Question

I am completing some online labs for a cyber security course. We are meant to do specific tasks.

For this task we have a compromised virtual machine in an activity titled "compromised host" .

"The attacker has deployed the ‘mimikatz’ tool to attempt to capture plaintext passwords." I am not sure what a mimikatz tool is, but upon research online it is used in malicious attacks. We are meant to find the filename of the executable for this mimikatz tool on the disk. I am not sure how we are meant to identify it, especially when it is probably not called mimikatz (I have already tried). We are also meant to find a path to a log file, which contains the details to someone called Alan Jones (I am assuming this could be used as a keyword in a search of files).

The questions we have been asked are:
1) What is the filename of the mimikatz executable on disk?
2) What is the full path of the log file on disk?

How do we find the mimikatz file(commands in powershell?) and how do we find the password log?

Answer 1

Question: A Compromised virtual machine titled 'compromised host". "The attacker deployed "mimikatz' tool to attempt capture plaintext passwords".
Finding the filename of the executable for this tool on disk. Also, find a path to a log file, which contains the detaills to someone called 'Alan Jones'.

Answering below questions
1)what is the filename of mimikatz executable on disk?
2) what is full path of log on disk?

Solution:
Any malicious tool/virus has two parts i.e. one at attackers machine and other at 'targeted system'. Attacker find a way to put the executable file on target system so that it can be exploited.

Windows and REGISTRY EDITOR
After user logs in, LSASS[Local Security Authority subsystem service], process in memory to store credentials.
Check the key in REGISTRY EDITOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential”(DWORD)
If this value is 1, passwords will be stored as "clear-text" in LSASS. Also, attacker can create a fake/alternate process with change in letter/process name is Windows explorer.
By default it runs from system32 folder, if location is different than system is compromised.

There is a module in mimikatz "Sekursla", with admin rights, plaintext passwords are extracted using mimikatz commands and output is stored as
sekurlsa::logonpasswords.

We can use above keywords and 'Alan jones' to find full path of log on the disk.

Below are the Powershell commands to find the exact data
Find log file which contains the details to someone "Alan Jones".
PS C:\> Select-String -Path "*.log" -Pattern "Alan Jones"

Find the password.log file on disk
PS C:\> Select-String -Path "*.log" -Pattern "Pass"

Full path of log on disk.
PS C:\> Get-EventLog -LogName "Windows PowerShell" -Message "*Sekursla*"

Finding the Mimikatz file
When 'Mimikatz are executed, two .exe starts   "Mimikatz.exe" & "serkurlsa.dll"
Use Powershell commands
PS C:\> Get-Process Mimikatz* -Module
PS C:\> Get-Process serkurlsa* -Module
Once process are identified, file location can be known.

Above are the ways in which we can find location and files on the compromised host.