I am completing some online labs for a cyber security course. We are meant to do specific tasks.

For this task we have a compromised virtual machine in an activity titled "compromised host".

"The attacker has deployed the 'mimikatz' tool to attempt to capture plaintext passwords." I am not sure what a mimikatz tool is, but upon research online it is used in malicious attacks. We are meant to find the filename of the executable for this mimikatz tool on the disk. I am not sure how we are meant to identify it, especially when it is probably not called mimikatz (I have already tried). We are also meant to find a path to a log file, which contains the details of someone called Alan Jones (I am assuming this could be used as a keyword in a search of files).

The questions we have been asked are:

1) What is the filename of the mimikatz executable on disk?
2) What is the full path of the log file on disk?

How do we find the mimikatz file (commands in PowerShell?) and how do we find the password log?
Question: A compromised virtual machine titled "compromised host". "The attacker deployed the 'mimikatz' tool to attempt to capture plaintext passwords."

Find the filename of the executable for this tool on disk. Also, find the path to a log file, which contains the details of someone called 'Alan Jones'.

Answering the questions below:

1) What is the filename of the mimikatz executable on disk?
2) What is the full path of the log on disk?
Solution:

Any malicious tool/virus has two parts, i.e. one at the attacker's machine and the other at the 'targeted system'. The attacker finds a way to put the executable file on the target system so that it can be exploited.

Windows and REGISTRY EDITOR

After a user logs in, the LSASS [Local Security Authority Subsystem Service] process stores credentials in memory.

Check the key in REGISTRY EDITOR:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
"UseLogonCredential" (DWORD)

If this value is 1, passwords will be stored as "clear-text" in LSASS. Also, an attacker can create a fake/alternate process with a change of a letter in the process name, e.g. Windows Explorer. By default it runs from the system32 folder; if the location is different, then the system is compromised.

There is a module in mimikatz called "sekurlsa"; with admin rights, plaintext passwords are extracted using mimikatz commands and the output is stored as sekurlsa::logonpasswords.

We can use the above keywords and 'Alan Jones' to find the full path of the log on the disk.
Below are the PowerShell commands to find the exact data.

Find the log file which contains the details of someone called "Alan Jones":

PS C:\> Select-String -Path "*.log" -Pattern "Alan Jones"

Find the password.log file on disk:

PS C:\> Select-String -Path "*.log" -Pattern "Pass"

Full path of the log on disk:

PS C:\> Get-EventLog -LogName "Windows PowerShell" -Message "*sekurlsa*"

Finding the Mimikatz file

When Mimikatz is executed, two .exe files start: "Mimikatz.exe" and "sekurlsa.dll".

Use the PowerShell commands:

PS C:\> Get-Process Mimikatz* -Module
PS C:\> Get-Process sekurlsa* -Module

Once the processes are identified, the file location can be known.

Above are the ways in which we can find the location and files on the compromised host.