Catching Mimikatz’ behavior with anomaly detection

Max Heinemeyer, Director of Threat Hunting | Friday February 15, 2019

Originally created by famed French programmer Benjamin Delpy to highlight security flaws in Windows authentication mechanisms, today Mimikatz is a staple post-exploitation module in the arsenal of cyber-criminals, since it facilitates lateral movement across a victim’s network. Mimikatz was a primary feature of the global ransomware attacks NotPetya and BadRabbit, in addition to the alleged Russian hacking of the German parliament in 2015 and 2017.

Among the primary vulnerabilities that Mimikatz exploits is Windows’ Local Security Authority Subsystem Service (LSASS), which is designed to obviate the need for users to reauthenticate every time they seek to access internal resources. Despite its clear utility, LSASS works by keeping a cache of every credential used since the last boot, presenting an obvious security risk in the event the cache is compromised. Broadly speaking, Mimikatz plunders this resource and allows users to access cleartext passwords as well as NTLM hashes. With this data in hand, threat actors are able to conduct the following attacks:

  • Kerberos Golden Ticket: Provides administrative credentials for the whole domain.
  • Pass-the-Ticket: Enables a user to pass a Kerberos ticket to a second device and login using this ticket.
  • Kerberos Silver Ticket: Provides a TGS ticket to log into any network service.
  • Pass-the-Hash: Allows a user to pass a hash string in order to login.

Dumping LSASS memory is just one method that Mimikatz and its many updated versions employ to harvest credentials. Indeed, once malware such as NotPetya has established itself on single device, the Mimikatz module can exploit a variety of security flaws to obtain the password information for any other users or computers that have logged onto that machine: a key step for both lateral movement and privilege escalation. Like many successful hacker tools, Mimikatz has inspired the creation of other programs with similar aims, which are largely intended to circumvent antivirus controls.

Using AI to end the cat-and-mouse game

At the most basic level, security teams can reduce vulnerability to Mimikatz and to lateral movement more generally by ensuring that each user has the minimum amount of privileges needed for his or her role. But while this measure is certainly prudent, it will not always be effective — especially when dealing with sophisticated threats. Another strategy is to implement endpoint security tools and anti-virus software, which rely on rules and signatures to detect known Mimikatz variants. However, as Mimikatz and its copycats continue to evolve, these traditional tools are locked in a ceaseless cat-and-mouse game, unable to spot unknown variants of Mimikatz that are designed to circumvent them.

As a fundamentally different approach to security, artificially intelligent systems like Darktrace avoid this cat-and-mouse game by learning what constitutes normal behavior for the users and devices they safeguard while “on the job,” rather than using fixed rules and signatures. This approach alerts defenders to any anomalous activity, regardless of whether such activity constitutes a known or unknown threat. Typically, lateral movement involving Mimikatz will involve a spike in unusual SMB activity, as attackers seek to write the tool to target devices. The following recent attack on a Darktrace customer highlights how AI can allow security teams to quickly detect and respond to such lateral movement involving Mimikatz:

  1. Darktrace alerts to a non-domain joined Linux device appearing on the customer’s network and engaging in extensive SMB bruteforce activity against key servers.

    Figure 1: Darktrace detects the spike in SMB activity.

  2. Darktrace flags the device successfully logging into a server using administrative credentials via SMBv1, opening the \sect pipe and writing the suspicious and likely malicious file Syssvc.exe to the server’s \temp folder. Immediately after this, Darktrace alerts to the device writing mimikatz.exe to the same folder.

    Figure 2: Darktrace flags the device using Mimikatz.

  3. Following this step, multiple .tmp and .txt files appear on the target device, indicating that Mimikatz was proceeding to access passwords and hashes.

The novelty of this AI-powered approach is that it does not rely on a string search for the term “mimikatz.exe”; rather, it highlights the unusual behavior that commonly surrounds Mimikatz’ activity. As shown in the screenshot above, this behavior constitutes “New activity”: Darktrace has not seen this type of SMB activity between the source and the destination before. Moreover, SMBv1 is used — highly unusual for the environment. And finally, it is unusual for devices in the target environment to make SMB network drive writes to Temp folders. All these subtle deviations from the customer’s ‘pattern of life,’ taken together, caused Darktrace to alert on the Mimikatz behavior.

Since its introduction to the cyber-threat landscape, Mimikatz has become a highly effective means for cyber-attackers to move laterally inside corporate and government networks. But by empowering security teams to respond before attackers can plunder a network’s entire cache of passwords, AI cyber defenses are thwarting Mimikatz and its copycats alike.

AI reveals 2018’s biggest cyber-threats: Part two — to err is human

Max Heinemeyer, Director of Threat Hunting | Friday February 8, 2019

For security professionals around the world, it is hardly a secret that cyber-attacks are becoming ever more difficult to detect — incorporating stealthier tactics and even automated elements to breach the network perimeter. Yet despite the increasing sophistication of these threats, the greatest security risk confronting today’s businesses, governments, and nonprofits continues to be their own employees.

