. This is a comprehensive credential tool. It does far more than you might actually imagi...