CompTIA Security+ Exam Notes

Let Us Help You Pass
Showing posts with label PtH.

Wednesday, October 16, 2024

Mimikatz


Mimikatz is an open-source tool that extracts credential material from Windows hosts: plaintext passwords, NTLM (NT) hashes, and Kerberos tickets.

How it works

Mimikatz reads the memory of the Local Security Authority Subsystem Service (LSASS), the process that caches credentials for every user logged on to the machine. Depending on the host's configuration it recovers plaintext passwords (where WDigest caching is still enabled), NT hashes, and Kerberos tickets, and an attacker can reuse any of these to impersonate those users and reach the systems and data restricted to them. Running it requires local administrator rights (SeDebugPrivilege) on the host, so it normally follows an initial compromise rather than causing one.

Here are some key capabilities of Mimikatz:

  • Credential Dumping: reads passwords, NT hashes, PINs, and Kerberos tickets out of LSASS memory (sekurlsa::logonpasswords).
  • Pass-the-Hash: starts a process whose network logons use a stolen NT hash directly, since NTLM authentication never needs the plaintext password (sekurlsa::pth).
  • Pass-the-Ticket: injects a stolen Kerberos ticket (TGT or service ticket) into a logon session to authenticate to other systems (kerberos::ptt).
  • Golden Ticket: forges a TGT using the krbtgt account's hash, giving domain-admin access that survives password changes on ordinary accounts (kerberos::golden).

How it's delivered

Mimikatz is frequently loaded straight into memory (for example through a PowerShell wrapper such as Invoke-Mimikatz) rather than written to disk, which defeats file-based antivirus signatures. Endpoint detection that watches for processes opening a handle to LSASS memory is the usual counter.

How it's been used

A Mimikatz-derived credential harvester was built into the 2017 NotPetya ransomware worm, which used stolen credentials alongside the EternalBlue SMB exploit to spread between hosts; its damages are widely estimated at around ten billion dollars.

How to protect against it

Organizations protect against Mimikatz by keeping systems patched, enabling Credential Guard or LSA protection (RunAsPPL) so LSASS memory cannot be read, disabling WDigest plaintext caching, keeping privileged accounts out of workstation logon sessions (tiered administration, the Protected Users group), giving every host a unique local administrator password (for example with LAPS), and requiring multi-factor authentication so a recovered password or hash alone is not enough.

Mimikatz was developed in 2007 by French ethical hacker Benjamin Delpy to demonstrate vulnerabilities in Windows authentication systems.

Wednesday, October 9, 2024

Lateral Movement and Pivoting


Lateral movement, pivoting, and privilege escalation describe how an attacker who has a foothold on one system spreads through a network, reaches other systems, and gains higher levels of access. Because the individual actions (logons, file-share access, remote administration) look like routine administration, detecting them often relies on behavioral analysis, including machine learning, to separate suspicious activity from normal user behavior.

Key points:

Lateral movement:

This refers to an attacker moving from one compromised system to another within a network to reach their target data or system, typically by reusing stolen credentials (passwords, NT hashes, Kerberos tickets) or exploiting vulnerabilities on the next host, over ordinary administrative channels such as SMB, RDP, WinRM, or WMI.

Pivoting:

Closely related to lateral movement, pivoting uses an already compromised system as a relay into network segments the attacker cannot reach directly, for example by tunneling traffic through it with a SOCKS proxy or port forward, so that tools run from the attacker's machine appear to originate inside the network. Each new foothold becomes another launchpad, "hopping" deeper into the network.

Privilege escalation:

Once an attacker gains initial access to a system, they may attempt to elevate their privileges, from a standard user to local administrator or SYSTEM and from there toward domain administrator, which unlocks more sensitive actions such as dumping credentials from memory.

Pass the Hash (PtH) is one of the most common techniques behind lateral movement, because NT hashes dumped from one host often authenticate to many others.

Detection challenges:

Normal vs. anomalous behavior:

Lateral movement is built from actions that administrators perform legitimately every day, so telling malicious activity apart from normal use is hard; detection therefore leans on baselining and advanced techniques such as machine learning to surface unusual behavior patterns.

Anomalous logins and privilege use:

Monitoring for suspicious logons (from unusual locations or at unusual hours, one account authenticating to many hosts within a short window, NTLM logons where Kerberos is expected), excessive failed logon attempts, or sudden elevation of privileges (Windows event 4672, special privileges assigned to a new logon) can indicate lateral movement or privilege escalation in progress.

Thursday, April 11, 2024

PtH (Pass the Hash Attack)

Attackers and penetration testers use the pass-the-hash attack to move laterally or pivot to other systems in the network: an NT hash captured on one host is replayed to authenticate to others, without ever logging on interactively with a password.

You do not have to crack the password. In NTLM authentication the NT hash itself is the secret the client uses to answer the server's challenge, so the hash is effectively the password: whoever holds it can authenticate as that user.

One mitigation is to use Group Policy to limit what credential material is cached on endpoints: disable WDigest plaintext caching, reduce the number of cached domain logons, enable LSA protection or Credential Guard so LSASS cannot be read, and deny privileged accounts the right to log on to ordinary workstations so their hashes never land there.

The other is to stop hash reuse across systems. NT hashes are unsalted, so the same local administrator password produces the identical hash on every machine and a single dump compromises all of them. Windows offers no salting option for NTLM, so the practical equivalent is a unique local administrator password per host (for example with LAPS), combined with blocking network logons for local accounts; a hash stolen from one machine is then useless on the next.