Severity: high

Mimikatz MemSSP Log File Detection

Detects the creation of 'mimilsa.log', the default log file created by the Mimikatz MemSSP module after injecting a malicious Security Support Provider into LSASS, potentially exposing credentials from subsequent logons on the host.

The Mimikatz MemSSP module allows an attacker to inject a malicious Security Support Provider (SSP) into the Local Security Authority Subsystem Service (LSASS) process. Once injected, the SSP records the credentials presented in every subsequent logon to a file named mimilsa.log, which is created by default in the C:\Windows\System32\ directory. Because the log is written by lsass.exe itself, its creation is a strong indicator of credential access: the attacker is harvesting plaintext credentials for lateral movement or privilege escalation. Creation of this file is a critical event and should be investigated immediately to determine the extent of the compromise, since every logon that follows the injection adds further credentials to the log.

Attack Chain

  1. An attacker gains initial access to a Windows system via phishing, exploiting a vulnerability, or other means.
  2. The attacker executes Mimikatz or Invoke-Mimikatz on the compromised system.
  3. The attacker uses the misc::memssp command within Mimikatz to inject a malicious Security Support Provider (SSP) into the LSASS process.
  4. The injected SSP hooks into the LSASS process to intercept authentication events.
  5. When a user logs on to the system after the SSP is injected, their credentials are captured by the malicious SSP.
  6. The captured credentials are written to the mimilsa.log file, typically in the C:\Windows\System32\ directory.
  7. The attacker retrieves the mimilsa.log file to extract the captured credentials.
  8. The attacker uses the stolen credentials for lateral movement, privilege escalation, or other malicious activities.

Impact

A successful Mimikatz MemSSP attack can lead to the compromise of user accounts, including those with elevated privileges. This allows the attacker to move laterally within the network, access sensitive data, and potentially gain control of critical systems. The impact can range from data theft and service disruption to complete system compromise. The exposure is directly correlated to the number of successful authentications after the malicious SSP injection.

Recommendation

  • Deploy the “Mimikatz Memssp Log File Detected” Sigma rule to your SIEM to detect the creation of mimilsa.log.
  • Monitor for file creation events where the file.name is mimilsa.log and the process.name is lsass.exe.
  • Investigate any alerts generated by the Sigma rule to determine the scope of the compromise.
  • Enable Sysmon file creation logging (Event ID 11) to capture file creation events, which are required for the provided Sigma rules.
  • Review Windows Security authentication logs for unusual logon activity following the creation of mimilsa.log.
  • Enforce the principle of least privilege to limit the impact of compromised accounts.

Detection coverage (2 rules)

Mimikatz Memssp Log File Creation

high

Detects the creation of the default Mimikatz MemSSP log file (mimilsa.log) by lsass.exe.

Rule type: Sigma | Tactics: credential_access | Techniques: T1003.001 | Sources: file_event, windows

Mimikatz Memssp Log File in Suspicious Directory

medium

Detects the creation of the default Mimikatz MemSSP log file (mimilsa.log) by lsass.exe in a non-standard directory.

Rule type: Sigma | Tactics: credential_access | Techniques: T1003.001 | Sources: file_event, windows
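The two rules above reduce to one file-creation check with a severity split on the target directory. The following is an added example, not the platform's own rule logic: it applies that check to constructed records shaped like Sysmon Event ID 11 (FileCreate) fields, rating mimilsa.log written by lsass.exe into C:\Windows\System32 as high and the same file written anywhere else as medium. Field names (EventID, Image, TargetFilename) follow Sysmon's schema; the sample events are constructed for this example.

```python
"""Triage Sysmon Event ID 11 records for the Mimikatz MemSSP log file.

Added example (not the platform's rule code): implements the logic of the
two Sigma rules described on this page over constructed sample events.
"""
from pathlib import PureWindowsPath

MEMSSP_LOG = "mimilsa.log"                          # default MemSSP log name
DEFAULT_DIR = PureWindowsPath(r"C:\Windows\System32")  # where Mimikatz writes it
LSASS = "lsass.exe"                                 # the only legitimate writer

# Constructed sample events (Sysmon Event ID 11 FileCreate shape).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\lsass.exe",
     "TargetFilename": r"C:\Windows\System32\mimilsa.log"},     # rule 1: high
    {"EventID": 11, "Image": r"C:\Windows\System32\lsass.exe",
     "TargetFilename": r"C:\Users\Public\mimilsa.log"},         # rule 2: medium
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Windows\System32\mimilsa.log"},     # not lsass: ignore
    {"EventID": 11, "Image": r"C:\Windows\System32\lsass.exe",
     "TargetFilename": r"C:\Windows\System32\config\SAM.LOG"},  # normal lsass file
    {"EventID": 1, "Image": r"C:\Windows\System32\lsass.exe",
     "TargetFilename": r"C:\Windows\System32\mimilsa.log"},     # wrong event type
]


def classify(event):
    """Return 'high', 'medium' or None for one Sysmon event dict."""
    if event.get("EventID") != 11:
        return None
    image = PureWindowsPath(event.get("Image", ""))
    target = PureWindowsPath(event.get("TargetFilename", ""))
    # Windows file names are case-insensitive, so compare lowercased names.
    if image.name.lower() != LSASS or target.name.lower() != MEMSSP_LOG:
        return None
    # PureWindowsPath equality is case-insensitive, matching NTFS semantics.
    if target.parent == DEFAULT_DIR:
        return "high"      # default location: Mimikatz Memssp Log File Creation
    return "medium"        # non-standard directory variant of the same rule


def triage(events):
    """Return (severity, path) for every event that matches either rule."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity is not None:
            hits.append((severity, event["TargetFilename"]))
    return hits


if __name__ == "__main__":
    for severity, path in triage(SAMPLE_EVENTS):
        print(f"{severity}: lsass.exe created {path}")
```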


Indicators of compromise (1)

Type: file
Value: mimilsa.log