URL: https://redcanary.com/threat-detection-report/threats/mimikatz/
THREAT


MIMIKATZ

Mimikatz is a credential-dumping utility commonly leveraged by adversaries,
penetration testers, and red teams to extract passwords. As an open source
project, Mimikatz continues to be actively developed, with several new features
added in 2020.

Overall rank: #2

Customers affected: 8.8%
Editors’ note: While the analysis and detection opportunities remain applicable,
this threat page was written for a previous Threat Detection Report and has not
been updated in 2022.




ANALYSIS

Mimikatz is an open source credential-dumping utility that was initially
developed in 2007 by Benjamin Delpy to abuse various Windows authentication
components. While the initial v0.1 release was oriented towards abusing already
well established “Pass The Hash” attacks, after expanding its library of abuse
primitives, the tool was publicly released as Mimikatz v1.0 in 2011. A decade
later, Mimikatz is still a fantastic utility for adversaries to gain lateral
mobility within an organization. In 2020, Red Canary observed various actors
using Mimikatz during intrusions, including deployment alongside cryptominers
such as Blue Mockingbird or ransomware such as Nefilim, Sodinokibi, and
Netwalker.

EVASION TACTICS

Interestingly, in the case of Blue Mockingbird, Red Canary observed signs of the
adversary using evasion tactics that may throw off Mimikatz detection. In one
incident, we observed the Mimikatz binary being written to disk as mx.exe in the
C:\PerfLogs\ directory. Renaming the Mimikatz binary may thwart rudimentary
signatures looking for the filename mimikatz.exe.

The directory Mimikatz was written into, C:\PerfLogs\, is also of interest—this
directory has been seen in use by other adversaries such as Ryuk. C:\PerfLogs\
is a directory utilized legitimately by Windows Performance Monitor, which by
default requires administrative rights to write to. Generally speaking, an
adversary is already assumed to have elevated privileges if they are using
Mimikatz to its fullest extent. While we don’t presume to have a clear answer on
why adversaries choose that directory for staging, its use presents an
opportunity for detection by monitoring for the execution of suspicious binaries
from unusual directories. Many defenders are familiar with monitoring for
unusual activity coming from C:\Windows\Temp, and based on what we observed from
Blue Mockingbird, C:\PerfLogs\ may be another interesting directory to watch out
for.

While we observed some malicious use of Mimikatz by adversaries, the majority of
detections were the result of some kind of testing—including adversary
simulation frameworks (such as Atomic Red Team) or red teams running tests, as
confirmed by customer feedback. Though Mimikatz offers multiple modules, there
was not much variety in the modules tested. The sekurlsa::logonpasswords module
was the most utilized in 2020, providing extraction of usernames and passwords
for user accounts that have recently been active on the endpoint. In comparison,
we did not observe the latest module released in Q3 2020
lsadump::zerologon—which tests ZeroLogon vulnerability CVE-2020-1472—in any of
our 2020 detections. This finding suggests that testers should consider
expanding the Mimikatz functionality they test for. Using Mimikatz to test
detection coverage for a range of behaviors can help ensure you’re also covered
for other threats that use those same techniques.




DETECTION OPPORTUNITIES


DETECTION OPPORTUNITY 1

Mimikatz module command-line parameters
ATT&CK technique(s): T1003 OS Credential Dumping
ATT&CK tactic(s): Credential Access

Details: To identify execution of Mimikatz, look for processes in which module
names are observed as command-line parameters. While Mimikatz offers several
modules related to credential dumping, the sekurlsa::logonpasswords module is a
boon for detection. To expand detection opportunities, you can detect additional
module names from the Mimikatz repository. While it may not be comprehensive,
this is a great starting point for building a list of command-line parameters to
detect on. Additional modules can be found by keeping an eye on the commit
history of the project or by following the maintainer on Twitter so you can be
notified when new modules appear. As always with anything open source, this
project can be forked and modified to evade this detection opportunity, so it is
important to institute defense-in-depth practices within your organization and
not rely on just one detection opportunity.
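Detection logic for this opportunity, as an added example that is not Red Canary's code: it tokenizes the command line for `module::command` strings and matches them against a starting list of Mimikatz modules (the two named above plus a few other documented ones), so a renamed binary such as mx.exe is still caught while an unrelated `::` token like a C++ namespace is not. The event field names and the sample telemetry are constructed.

```python
import re

# Starting list of Mimikatz module::command tokens. The page notes no list is
# comprehensive and that a forked build can rename modules, so treat this as
# one layer of a defense-in-depth approach, not the only one.
MIMIKATZ_MODULE_COMMANDS = {
    "sekurlsa::logonpasswords", "sekurlsa::pth", "sekurlsa::tickets",
    "lsadump::sam", "lsadump::dcsync", "lsadump::zerologon",
    "kerberos::golden", "kerberos::ptt", "kerberos::list",
    "privilege::debug", "token::elevate",
}

# Any "word::word" token; the known-list intersection below keeps this from
# firing on things like C++ namespaces (std::vector) in build command lines.
MODULE_TOKEN = re.compile(r"\b([a-z]+::[a-z_]+)\b", re.IGNORECASE)

def mimikatz_modules_in(cmdline: str) -> set:
    """Return the known Mimikatz module::command tokens present in a command line."""
    found = {m.group(1).lower() for m in MODULE_TOKEN.finditer(cmdline)}
    return found & MIMIKATZ_MODULE_COMMANDS

def flag_process_events(events):
    """events: iterable of dicts with 'image' and 'cmdline' (assumed schema).
    Returns one hit per event whose command line names a known module."""
    hits = []
    for ev in events:
        mods = mimikatz_modules_in(ev.get("cmdline", ""))
        if mods:
            hits.append({"image": ev["image"], "modules": sorted(mods)})
    return hits

# Constructed sample telemetry: renamed Mimikatz run from C:\PerfLogs\ (as in the
# Blue Mockingbird case above), a benign compiler invocation, a benign PowerShell call.
SAMPLE_EVENTS = [
    {"image": r"C:\PerfLogs\mx.exe",
     "cmdline": r'C:\PerfLogs\mx.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"image": r"C:\Program Files\LLVM\bin\clang.exe",
     "cmdline": r"clang.exe -DNS=std::vector -c main.cpp"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command Get-Process"},
]

if __name__ == "__main__":
    for hit in flag_process_events(SAMPLE_EVENTS):
        print(hit)
```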


DETECTION OPPORTUNITY 2

Kerberos ticket file modifications
ATT&CK technique(s): T1558 Steal or Forge Kerberos Tickets
ATT&CK tactic(s): Credential Access

Details: Another notable feature is Mimikatz’s ability to steal or forge
Kerberos tickets. Kerberos ticket files (.kirbi) are of interest to adversaries
as they can contain sensitive data such as NTLM hashes that can be cracked
offline. To perform these attacks, a unique file extension variable is defined
within Mimikatz that designates the default extension as .kirbi. Building
detection analytics around modification of files with this extension is another
easy win as they can be a telltale sign that an adversary is in the midst of
performing an attack. One such attack, popularly known as “Kerberoasting,”
occurs when Kerberos tickets are extracted from memory and the password of an
account is cracked, allowing the adversary to pivot within the environment via a
newly hijacked account. This type of attack thwarts basic foundational security
practices such as only delegating permissions to user accounts with the
principle of least privilege.

It is important to note that while .kirbi files are utilized by Mimikatz, they
are not exclusive to Mimikatz—multiple other hacking utilities interact with
these files following the Kerberos Credential format as well. In addition to
using .kirbi files as a detection opportunity, incident responders should also
remember to sanitize them as soon as possible, whether their generation was a
function of sanctioned testing or otherwise.
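A finder for ticket files that serves both the detection and the cleanup point above, as an added example that is not Red Canary's code. It flags files by the .kirbi extension, and, as an assumption added here rather than something the page states, also by content: a .kirbi file is a DER-encoded KRB-CRED (RFC 4120, `[APPLICATION 22]`), so it starts with tag byte 0x76, a long-form length, and the outer SEQUENCE byte 0x30, which lets a ticket whose extension was stripped still be spotted. The sample directory tree is constructed.

```python
import os
import tempfile

KRB_CRED_TAG = 0x76          # DER tag for [APPLICATION 22] constructed
DER_SEQUENCE = 0x30

def looks_like_krb_cred(head: bytes) -> bool:
    """True if the first bytes look like a DER KRB-CRED: tag 0x76, long-form length
    (real tickets are well over 127 bytes), then the outer SEQUENCE tag."""
    if len(head) < 3 or head[0] != KRB_CRED_TAG or not (head[1] & 0x80):
        return False
    n = head[1] & 0x7F       # number of length bytes that follow
    return 1 <= n <= 4 and len(head) > 2 + n and head[2 + n] == DER_SEQUENCE

def find_ticket_files(root: str):
    """Walk root; return sorted (path, reason) pairs flagged by extension or by content."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".kirbi"):
                findings.append((path, "extension"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(8)
            if looks_like_krb_cred(head):
                findings.append((path, "krb-cred header"))
    return sorted(findings)

def demo():
    """Constructed sample tree: one .kirbi, one renamed ticket, one benign text file."""
    root = tempfile.mkdtemp()
    ticket_start = b"\x76\x82\x04\x10\x30\x82\x04\x0c" + b"\x00" * 8  # plausible header only
    samples = {
        "ticket.kirbi": ticket_start,
        "notes.txt": ticket_start,                  # same bytes, extension stripped
        "readme.txt": b"plain text, no ticket here",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return [(os.path.basename(p), why) for p, why in find_ticket_files(root)]

if __name__ == "__main__":
    print(demo())
```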


DETECTION OPPORTUNITY 3

Suspicious LSASS injection
ATT&CK technique(s): T1003 OS Credential Dumping
ATT&CK tactic(s): Credential Access

Details: Credential dumping is the name of the game for Mimikatz. To be
successful, Mimikatz must interact with the Local Security Authority Subsystem
Service (LSASS), which provides a great opportunity for detection. Mimikatz
requires specific process access rights to initiate cross process injection via
the Kernel32 OpenProcess function: PROCESS_VM_READ 0x0010 and
PROCESS_QUERY_LIMITED_INFORMATION 0x1000. These permissions, collectively
observed via the bitmask 0x1010, are relatively rare for lsass.exe under normal
conditions.

While identifying processes that are initiating cross process injections may
provide a foundation for detecting Mimikatz, this can be a bit noisy. A good way
to filter things down may be to focus around the loading of other suspect
libraries such as the SAM Library (samlib.dll) and the Credential Vault Client
Library (vaultcli.dll). With this information you can identify instances of
Mimikatz, as well as other credential theft tools, with a higher degree of
confidence.
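The correlation described above, as an added example that is not Red Canary's code: a process is reported only when it opened lsass.exe with a mask covering PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION (0x1010) and also loaded samlib.dll or vaultcli.dll. The dict field names loosely follow Sysmon event 10 (ProcessAccess) and event 7 (ImageLoad) but are an assumed, simplified schema, and the sample events are constructed.

```python
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
LSASS_READ_MASK = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION  # 0x1010
SUSPECT_DLLS = {"samlib.dll", "vaultcli.dll"}

def accessed_lsass_for_read(ev) -> bool:
    """True for a ProcessAccess event targeting lsass.exe whose granted mask covers 0x1010."""
    if ev["event_id"] != 10 or not ev["target_image"].lower().endswith("\\lsass.exe"):
        return False
    granted = int(ev["granted_access"], 16)  # Sysmon reports GrantedAccess as hex text
    return granted & LSASS_READ_MASK == LSASS_READ_MASK

def suspicious_lsass_readers(events):
    """Return {pid: (source image, sorted suspect DLLs)} for processes that both
    opened lsass.exe for reading and loaded a credential library."""
    lsass_openers = {}   # pid -> source image
    dll_loads = {}       # pid -> set of suspect DLL names loaded
    for ev in events:
        pid = ev["process_id"]
        if accessed_lsass_for_read(ev):
            lsass_openers[pid] = ev["source_image"]
        elif ev["event_id"] == 7:
            dll = ev["image_loaded"].rsplit("\\", 1)[-1].lower()
            if dll in SUSPECT_DLLS:
                dll_loads.setdefault(pid, set()).add(dll)
    return {pid: (img, sorted(dll_loads[pid]))
            for pid, img in lsass_openers.items() if pid in dll_loads}

# Constructed sample telemetry: renamed Mimikatz (mx.exe) and a monitoring agent that
# also opens lsass.exe with 0x1010 but never loads samlib.dll or vaultcli.dll, which
# is the noise the second filter is meant to drop.
SAMPLE_EVENTS = [
    {"event_id": 7, "process_id": 4312, "image_loaded": r"C:\Windows\System32\samlib.dll"},
    {"event_id": 7, "process_id": 4312, "image_loaded": r"C:\Windows\System32\vaultcli.dll"},
    {"event_id": 10, "process_id": 4312, "source_image": r"C:\PerfLogs\mx.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 10, "process_id": 980, "source_image": r"C:\Program Files\Agent\agent.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 7, "process_id": 980, "image_loaded": r"C:\Windows\System32\ws2_32.dll"},
]

if __name__ == "__main__":
    print(suspicious_lsass_readers(SAMPLE_EVENTS))
```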

The below detection demonstrates Blue Mockingbird using Mimikatz (renamed as
mx.exe) to perform credential dumping via LSASS injection.

DETECTION STRATEGIST

 

AARON DIDIER

INTELLIGENCE ANALYST


Aaron is an unconventional autodidact who got their start in information
security as a "terminally curious" member of a network operations team at a
small regional WISP, addressing abuse@ emails, digging into netflow, and
responding to VoIP attacks. Prior to joining the flock at Red Canary, Aaron was
a member of the Motorola Solutions SOC, where they contributed to the creation
of a Security Onion-inspired RHEL IDS known as Red Onion. They also spent time
briefly at Baker McKenzie administering CB Response and Protect while mapping to
the ATT&CK Framework. In their off hours, you may catch Aaron digging just about
anywhere, be it in the garden, in a book, in a 10-k report, capture the flag
event, Twitter post, or documentary. Their fascination for the world knows no
bounds and they love sharing everything they've learned with anyone willing to
listen.