Preventing Mimikatz Attacks

Mimikatz plays a part in almost every internal penetration test and red team engagement, mainly because of its ability to extract clear-text passwords from memory, and adversaries use it just as heavily in their operations. Even though Microsoft released a security update (KB2871997) that can be applied to older operating systems such as Windows 7 and Windows Server 2008 R2, Mimikatz is still effective in many environments and frequently leads to lateral movement and domain escalation. Note that Mimikatz can only dump credentials and password hashes from LSASS when it runs in the context of a privileged user such as a local administrator (or SYSTEM).

Debug Privilege

[Screenshot: Debug programs privilege — Local Administrators]

In a default installation of Windows Server 2016 the Group Policy setting is "Not Defined", so the local default applies and only the local Administrators group holds this user right.

[Screenshot: Debug programs privilege — Group Policy]

From the attacker's perspective, whether the right is available to the current token is checked in Mimikatz with the following command:

privilege::debug
[Screenshot: Check to validate debug privilege]

Mimikatz needs this privilege because it opens a protected system process, LSASS, and reads its memory. It is therefore good practice to assign the right only to the specific group of people who genuinely need it and to remove it from Local Administrators; defining the policy with no users or groups removes SeDebugPrivilege from everyone. Two caveats a practitioner should keep in mind: this is a speed bump rather than a hard block, since code running as SYSTEM does not need SeDebugPrivilege to open LSASS and an attacker who is already a local administrator can still run Mimikatz as SYSTEM (for example by launching it as a service or with PsExec -s); and removing the right also breaks legitimate debugging and some installers, so test the policy on the affected hosts before rolling it out.

Group Policy Management Editor -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Debug programs -> Define these policy settings:
[Screenshot: Disable the SeDebugPrivilege]
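The following PowerShell is an added example, not code from the original post: it audits which principals hold SeDebugPrivilege on a host (by exporting the effective user-rights assignment with secedit.exe) and checks whether the caller's own token carries the privilege, which is exactly what privilege::debug depends on. The temporary file name is an assumption; everything else uses built-in tools. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): audit who holds SeDebugPrivilege on this
# host and whether the caller's own token carries it. Run from an elevated prompt,
# since secedit.exe needs administrative rights to export the policy.

function Get-DebugPrivilegeHolders {
    # Export the effective user-rights assignment and read the SeDebugPrivilege line.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # temporary file name is an assumption
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
        if (-not $line) { return @() }     # the right is assigned to nobody
        $line.Split('=')[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
            $p = $_
            # secedit writes principals as SIDs with a leading '*'; resolve them to names.
            if ($p.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($p.TrimStart('*'))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $p }   # unresolvable SID (deleted account): keep the raw SID
            } else { $p }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-CurrentTokenDebugPrivilege {
    # whoami /priv lists every privilege present in the caller's token, enabled or not.
    # privilege::debug only has to enable an existing one; once the right is removed from
    # Administrators the privilege is absent from the token altogether and Mimikatz fails
    # with "ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061"
    # (STATUS_PRIVILEGE_NOT_HELD).
    $privs = & whoami.exe /priv
    [bool]($privs | Where-Object { $_ -match '^SeDebugPrivilege\b' })
}

Get-DebugPrivilegeHolders          # expect an empty result, or only a dedicated debugging group
Test-CurrentTokenDebugPrivilege    # $false for a local administrator once the GPO has applied
```

Run the first function on a sample of servers after the GPO refresh: any host that still reports BUILTIN\Administrators has not received the policy, or has a local override that a domain GPO will overwrite at the next refresh.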

Once the new policy has been applied across the domain, an attacker who has escalated to local administrator no longer holds this right, and Mimikatz responds with the following error:

[Screenshot: Mimikatz — Debug Privilege Disabled]

WDigest

sekurlsa::wdigest
[Screenshot: Mimikatz — WDigest]

Windows 8.1, Windows 10, Windows Server 2012 R2 and Windows Server 2016 no longer store WDigest credentials in memory by default. For older operating systems such as Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012, Microsoft released update KB2871997, which adds the UseLogonCredential registry value so that administrators can enable or disable WDigest credential caching. On those older systems the update alone is not enough: the value has to be set to 0 explicitly, so after applying the patch validate in the registry that WDigest is actually disabled.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
[Screenshot: WDigest — Disabled]

The Negotiate and UseLogonCredential values (REG_DWORD) under that key should both be 0 to disable the protocol completely. On newer operating systems (Windows Server 2016, Windows 10 and so on) the UseLogonCredential value does not exist by default, and its absence means disabled. An attacker with local administrator rights can of course modify the registry to re-enable WDigest and harvest clear-text credentials from the logons that follow, as Dave Kennedy explained in his blog, so a UseLogonCredential value that reappears or changes to 1 after the protocol was disabled is a strong indicator of an attack. Modifications to this key should be audited continuously (Windows Security event 4657 with a SACL on the key, or Sysmon event 13) so that the alert fires early and the threat is caught before the next interactive logon hands over a password.
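As an added example that is not part of the original post, the PowerShell below disables WDigest credential caching, places a SACL on the key so that any later change is written to the Security log as event 4657, and lists such changes with the changer, the process and the new value. It assumes registry object-access auditing is enabled (the auditpol command in the comment) and that the script runs elevated; the function names are the author's own.

```powershell
# Added example (not from the original post): disable WDigest credential caching, put a
# SACL on the key so that any later change is recorded as Security event 4657, and list
# such changes. Run elevated; writing a SACL needs SeSecurityPrivilege, which
# Administrators hold. Object-access auditing for registry objects must be on, e.g.
#   auditpol /set /subcategory:"Registry" /success:enable

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Disable-WDigest {
    foreach ($name in 'UseLogonCredential', 'Negotiate') {
        New-ItemProperty -Path $WDigestKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Test-WDigestDisabled {
    # On Windows 8.1 / Server 2012 R2 and later a missing UseLogonCredential means disabled;
    # on patched Windows 7 / 2008 R2 the value must be present and 0, so "missing" fails there.
    $p      = Get-ItemProperty -Path $WDigestKey
    $legacy = [Version](Get-CimInstance Win32_OperatingSystem).Version -lt [Version]'6.3'
    if ($legacy -and $null -eq $p.UseLogonCredential) { return $false }
    ($p.UseLogonCredential -ne 1) -and ($p.Negotiate -ne 1)
}

function Enable-WDigestAuditing {
    # Audit every successful SetValue on the key, by any principal.
    $acl  = Get-Acl -Path $WDigestKey -Audit
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $WDigestKey -AclObject $acl
}

function Get-WDigestTamperEvents {
    param([int]$Hours = 24)
    # 4657 = "A registry value was modified". Parse the event XML so fields are addressed by name.
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.ObjectName -match 'SecurityProviders\\WDigest') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process   = $d.ProcessName
                ValueName = $d.ObjectValueName
                NewValue  = $d.NewValue      # 1 here is the indicator of an attack
            }
        }
    }
}

Disable-WDigest
Enable-WDigestAuditing
Test-WDigestDisabled      # $true
Get-WDigestTamperEvents   # anything with NewValue 1 deserves an incident ticket
```

Forward event 4657 for this key to the SIEM rather than polling each host; the SACL is the durable part, and it survives the attacker deleting and recreating the value because the audit rule lives on the key, not the value.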

An attacker's attempt to retrieve plain-text credentials from WDigest fails when the protocol is disabled:

[Screenshot: Mimikatz — WDigest Disabled]

LSA Protection

sekurlsa::logonPasswords
[Screenshot: Mimikatz — Interact with LSA]

LSA Protection is available on Windows 8.1, Windows Server 2012 R2 and later, and should be enabled there. It runs LSASS as a Protected Process Light (PPL), so that unprotected processes cannot open it for memory reads even with SeDebugPrivilege, which stops Mimikatz from reading the credential material out of the process. The protection is enabled by creating the REG_DWORD value RunAsPPL with data 1 in the following registry location and rebooting. Roll it out in audit mode first (AuditLevel = 8 under the LSASS.exe subkey of the same location) and review events 3065 and 3066 in the Microsoft-Windows-CodeIntegrity/Operational log, which name the LSA plugins and drivers that would fail to load once the protection is enforced. Note also that the protection can be removed by an administrator who is able to load a signed kernel driver: Mimikatz ships one (mimidrv) for exactly this purpose, so driver loads on servers should be monitored as well.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
[Screenshot: LSA Protection Enabled]
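The staged rollout described above, as an added PowerShell example that is not part of the original post: phase one switches on audit mode and collects the CodeIntegrity events that name incompatible plugins, phase two enforces RunAsPPL, and a check function reports both the configured value and whether LSASS actually started protected at the current boot (Wininit writes System event 12 when it does). It assumes Windows 8.1 / Server 2012 R2 or later; the function names are the author's own.

```powershell
# Added example (not from the original post): stage LSA Protection. Phase 1 turns on audit
# mode and collects the CodeIntegrity events that name plugins which would be rejected;
# phase 2 enforces RunAsPPL. Both phases take effect after a reboot.
# Assumes Windows 8.1 / Server 2012 R2 or later.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LsassKey = Join-Path $LsaKey 'LSASS.exe'   # location of the AuditLevel value

function Enable-LsaProtectionAudit {
    # Phase 1: audit only. LSASS keeps running unprotected, but every plugin or driver that
    # would be refused under enforcement is logged instead of blocked.
    if (-not (Test-Path $LsassKey)) { New-Item -Path $LsassKey | Out-Null }
    New-ItemProperty -Path $LsassKey -Name AuditLevel -PropertyType DWord -Value 8 -Force | Out-Null
}

function Get-LsaProtectionAuditFindings {
    # 3065: plugin/driver does not meet the protection requirements (would be blocked)
    # 3066: plugin/driver failed the signature/catalog check
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Enable-LsaProtection {
    # Phase 2: enforce. On UEFI Secure Boot hosts the setting is also persisted in a UEFI
    # variable, so deleting the registry value later is not enough to turn it off.
    New-ItemProperty -Path $LsaKey -Name RunAsPPL -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-LsaProtection {
    # The registry says what will happen at the next boot; Wininit says what happened at this
    # one: System log, provider Microsoft-Windows-Wininit, event 12
    # "LSASS.exe was started as a protected process with level: 4".
    $configured = (Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue).RunAsPPL -eq 1
    $lastBoot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $filter     = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $lastBoot }
    $started    = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ConfiguredInRegistry = $configured
        ActiveSinceLastBoot  = [bool]$started
    }
}

# Day 1: audit, reboot, let the host run through its normal logon and service activity.
Enable-LsaProtectionAudit
# Day 2 onwards: review, fix or remove whatever 3065/3066 names, then enforce and reboot.
Get-LsaProtectionAuditFindings
Enable-LsaProtection
Test-LsaProtection    # both fields $true after the reboot
```

A host where ConfiguredInRegistry is true but ActiveSinceLastBoot is false has either not rebooted yet or has had the protection stripped at runtime, which is worth a closer look at recent driver loads.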

On a system with LSA Protection enabled the attacker gets the following error:

[Screenshot: Mimikatz — LSA Protection]

Restricted Admin Mode

Restricted Admin mode for RDP keeps the administrator's credentials off the remote host: the client authenticates with Kerberos or NTLM and the user's password is never sent to, or delegated to, the target, so there is nothing for Mimikatz to harvest from LSASS there after the session. The "DisableRestrictedAdmin" value (REG_DWORD) should be created with data 0 in the following location on every system that is allowed to accept RDP sessions in Restricted Admin mode. Furthermore, the "DisableRestrictedAdminOutboundCreds" value should be created with data 1 so that a Restricted Admin session cannot perform outbound network authentication with the target computer's account; when this value is absent, outbound credentials are enabled. One trade-off to keep in mind: because the client no longer needs the clear-text password, an attacker who holds only an administrator's NTLM hash can open an RDP session to such hosts with pass-the-hash (sekurlsa::pth followed by mstsc /restrictedAdmin), so restrict which accounts may log on over RDP to these hosts and combine the setting with the Protected Users group, whose members cannot authenticate with NTLM at all.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
[Screenshot: Restricted Admin Mode — Enabled]

The "Restrict delegation of credentials to remote servers" policy (Computer Configuration -> Administrative Templates -> System -> Credentials Delegation) needs to be enforced across the domain so that every outbound RDP session from an administrative workstation uses "RestrictedAdmin" mode and credentials are never delegated to the target.

[Screenshot: Restrict Delegation of Credentials — Group Policy]

The policy needs to be enabled with the “Require Restricted Admin” setting.

[Screenshot: Restrict Delegation of Credential — Enabled Restricted Admin]

Once this policy is enforced, administrators can RDP to workstations and servers that carry the required registry values by launching mstsc.exe with the /restrictedAdmin switch from the Windows Run dialog.

[Screenshot: Restricted Admin Mode Switch — Run]

Or by executing the same command directly from a command prompt.

[Screenshot: Restricted Admin Mode Switch — Command Prompt]

For operating systems prior to Windows Server 2012 R2 and Windows 8.1, this feature is delivered by the same KB2871997 update from Microsoft.
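The end-to-end configuration above (target-side registry values, client-side policy, and the client invocation), as an added PowerShell example that is not from the original post. It assumes a domain environment with Windows 8.1 / Server 2012 R2 or later (or KB2871997 on older hosts), WinRM access to the target for the remote check, and that the CredentialsDelegation registry values are the registry-backed form of the "Restrict delegation of credentials to remote servers" policy from CredSsp.admx; in a domain, set that policy through the GPO shown above rather than this local write.

```powershell
# Added example (not from the original post): configure Restricted Admin mode on a target
# host, enforce the client-side policy on an admin workstation, check a target remotely,
# and open the session. Assumes a domain, Windows 8.1 / Server 2012 R2 or later (or
# KB2871997 on older hosts), and WinRM for the remote check.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$CredDeleg = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Enable-RestrictedAdminTarget {
    # On hosts that accept RDP: allow Restricted Admin sessions (0 = not disabled) and forbid
    # outbound network authentication from inside such a session.
    New-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $LsaKey -Name DisableRestrictedAdminOutboundCreds -PropertyType DWord -Value 1 -Force | Out-Null
}

function Enable-RestrictedAdminClientPolicy {
    # Registry-backed form of "Restrict delegation of credentials to remote servers"
    # (CredSsp.admx): RestrictedRemoteAdministration = 1 turns the policy on and
    # RestrictedRemoteAdministrationType = 1 selects "Require Restricted Admin".
    # Prefer the domain GPO; this is for standalone admin workstations.
    if (-not (Test-Path $CredDeleg)) { New-Item -Path $CredDeleg -Force | Out-Null }
    New-ItemProperty -Path $CredDeleg -Name RestrictedRemoteAdministration -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $CredDeleg -Name RestrictedRemoteAdministrationType -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RestrictedAdminTarget {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Read the target's settings over WinRM. An absent DisableRestrictedAdmin means the host
    # does NOT accept Restricted Admin sessions, so the check treats absent as $false.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            AcceptsRestricted    = ($p.DisableRestrictedAdmin -eq 0)
            OutboundCredsBlocked = ($p.DisableRestrictedAdminOutboundCreds -eq 1)
        }
    }
}

function Connect-RestrictedAdmin {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Equivalent to typing "mstsc /restrictedAdmin /v:<host>" in the Run dialog.
    Start-Process -FilePath mstsc.exe -ArgumentList "/restrictedAdmin /v:$ComputerName"
}

# On the jump host / admin workstation (server name is constructed for the example):
Enable-RestrictedAdminClientPolicy
Test-RestrictedAdminTarget -ComputerName 'FS01'   # both flags should be $true before connecting
Connect-RestrictedAdmin    -ComputerName 'FS01'
```

With "Require Restricted Admin" enforced on the client, an RDP attempt to a host whose DisableRestrictedAdmin value is missing or 1 simply fails, which is the safe failure: it is better to lose the session than to leave a domain admin's credentials on a file server.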

Credential Caching

Domain credentials from previous interactive logons are cached locally (as MS-Cache v2, also called DCC2, verifiers) so that users can still log on when no domain controller is reachable. They are stored under the following registry key:

HKEY_LOCAL_MACHINE\SECURITY\Cache

Mimikatz can retrieve these hashes (the SECURITY hive is readable only by SYSTEM, so token::elevate comes first) with the following command:

lsadump::cache

By default Windows caches the last 10 logons. Cached verifiers cannot be replayed in a pass-the-hash attack and are slow to crack (PBKDF2-HMAC-SHA1 with 10,240 iterations), but a weak password still falls quickly, so it is recommended to prevent local caching on servers and fixed workstations by changing the following security setting to 0. Laptops that must log on while away from the corporate network need at least 1; the setting is stored as the REG_SZ value CachedLogonsCount under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Interactive logon: Number of previous logons to cache (in case domain controller is not available) -> 0
[Screenshot: Interactive Logon — Do not cache logons]
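As an added PowerShell example (not from the original post) of applying this setting per host role rather than blindly to 0, the script below detects whether the machine is a server, a desktop or a portable, writes the matching CachedLogonsCount value, and reads it back. The role thresholds (0 for servers and desktops, 1 for laptops) and the chassis-type mapping are the author's assumptions; where a domain GPO defines the setting it will overwrite this local value at the next refresh.

```powershell
# Added example (not from the original post): set the cached-logon count by host role and
# verify it. The GPO setting "Interactive logon: Number of previous logons to cache" is
# stored as the REG_SZ value CachedLogonsCount under Winlogon. Role thresholds are an
# assumption: servers and desktops never need offline logon, laptops keep one entry.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-HostRole {
    $os = Get-CimInstance Win32_OperatingSystem
    if ($os.ProductType -ne 1) { return 'Server' }       # 1 = workstation, 2 = DC, 3 = member server
    # Win32_SystemEnclosure chassis types for portables: 8 Portable, 9 Laptop, 10 Notebook,
    # 11 Hand Held, 14 Sub Notebook, 30 Tablet, 31 Convertible, 32 Detachable.
    $portable = 8, 9, 10, 11, 14, 30, 31, 32
    $chassis  = (Get-CimInstance Win32_SystemEnclosure).ChassisTypes
    if ($chassis | Where-Object { $_ -in $portable }) { 'Laptop' } else { 'Desktop' }
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)   # Windows accepts 0..50
    # Winlogon reads this value as a string, so write REG_SZ even though it is numeric.
    New-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -PropertyType String -Value "$Count" -Force | Out-Null
}

function Get-CachedLogonsCount {
    [int](Get-ItemProperty -Path $WinlogonKey).CachedLogonsCount
}

$target = switch (Get-HostRole) { 'Laptop' { 1 } default { 0 } }
Set-CachedLogonsCount -Count $target
Get-CachedLogonsCount    # 0 on servers and desktops, 1 on laptops
```

Lowering the count is most valuable on servers and shared workstations, where a domain admin may have logged on once and left a verifier behind that outlives the session by months.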

An attacker's attempt to retrieve these password hashes with Mimikatz then fails:

[Screenshot: Mimikatz — Credential Caching Disabled]

Protected Users Group

The “Protected Users” security group can be found in the Active Directory Users and Computers.

[Screenshot: Active Directory — Protected Users Security Group]

Accounts that are members of this group are subject to non-configurable authentication restrictions: they can authenticate with Kerberos only (NTLM, Digest and CredSSP are refused), the client-side LSASS does not cache their clear-text password, NTLM hash or Kerberos long-term keys, DES and RC4 are not used for Kerberos pre-authentication, the accounts cannot be delegated, and their TGT lifetime is limited to four hours regardless of the domain Kerberos policy, whose defaults are shown below:

[Screenshot: Kerberos Default Policy]

Alternatively, accounts can be added to the "Protected Users" group from PowerShell with the ActiveDirectory module by executing the following command:

Add-ADGroupMember -Identity 'Protected Users' -Members Jane
[Screenshot: Protected Users Group — Add Accounts via PowerShell]

The group is created automatically once the PDC emulator runs on Windows Server 2012 R2 or later; the domain-side protections require the Windows Server 2012 R2 domain functional level, while the client-side protections reach older operating systems such as Windows 7 and Windows Server 2008 R2 through the same KB2871997 update. Keep at least one break-glass account and every service account out of the group, since members cannot use NTLM, cached logons or delegation.
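The membership change above with the guard rails a practitioner wants, as an added PowerShell example that is not part of the original post: it refuses to run below the 2012 R2 domain functional level, skips a named break-glass account and any account that carries an SPN (a service account would stop working once NTLM and delegation are refused), adds the rest, and verifies the result. It assumes the ActiveDirectory module and rights to modify the group; the account names alice.adm, bob.adm and svc-backup are constructed for the usage call.

```powershell
# Added example (not from the original post): add administrative accounts to Protected
# Users safely, then verify. Assumes the ActiveDirectory module and rights to modify the
# group. Account names in the usage call are constructed; svc-backup is assumed to carry
# an SPN so that the skip path is exercised.

Import-Module ActiveDirectory

function Add-ProtectedUserSafely {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [string[]]$BreakGlass = @('Administrator')   # always keep one emergency account out
    )
    # Domain-side protections (no NTLM, no RC4/DES, no delegation, 4-hour TGT) need the
    # domain functional level at Windows Server 2012 R2 or higher.
    $mode = (Get-ADDomain).DomainMode
    if ($mode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain) {
        throw "Domain functional level is $mode; Protected Users needs Windows2012R2Domain or higher"
    }
    foreach ($sam in $SamAccountName) {
        if ($sam -in $BreakGlass) { Write-Warning "$sam is a break-glass account; skipping"; continue }
        $u = Get-ADUser -Identity $sam -Properties servicePrincipalName -ErrorAction Stop
        # Service accounts cannot live in this group: NTLM and delegation stop working for them.
        if ($u.servicePrincipalName) { Write-Warning "$sam carries an SPN; skipping"; continue }
        Add-ADGroupMember -Identity 'Protected Users' -Members $u
        Write-Verbose "Added $sam to Protected Users"
    }
}

function Test-ProtectedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $members = Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName
    $SamAccountName -in $members
}

Add-ProtectedUserSafely -SamAccountName 'alice.adm', 'bob.adm', 'svc-backup' -Verbose
Test-ProtectedUser -SamAccountName 'alice.adm'     # $true
Test-ProtectedUser -SamAccountName 'svc-backup'    # $false: skipped because of its SPN
```

Members also lose cached logons, so an administrator whose daily-driver account goes into this group can no longer sign in to a laptop while off the network; give admins a separate privileged account for the group and leave their ordinary account out of it.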

Conclusion

Published in Blue Team: Technical advice for Blue Teams to prevent cyber threats
