Threat Hunting Diary Part 1 - Hunting Mimikatz

kminthein, published in qwerty
May 28, 2020

This is my very first post in a threat hunting series on Medium. Please note that every threat hunter has a different hunting methodology. Last year at BSides Myanmar, Sai Lay (formerly known as 404death) and I talked about Threat Detection and Simulation using MITRE ATT&CK and HELK. I also wanted to write blog posts about threat hunting, but I didn’t have the free time. Now I want to share how to detect a Mimikatz attack (the basic case; a modified Mimikatz binary is out of scope).

Introduction

As a threat hunter, you need to know the collection of adversary techniques called MITRE ATT&CK. The purpose of this blog post is only to share how to hunt Mimikatz, so if you want to know what MITRE ATT&CK is, please go here. To set up a free threat hunting platform you can use HELK, which is developed by CyberWarDog. You can use the Docker version here, which is very easy to set up; if you don’t have many server resources, CyberWarDog also wrote a blog post, “Setting Up a Pentesting… I mean a Threat Hunting Lab”. That route is a daunting task for a beginner, so I recommend the Docker version. In this post, I will explain with my customized ELK, so there can be small differences from the HELK version.

You also need to know how to write Sysmon rules for endpoint visibility. Sysmon provides detailed information about process creations, network connections, and changes to file creation time. You can download Sysmon here. For the rule set, I used the SwiftOnSecurity rule file.

After installing HELK and sysmon, you can start your threat hunting journey.

Mimikatz is a post-exploitation tool developed by Benjamin DELPY. Its purpose is to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It can also perform pass-the-hash and pass-the-ticket, build Golden Tickets, run DCShadow and more. For more techniques, read the Mimikatz wiki.

Simulation

Now, let’s try to simulate an adversary.

Suppose that one of your coworkers is compromised through spear phishing or a zero-day exploit. What do you think an attacker will do first? From my perspective, he will try to get system access on the victim machine, then steal the victim’s credentials, or perhaps stop your SIEM agent such as Sysmon. To steal credentials he needs a credential dumping tool such as Mimikatz or gsecdump. That is why I said MITRE ATT&CK is so important for both attacker and defender: if you want to know about new attack techniques, or how an attacker carries out an intrusion, you can refer to ATT&CK.

In order to simulate the credential dumping technique (T1003 in ATT&CK), download Mimikatz here. Then run Mimikatz.

Then run the most popular Mimikatz commands.

You will see interesting credentials on your screen.

Detection (event id 1)

Now, before viewing the Sysmon events that reach your ELK server, let’s clean the indices in Elasticsearch so that only the new events are in view.

curl -XDELETE 'localhost:9200/logs-*?pretty'

If you are using HELK, you can filter on the process name using the query below.

process_name: "mimikatz.exe"

After applying the above filter, we get one matching event in our ELK server: event id 1 (process create). You can view the detailed event ids here and the Sysmon suspicious activity guide here.

Now, let’s consider how to get a unique detection from that event. As shown below, we can detect it with the Description, Product, Company, OriginalFileName and Hash fields, since they are unique enough for basic detection cases. But these fields can be easily spoofed; what if the attacker spoofs them? Roberto Rodriguez (aka cyberward0g) wrote a blog post about detecting Mimikatz using the image loaded event (event id 7). I recommend reading his blog post here, because the image loaded event is quite hard for an attacker to evade.

Detection (event id 10)

Event id 1 will only give you basic detection, and you will mostly get fooled by the attacker. When Mimikatz tries to read Windows credentials, it needs to access the memory of the lsass.exe process. According to Microsoft and SANS,

The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. Windows so that users are not required to reauthenticate each time they access resources (“Cached and Stored Credentials Technical Overview,” n.d.)

When reading credentials with sekurlsa::logonpasswords, Mimikatz reads the cache from lsass.exe, as shown below.

The granted access code is 0x1010, which is a fairly unique identifier for Mimikatz, so you can alert whenever the granted access code is 0x1010.

So, does the granted access code give you a silver bullet? No. IPPSEC explains how to bypass the granted access code check in this video. :)

In my opinion, implementing as many rules as possible improves your chances of detecting incoming threats.

Writing Detection Rules

Now it’s time to write some detection rules to detect Mimikatz according to the scenario above and according to ATT&CK. You can also find the example rules file here.

Add the content below to the Logstash config folder (in my case /etc/logstash/conf.d/mimikatz.conf). Then restart Logstash with service logstash restart and run Mimikatz again.

filter {
  # mimikatz
  if "gentilkiwi" in [file_company] or "mimikatz" in [process_name] or "0x1010" in [process_granted_access] {
    mutate {
      add_field => {
        "mitreReference" => "https://attack.mitre.org/techniques/T1003"
        "mitreAttackDescription" => "Mimikatz"
        "mitreID" => "T1003"
        "mitreTatic" => "Credential Access"
        "mitrePlatform" => "Windows"
      }
    }
  }
}

The rule above matches when the Company field contains “gentilkiwi”, the process name contains “mimikatz”, or the granted access code is 0x1010; on a match Logstash adds the mitreReference, mitreAttackDescription, mitreID, mitreTatic and mitrePlatform fields. You can then search with mitreID: "T1003" as shown below.

Sitting in the middle, between the attacker side and the defender side, is fun, right? As discussed earlier in this post, detection is not easy. You will need a lot of hard tuning work to reduce false positives.
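The same three conditions as a stand-alone tagger you can run over exported events without a Logstash instance, covering both the event id 1 metadata checks and the event id 10 granted-access check discussed above. This is an added example, not code from the original post or from HELK. The sample events are constructed, and the flattened field names (event_id, process_name, file_company, target_process_name, process_granted_access) are assumed to match HELK's normalised Sysmon schema. It goes slightly beyond the Logstash rule in two ways: the string matches are case-insensitive, and the granted access value is parsed as a number and compared exactly, so "0x1010" does not also match a longer mask that merely contains it as a substring. It also decodes the mask into the Win32 process access rights it is made of, which is what tells you 0x1010 means "read the target's memory and query limited information".

```python
"""Tag Sysmon events the way the post's Logstash filter does, in Python.

Added example, not code from the original post or from HELK. Events below
are constructed; the flattened field names are assumed to follow HELK.
"""
import copy
import json

# Fields the Logstash rule adds on a match (same values as in the post).
MITRE_TAGS = {
    "mitreReference": "https://attack.mitre.org/techniques/T1003",
    "mitreAttackDescription": "Mimikatz",
    "mitreID": "T1003",
    "mitreTatic": "Credential Access",
    "mitrePlatform": "Windows",
}

# Process access rights from winnt.h, used to decode the GrantedAccess
# mask that Sysmon event id 10 (ProcessAccess) records.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}


def decode_access_mask(mask):
    """Return the named rights set in a GrantedAccess mask (int or '0x..' string)."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def is_mimikatz_like(event):
    """The three conditions of the post's Logstash 'if'.

    Differences from the Logstash version: string checks ignore case, and the
    granted access value is compared as a number rather than as a substring.
    """
    company = (event.get("file_company") or "").lower()
    name = (event.get("process_name") or "").lower()
    if "gentilkiwi" in company or "mimikatz" in name:
        return True
    granted = event.get("process_granted_access")
    if granted is None:
        return False
    try:
        return int(granted, 16) == 0x1010
    except ValueError:  # malformed field: do not alert on garbage
        return False


def tag_event(event):
    """Return a copy of the event with the MITRE fields added when it matches."""
    tagged = copy.deepcopy(event)
    if is_mimikatz_like(event):
        tagged.update(MITRE_TAGS)
        if "process_granted_access" in event:
            tagged["granted_access_decoded"] = decode_access_mask(event["process_granted_access"])
    return tagged


def hunt(events):
    """Run the rule over a list of events and return only the tagged ones."""
    return [e for e in map(tag_event, events) if e.get("mitreID") == "T1003"]


# Constructed sample events in a flattened, HELK-like shape.
SAMPLE_EVENTS = [
    # event id 1: caught by the process name and the Company field
    {"event_id": 1, "process_name": "mimikatz.exe", "file_company": "gentilkiwi (Benjamin DELPY)"},
    # event id 1: benign process creation
    {"event_id": 1, "process_name": "notepad.exe", "file_company": "Microsoft Corporation"},
    # event id 10: name and metadata match nothing; caught only by the access mask
    {"event_id": 10, "process_name": "dumper.exe", "target_process_name": "lsass.exe",
     "process_granted_access": "0x1010"},
    # event id 10: a handle to lsass.exe with a different mask (no alert)
    {"event_id": 10, "process_name": "taskmgr.exe", "target_process_name": "lsass.exe",
     "process_granted_access": "0x1400"},
    # event id 10: constructed mask that contains "0x1010" as text but is not 0x1010
    {"event_id": 10, "process_name": "procexp.exe", "target_process_name": "lsass.exe",
     "process_granted_access": "0x101000"},
]

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

Run it as-is to see the two tagged events; to use it on real data, replace SAMPLE_EVENTS with events exported from your index. The last sample event is the reason for comparing the parsed number: a substring test on "0x1010" would have tagged it.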
