Question

In: Computer Science


I am completing some online labs for a cyber security course. We are meant to do specific tasks.

For this task we have a compromised virtual machine in an activity titled "compromised host".

"The attacker has deployed the ‘mimikatz’ tool to attempt to capture plaintext passwords." I am not sure what a mimikatz tool is, but upon research online it is used in malicious attacks. We are meant to find the filename of the executable for this mimikatz tool on the disk. I am not sure how we are meant to identify it, especially when it is probably not called mimikatz (I have already tried). We are also meant to find a path to a log file, which contains the details to someone called Alan Jones (I am assuming this could be used as a keyword in a search of files).

The questions we have been asked are:
1) What is the filename of the mimikatz executable on disk?
2) What is the full path of the log file on disk?

How do we find the mimikatz file (commands in PowerShell?) and how do we find the password log?

Solutions

Expert Solution

Question: A compromised virtual machine titled "compromised host". "The attacker deployed the 'mimikatz' tool to attempt to capture plaintext passwords."
Find the filename of the executable for this tool on disk. Also, find the path to a log file which contains the details of someone called 'Alan Jones'.

Answering the questions below:
1) What is the filename of the mimikatz executable on disk?
2) What is the full path of the log on disk?

Solution:
Any malicious tool/virus has two parts, i.e. one on the attacker's machine and the other on the 'targeted system'. The attacker finds a way to put the executable file on the target system so that it can be exploited.

Windows and REGISTRY EDITOR
After the user logs in, LSASS [Local Security Authority Subsystem Service] is the process that stores credentials in memory.
Check the key in REGISTRY EDITOR:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "UseLogonCredential" (DWORD)
If this value is 1, passwords will be stored as "clear-text" in LSASS. Also, the attacker can create a fake/alternate process with a change of a letter in the process name, e.g. of Windows Explorer.
By default it runs from the system32 folder; if the location is different, the system is compromised.


There is a module in mimikatz, "sekurlsa"; with admin rights, plaintext passwords are extracted using mimikatz commands and the output is stored as
sekurlsa::logonpasswords.

We can use the above keywords and 'Alan Jones' to find the full path of the log on the disk.

Below are the PowerShell commands to find the exact data.
Find the log file which contains the details of someone called "Alan Jones":
PS C:\> Select-String -Path "*.log" -Pattern "Alan Jones"

Find the password.log file on disk:
PS C:\> Select-String -Path "*.log" -Pattern "Pass"

Full path of the log on disk:
PS C:\> Get-EventLog -LogName "Windows PowerShell" -Message "*sekurlsa*"

Finding the mimikatz file
When mimikatz is executed, two files start: "Mimikatz.exe" & "sekurlsa.dll".
Use the PowerShell commands:
PS C:\> Get-Process Mimikatz* -Module
PS C:\> Get-Process sekurlsa* -Module

Once the processes are identified, the file location can be known.

Above are the ways in which we can find location and files on the compromised host.
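The following PowerShell script is an added example and is not part of the original answer. It covers both tasks from a forensic angle: a recursive content search for the log file (the asker's keyword "Alan Jones", plus the "sekurlsa::logonpasswords" string mentioned above, since mimikatz output typically contains its own command names), and a content-based search for the executable, so that a renamed binary is still found. The root path C:\, the size limit and the marker strings are assumptions made for this example; the markers are heuristics, not a signature database, and every hit should be confirmed by hash and signature review.

```powershell
# Added example, not the original answer's code. Assumes Windows PowerShell 5.1 or later
# and a lab VM where reading every executable under the root is acceptable.
$Root = 'C:\'   # assumption: the compromised disk is mounted as C:\

# Task 2: find the log by its content rather than its name, searching the whole tree.
# Patterns: the keyword from the question and the mimikatz command name quoted above.
function Find-LogByContent {
    param(
        [string]$Path = $Root,
        [string[]]$Patterns = @('Alan Jones', 'sekurlsa::logonpasswords')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.log, *.txt -ErrorAction SilentlyContinue |
        Select-String -Pattern $Patterns -List -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Path -Unique
}

# Task 1: find the mimikatz binary by strings it embeds, not by its file name.
# The module name "sekurlsa" and the project name are searched both as ASCII and as
# UTF-16LE (each character followed by a NUL byte), which is how Windows binaries
# usually store their strings. Marker list is a constructed assumption for this example.
function Find-SuspectExecutable {
    param(
        [string]$Path = $Root,
        [string[]]$Markers = @('sekurlsa', 'mimikatz', 'gentilkiwi'),
        [long]$MaxBytes = 50MB
    )
    $patterns = foreach ($m in $Markers) {
        [regex]::Escape($m)                                        # ASCII form
        ($m.ToCharArray() | ForEach-Object {                       # UTF-16LE form
            [regex]::Escape([string]$_) + '\x00'
        }) -join ''
    }
    $regex = [regex]::new(($patterns -join '|'), 'IgnoreCase')
    # ISO-8859-1 maps every byte to exactly one char, so NUL bytes survive decoding.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt $MaxBytes } |
        ForEach-Object {
            try {
                $text = $latin1.GetString([System.IO.File]::ReadAllBytes($_.FullName))
                $hit = $regex.Match($text)
                if ($hit.Success) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Marker    = ($hit.Value -replace "`0", '')
                        SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                        Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                        Modified  = $_.LastWriteTimeUtc
                    }
                }
            } catch {
                # unreadable or locked file: skip and continue the sweep
            }
        }
}

# Usage: the first call answers the log-path question, the second lists candidate
# binaries with hash and signature status so the filename can be read from Path.
Find-LogByContent
Find-SuspectExecutable | Format-Table -AutoSize
```

Searching by embedded strings is what makes this robust to the renaming the asker ran into: an executable is reported because of what it contains, and the hash and Authenticode status in the output give the evidence a lab write-up needs. On a real host, expect a few legitimate hits (security products also carry these strings for detection), so the Signature and Path columns are there to separate those from an unsigned binary dropped in an unusual directory.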

