Detecting Mimikatz Use On Your Network, (Tue, Feb 10th)

I am an awesome hacker. Perhaps the world's greatest hacker. Don't believe me? Check out this video where I prove I know the administrator password for some really important sites!

(Watching it full screen is a little easier on the eyes.)

OK. I lied. I'm a fraud, and I'll concede the title of greatest hacker to those listed on attrition.org's charlatans page. I didn't really hack those sites. But I certainly did enter a username and password for those domains, and my machine accepted them and launched a process with those credentials! Is that just a cool party trick or perhaps something more useful? What happened to those passwords I entered?

The /netonly option of the runas command launches a program as a user that exists on a remote machine. The system accepts the username and password for that remote user and creates an authentication token in the memory of your LSASS process without any interaction with the remote host. With this option I can run commands on my host as the administrator of a domain without actually knowing the password for that account. Sounds dangerous? Not really. The command you run doesn't get any elevated access on your machine, and with an invalid password it is no threat to Microsoft. Windows doesn't try to authenticate to the domain to launch the process. It assumes the credentials are correct, calculates the hashes and stores them in memory for future use. If, at some point in the future, you try to access a resource on that domain, Windows single sign-on will automatically PASS THE HASH to the remote system and log you in. But until you try to access the remote network, the passwords just sit there in memory.

The result is a really cool party trick and an even cooler way to detect stolen password hashes being used in our environment. You see, those fake credentials are stored in the exact same location as the real credentials. So, when an attacker uses mimikatz, Windows Credential Editor, meterpreter, procdump.exe or some other tool to steal passwords from your system, they will find your staged Honey Hash Tokens in memory. It is worth noting that they will not see those hashes if they use "run hashdump", "hashdump" or any of the other commands that steal password hashes from disk rather than memory. However, that is uncommon unless the attacker is on the Domain Controller, and it will not raise suspicion.

Let's try it out and see how this deception might look to an attacker. First I use runas /netonly to launch a command prompt as the administrator account of a domain I don't control. Then, when prompted for the administrator's password, I can provide any password that I want. In this example I typed superpass. Now, let's create an account for root on the linux.org domain. Yes, I know that is absurd. The absurdity demonstrates that you can put anything in LSASS you want. You can even use this to post snarky messages taunting the attackers if you want to live dangerously. (Not Recommended)

runas /user:linux.org\root /netonly cmd.exe

Once again, when prompted for the root user's password, I can enter anything I want. For this example I chose notreallythepassword. You will need to leave those command prompts running on your system to keep the credentials in memory. That is something a careful attacker might notice, but I'm betting they won't.
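The staging steps above can be scripted instead of typed into an interactive runas prompt. The following is an added example, not code from the diary or from Mark Baggett: it calls the same Win32 API that runas /netonly uses, CreateProcessWithLogonW with the LOGON_NETCREDENTIALS_ONLY flag, so the decoy username and password are cached in LSASS without ever being validated. The function name New-HoneyHashToken, the HoneyToken wrapper class and the choice of a hidden cmd.exe as the resident "keeper" process are all my own assumptions; the decoy values are the ones from the walkthrough.

```powershell
# Added example (not from the diary): stage a decoy credential in LSASS the same
# way `runas /netonly` does, via CreateProcessWithLogonW + LOGON_NETCREDENTIALS_ONLY.
# The decoy stays in memory only while the child process is alive, so the
# launcher keeps an idle, window-less cmd.exe resident (assumed design choice).
$HoneyTokenApi = @'
using System;
using System.Runtime.InteropServices;

public class HoneyToken
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    public const int LOGON_NETCREDENTIALS_ONLY = 0x00000002; // the flag behind /netonly
    public const int CREATE_NO_WINDOW          = 0x08000000;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithLogonW(
        string lpUsername, string lpDomain, string lpPassword, int dwLogonFlags,
        string lpApplicationName, string lpCommandLine, int dwCreationFlags,
        IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
}
'@
Add-Type -TypeDefinition $HoneyTokenApi

function New-HoneyHashToken {
    param(
        [Parameter(Mandatory)][string]$Domain,    # e.g. linux.org
        [Parameter(Mandatory)][string]$UserName,  # e.g. root
        [Parameter(Mandatory)][string]$Password,  # any value; never validated with /netonly semantics
        # Keeper process: cmd.exe blocked on 'pause' with no visible window.
        [string]$CommandLine = 'cmd.exe /c pause'
    )
    $si = New-Object HoneyToken+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object HoneyToken+PROCESS_INFORMATION

    $ok = [HoneyToken]::CreateProcessWithLogonW(
        $UserName, $Domain, $Password, [HoneyToken]::LOGON_NETCREDENTIALS_ONLY,
        $null, $CommandLine, [HoneyToken]::CREATE_NO_WINDOW,
        [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)

    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "CreateProcessWithLogonW failed with Win32 error $err"
    }
    # Return the PID so a logon script can record (or later terminate) the keeper.
    $pi.dwProcessId
}

# The decoy from the walkthrough, staged without an interactive password prompt.
New-HoneyHashToken -Domain 'linux.org' -UserName 'root' -Password 'notreallythepassword'
```

Because the process runs under the caller's own local token, it has no more rights on the host than the user who launched it, exactly as the diary describes for runas /netonly. The keeper process is still visible in the process list, so the "careful attacker might notice" caveat above applies here as well.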

You can see both the hashes and clear text passwords sitting there just waiting for a hacker to find them. But these hashes, unlike all the others, will not get them anywhere on my network. This powerful deception can be exactly what you need to detect the use of stolen passwords on your network.

Here is the idea. You stage these fake credentials in the memory of computers you suspect might be the initial entry point into your network, perhaps all the computers sitting in your DMZ. For a great deception, my friend Rob Fuller (@mubix) is toying with the idea of putting this into the logon scripts to stage fake workstation administrator accounts on all the machines in your network. Then you would set up alerts on your network that detect any use of the fake accounts. Be sure to choose a username that an attacker will think is valid and believe has high privileges on your domain. So rather than microsoft.com\administrator you might try SuperAdmin. (Unless, of course, you are Microsoft.)
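The alerting half of the idea can be as simple as watching the Security log for any authentication attempt naming a decoy account. The following is an added example, not code from the diary: it parses Security events in the XML shape that Get-WinEvent's ToXml() returns, looks at event 4625 (failed logon, recorded on the host that was targeted) and event 4776 (NTLM credential validation, recorded on the domain controller), and emits an alert record whenever the account is one of the staged decoys. The function names, the $HoneyAccounts list and the three sample events (hostnames, addresses and timestamps) are constructed for illustration.

```powershell
# Added example (not from the diary): flag authentication attempts that use the
# decoy usernames staged with runas /netonly. Sample events are constructed XML
# in the shape Get-WinEvent's ToXml() returns for Security events 4625 and 4776.
$HoneyAccounts = @('SuperAdmin', 'root')   # assumed: the decoy names you staged

function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    # EventData is a flat list of <Data Name="...">value</Data> elements.
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Id       = [int]$doc.Event.System.EventID
        Time     = $doc.Event.System.TimeCreated.SystemTime
        Computer = $doc.Event.System.Computer
        Data     = $data
    }
}

function Find-HoneyTokenUse {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        [string[]]$Watch = $HoneyAccounts
    )
    process {
        $e = ConvertFrom-SecurityEventXml -Xml $EventXml
        if ($e.Id -eq 4625) {
            # Failed logon on the target host: source IP is in the event itself.
            $user = $e.Data['TargetUserName']; $source = $e.Data['IpAddress'];   $status = $e.Data['SubStatus']
        } elseif ($e.Id -eq 4776) {
            # NTLM validation on the DC: the requesting workstation name is logged.
            $user = $e.Data['TargetUserName']; $source = $e.Data['Workstation']; $status = $e.Data['Status']
        } else {
            return
        }
        # A decoy account has no legitimate use, so any attempt is an alert,
        # whether the status says "bad password" or "no such user".
        if ($Watch -contains $user) {
            [pscustomobject]@{
                Alert    = 'HONEY-HASH-TOKEN-USED'
                Time     = $e.Time
                Account  = $user
                Source   = $source
                LoggedOn = $e.Computer
                EventId  = $e.Id
                Status   = $status
            }
        }
    }
}

# --- constructed sample events (not real log data) ---
$ev4625 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2015-02-10T14:22:31.000Z"/><Computer>FILESRV01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">SuperAdmin</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data><Data Name="IpAddress">10.1.2.3</Data>
  </EventData>
</Event>
'@
$ev4776ok = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4776</EventID><TimeCreated SystemTime="2015-02-10T14:23:05.000Z"/><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">jsmith</Data><Data Name="Workstation">WS-0042</Data><Data Name="Status">0x0</Data>
  </EventData>
</Event>
'@
$ev4776decoy = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4776</EventID><TimeCreated SystemTime="2015-02-10T14:23:40.000Z"/><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">root</Data><Data Name="Workstation">DMZWEB01</Data><Data Name="Status">0xc0000064</Data>
  </EventData>
</Event>
'@

# Only the two decoy attempts come out; jsmith's normal logon is ignored.
@($ev4625, $ev4776ok, $ev4776decoy) | Find-HoneyTokenUse | Format-Table -AutoSize
```

Against a live system the same filter hangs off the event log reader, for example Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4776} | ForEach-Object { $_.ToXml() } | Find-HoneyTokenUse, run on the domain controllers for 4776 and on member servers for 4625. The detection keys only on the username, so it works whether or not the decoy account actually exists in the directory; only the status code in the alert differs.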

That's the idea. I hope it is helpful.

Mark Baggett. Follow me on Twitter: @markbaggett

Like this? Interested in learning how to automate this and other common tasks with Python? Join me in Orlando, Florida, April 13th. Attackers and defenders will learn the essentials of Python, networking, regular expressions, interacting with websites, threading and much more. Sign up soon for discounted pricing.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.