Mimikatz — CraftedSignal Threat Feed

Mimikatz MemSSP Log File Detection

hello@craftedsignal.io — Wed, 03 Jan 2024 17:00:00 +0000

This detection identifies the creation of the mimilsa.log file, a default log generated by the Mimikatz misc::memssp module. The misc::memssp module injects a malicious Security Support Provider (SSP) into the Local Security Authority Subsystem Service (LSASS) process. This injected SSP logs credentials from subsequent logons to the compromised host, allowing attackers to capture sensitive information. The creation of this log file is a strong indicator of credential access attempts and the potential compromise of user accounts and system security. This rule is designed for data generated by Elastic Defend and also supports data from CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel.

Attack Chain

An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
The attacker executes Mimikatz or a similar tool with the misc::memssp module.
Mimikatz injects a malicious SSP library (e.g., mimilib.dll) into the LSASS process (lsass.exe).
The injected SSP hooks into the authentication process.
When users log on to the system, the SSP captures their credentials.
The captured credentials are written to the mimilsa.log file, typically located in C:\Windows\System32\.
The attacker retrieves the mimilsa.log file to obtain the captured credentials.
The attacker uses the stolen credentials to escalate privileges, move laterally within the network, and access sensitive resources.

Impact

A successful Mimikatz MemSSP attack can lead to the compromise of user accounts, including those with administrative privileges. This allows attackers to gain unauthorized access to sensitive data, systems, and resources within the organization. Lateral movement becomes easier, potentially impacting a large number of systems. The compromised credentials can also be used for external attacks, such as gaining access to cloud services or other external resources.

Recommendation

Deploy the Sigma rule Mimikatz Memssp Log File Detected to your SIEM and tune for your environment.
Enable Sysmon file creation logging to detect the creation of mimilsa.log files.
Investigate any alerts generated by the Sigma rule, focusing on the process that created the log file and any subsequent file access.
Monitor for the presence of mimilib.dll and any LSA Security Packages registry modifications, as these may indicate persistent SSP installation.
Review and restrict interactive logons to high-value hosts to minimize the potential for credential theft.
Investigate related alerts for the same host.id in the last 48 hours covering delivery, privilege escalation, LSASS access, persistence, lateral movement, or additional credential access.

Detects Kirbi File Creation

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

The creation of .kirbi files on Windows systems is a strong indicator of potential Kerberos ticket theft. These files are Kerberos ticket artifacts often associated with credential dumping and Pass-The-Ticket (PTT) attacks. Tools like Mimikatz and Rubeus are commonly used to export or dump Kerberos tickets, which are then saved as .kirbi files. Defenders should monitor the creation of these files, especially in unusual locations, and investigate the associated processes to determine if malicious activity is occurring. The rule provided is designed to detect these events across multiple data sources, providing a comprehensive approach to identifying this threat.

Attack Chain

An attacker gains initial access to a Windows system through various means, such as phishing or exploiting a vulnerability.
The attacker executes a Kerberos ticket dumping tool, such as Mimikatz or Rubeus.
The tool extracts Kerberos tickets from memory.
The extracted tickets are saved to a .kirbi file on the filesystem. This file is often created in a temporary or easily accessible location.
The attacker may rename or move the .kirbi file to evade detection or prepare it for later use.
The attacker uses the stolen Kerberos ticket to authenticate to other systems on the network (Pass-The-Ticket).
The attacker gains unauthorized access to sensitive resources or data.

Impact

A successful Kerberos ticket theft can lead to significant damage, including unauthorized access to sensitive data, lateral movement across the network, and privilege escalation. Depending on the compromised account, an attacker can potentially gain control of critical systems and data. If a domain administrator account is compromised, the entire domain could be at risk.

Recommendation

Deploy the Sigma rule Kirbi File Creation to your SIEM to detect the creation of .kirbi files.
Enable Sysmon FileCreate events (Event ID 11) to provide the necessary data for the Kirbi File Creation rule to function effectively.
Investigate any alerts generated by the Kirbi File Creation rule, focusing on the process that created the file, the location of the file, and any follow-on activity.
Consider blocking the execution of known Kerberos ticket dumping tools, such as Mimikatz and Rubeus.

Potential Invoke-Mimikatz PowerShell Script

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

This detection identifies PowerShell scripts containing Invoke-Mimikatz or Mimikatz commands, which are commonly used to extract sensitive information such as credentials, password stores, and certificates. The detection focuses on in-memory credential access, requiring thorough investigation and reconstruction of script context to assess the impact. The rule is designed to detect potential credential access attempts by identifying specific keywords and command patterns associated with Mimikatz usage within PowerShell script blocks. Defenders should prioritize investigations triggered by this rule due to the potential for significant compromise. The Elastic detection rule was last updated on 2026/04/24.

Attack Chain

An attacker gains initial access to the target system, potentially through phishing or exploiting a vulnerability.
The attacker executes a PowerShell script, either directly or through a payload.
The PowerShell script contains obfuscated or encoded Mimikatz commands.
The script leverages techniques to bypass AMSI (Anti-Malware Scan Interface) to avoid detection.
The script utilizes Invoke-Mimikatz or direct Mimikatz commands to dump credentials from memory (LSASS process).
The attacker extracts password hashes, plaintext passwords, and Kerberos tickets.
The attacker uses the stolen credentials to move laterally within the network.
The final objective is to gain access to sensitive data or critical systems, leading to data exfiltration or further compromise.

Impact

Successful exploitation can result in the compromise of user accounts, including privileged accounts. This can lead to lateral movement within the network, access to sensitive data, and potential data exfiltration. Credential dumping via Mimikatz is a common technique used in many attacks, often leading to widespread damage and significant financial loss. The rule’s high risk score of 99 reflects the severe potential impact of this activity.

Recommendation

Enable PowerShell Script Block Logging to capture the necessary events (4104) for this detection, as specified in the setup instructions.
Deploy the Sigma rule below to your SIEM and tune it for your environment to detect potential Mimikatz usage within PowerShell scripts.
Investigate any alerts generated by this rule by reconstructing the full PowerShell script block using powershell.file.script_block_id, powershell.sequence, and powershell.total as described in the rule’s notes.
Monitor for file creation events following the detection to identify potential credential dumps, archives, or exported certificates as highlighted in the rule’s notes.