Choose Your Own Red Team Adventure: Mimikatz
This is a continuation of a Choose Your Own Red Team Adventure series. If you don’t know how you got here, start at the beginning. Otherwise, continue reading …
Congrats! It’s a Windows 7 host, so credentials are in memory in the LSASS process by default. You now have two plaintext passwords: one for Bob, the current user your payload is running under, and one for another account, Eve. You quickly check Active Directory — Eve’s account is a Domain Admin! W00t!
With Domain Admin credentials in your possession, the world is your oyster! So, you attempt to move laterally to another host using Eve’s Domain Admin password.
Access Denied.
What?
Try again.
Access Denied.
Try again!
You try Bob’s account, but it’s not an admin, so it does not have rights to perform the lateral movement.
The target organization does not have any single-factor, externally facing services. You need to prompt Bob for his two-factor authentication one-time passcode. So, you go to work building a user interface to prompt for it.
Thirty minutes later, you notice your shell stopped responding.
Hmmm.
You try resending your phish to other victims, but your pixel trackers (you do use pixel trackers, don’t you??) suggest the emails are not even landing in any inboxes. Your mail service says the messages were delivered, though.
You try to send more phishes with a different domain from the same VPS (virtual private server), but you don’t switch IP addresses. Same result. Days go by.
You’re out of time.
GAME OVER.
Post-analysis
Running Mimikatz tripped a silent alarm, which only took 7 minutes to get SOC attention. That’s an exceptional escalation window!
Eve’s DA password was a simple fake. The security team deployed a homegrown process (invoke-honeyaccount) to inject a fake password into LSASS on random endpoint devices. Then they set Eve’s account to generate high-priority SOC alerts any time it is used to log in. It’s a super high-fidelity indicator of compromise (IOC).
By 9 minutes in, the SOC correlated the attempted DA logins on the second host with the Mimikatz detection — they’ve practiced this and it’s really that fast. The SOC started watching your subsequent failed attempts (you tried 8 times!) before you gave up. They also saw the authentication attempts on the second workstation with Bob’s account, which further confirmed patient zero.
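The alert-and-correlate logic the SOC is described as running, as an added example that is not part of the original post or of invoke-honeyaccount. It assumes a constructed, simplified log format (time, event id, key=value pairs) rather than real Windows event XML, and uses the synthetic id LSASS_ACCESS to stand in for an EDR credential-dumping alert.

```python
"""Honey-account alerting plus correlation back to the credential-dumping host.
Input is a constructed log: "<ISO time> <event_id> key=value ...". 4624/4625 are the
Windows Security ids for successful/failed logon; LSASS_ACCESS is a synthetic EDR alert."""
from datetime import datetime, timedelta

HONEY_ACCOUNTS = {"eve"}        # seeded into LSASS by defenders; never logs on legitimately
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample: one LSASS access on WS-BOB, eight failed DA logons to FS01 from
# WS-BOB with the honey account, one failed logon as bob, one benign logon as alice.
SAMPLE_LOG = "\n".join(
    ["2024-05-01T09:00:00 LSASS_ACCESS host=WS-BOB process=payload.exe"]
    + [f"2024-05-01T09:0{i}:00 4625 host=FS01 user=eve src=WS-BOB" for i in range(1, 9)]
    + ["2024-05-01T09:09:30 4625 host=FS01 user=bob src=WS-BOB",
       "2024-05-01T09:09:45 4624 host=FS01 user=alice src=WS-ALICE"])

def parse(text):
    """Turn each record into a dict with a datetime 'ts', a string 'event_id' and its fields."""
    events = []
    for line in text.splitlines():
        ts, event_id, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields.update(ts=datetime.fromisoformat(ts), event_id=event_id)
        events.append(fields)
    return events

def honey_hits(events):
    """Any logon naming a honey account is an alert: nobody uses it legitimately, so
    success or failure is irrelevant and there is no baseline to tune against."""
    return [e for e in events
            if e["event_id"] in {"4624", "4625"} and e.get("user", "").lower() in HONEY_ACCOUNTS]

def correlate(events):
    """Tie honey hits to a host that accessed LSASS shortly before (patient zero), then
    collect the other accounts that host tried, which further confirms the source."""
    dumps = [e for e in events if e["event_id"] == "LSASS_ACCESS"]
    report = {"patient_zero": None, "honey_attempts": 0, "targets": set(), "other_accounts": set()}
    for hit in honey_hits(events):
        report["honey_attempts"] += 1
        report["targets"].add(hit["host"])
        for d in dumps:
            if d["host"] == hit["src"] and timedelta(0) <= hit["ts"] - d["ts"] <= CORRELATION_WINDOW:
                report["patient_zero"] = d["host"]
    if report["patient_zero"]:
        report["other_accounts"] = {e["user"] for e in events
                                    if e["event_id"] == "4625" and e.get("src") == report["patient_zero"]
                                    and e["user"].lower() not in HONEY_ACCOUNTS}
    return report
```

On the sample above the report names WS-BOB as patient zero, counts the 8 honey-account attempts against FS01, and surfaces bob as the other account tried from that host.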
By 30 minutes in, the SOC pulled all traffic sources/destinations from the first host where you landed and identified the domain that hosted your phish. They blacklisted the domain and IP address at the network edge (SMTP gateway and web proxy). Then they filed an abuse request with the provider.
They also created a signature for the payload in your lure using YARA rules, which is why all your future attempts on new infrastructure were futile. Initial execution is a struggle. That technique took you weeks to develop and work the edge case kinks out. Now it’s gone.
This is what it’s like to go against a good defender. You’ve got to bring your A game, Leroy Jenkins.