Such credentialed network users present a relatively easy avenue into the digital estate for cyber-criminals who manage to deceive them. From banking trojans that are spread using social engineering to cryptocurrency mining carried out by disgruntled workers, the past year witnessed a significant upswing in threats that either exploited the fallibility of employees or which were authored by employees themselves.

By monitoring and analyzing raw traffic from all our clients’ users, internet-connected devices, and cloud deployments, we saw a number of trends emerge in 2018. As the second installment of a two-part series, this article will review specifically those attack trends that involve trickery, subtlety, and the art of deception. Because, as organizations deploy the latest technologies and tools to improve their cyber defenses, the weakest link in our network security is not a machine — it is human.

Banking trojan attacks increased by 239%

Named after the legendary act of Grecian subterfuge, today a trojan horse refers to a malicious computer program that misleads its user of its actual purpose, taking advantage of the fundamental weakness of human error inherent to any security posture. Over the last 12 months, the incidence of banking trojans in particular — which harvest the credentials of online banking customers from infected machines — has increased by a staggering 239% across our customer base.

This dramatic increase may be a consequence of the declining popularity of ransomware for monetary gain: it seems that banking trojans are, at least at present, a more profitable tool for cyber-criminals. Unlike ransomware, banking trojans do not rely on a victim’s conscious willingness to pay; rather, they use deception to perform transactions without the victim’s knowledge. And as the number of ransomware incidents declined in 2018, it seems that subtler attacks have become the weapons of choice for cyber-crime.

The proliferation of banking trojans has been accompanied by a growing sophistication in the malware itself, with many banking trojans having expanded beyond their original target of online banking access. Indeed, advanced trojans like Emotet now deliver other forms of malware as payloads, after using fraudulent emails, online advertisements, and other forms of social engineering to breach the perimeter.

Cryptocurrency-related incidents up 78%

Figure 1: Cryptocurrency values declined precipitously in 2018 after rapid growth.

Alongside the increase in banking trojans, Darktrace detected 78% growth in the frequency of another under-the-radar threat: crypto-jacking. Defined as the secret usage of computing power to mine cryptocurrency, crypto-jacking operates by the opposite logic of ransomware, acting as a parasite on an organization’s computing systems or injecting hidden code into an organization’s web pages. Whereas ransomware attackers demand payment immediately, cryptocurrency miners seek to go unnoticed for as long as possible.

Deceptive threats like banking trojans and crypto-jacking are particularly elusive when they originate from insiders. In one Fortune 500 e-commerce company this year, Darktrace discovered a privileged access user — a disgruntled systems administrator — hijacking power sources from the company’s infrastructure for his own monetary gain. The employee co-opted other users’ credentials and service accounts to stealthily take over multiple machines for the purpose of crypto-mining.

At the same time, the growth rate of cryptocurrency-related threats is less than in the previous year, likely as a result of the dramatic fall in the value of most cryptocurrencies (see Figure 1). But with many experts anticipating these values to bounce back, we expect crypto-jacking to become far more common in the years to come. The cyber-criminal ecosystem still responds to macroeconomic factors, and as payment systems continue to evolve, so too will attackers’ revenue streams.

The weakest link: still people

The rapid escalation of deceptive and subtle threats — from banking trojans that gain access with social engineering to crypto-jacking carried out by insiders to targeted spear phishing emails — is the product of a fundamental flaw with the traditional approach to cyber defense, which entails securing the perimeter against known threats. Indeed, once an employee, maliciously or inadvertently, compromises the network from the inside, protecting the perimeter does little good. And as we look ahead to 2019, a year likely to be even more dominated by deceptive attacks and internal threats, organizations must seek to better understand their own networks to recognize whenever something is, ever so slightly, amiss.

Blog Archive

Friday February 15, 2019
Friday February 8, 2019
Monday February 4, 2019
Monday January 28, 2019
Thursday January 10, 2019
Monday December 3, 2018
Thursday November 22, 2018
Thursday October 25, 2018
Thursday October 4, 2018
Monday August 20, 2018
Monday July 16, 2018
Friday June 22, 2018
Wednesday May 9, 2018
Monday April 16, 2018
Wednesday March 7, 2018
Tuesday February 13, 2018
Friday February 2, 2018
Monday January 22, 2018
Friday December 8, 2017
Monday November 27, 2017
Monday October 30, 2017
Wednesday October 25, 2017
Thursday October 12, 2017
Monday October 2, 2017
Monday September 18, 2017
Monday July 31, 2017
Thursday June 29, 2017
Wednesday June 21, 2017
Wednesday May 17, 2017
Monday May 8, 2017
Wednesday April 5, 2017
Monday March 6, 2017
Monday February 13, 2017
Monday January 30, 2017
Monday January 9, 2017
Friday December 16, 2016
Monday December 5, 2016
Friday November 18, 2016
Friday November 4, 2016
Monday October 24, 2016

About the authors

Justin Fier

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. Justin is one of the US’s leading cyber intelligence experts, and his insights have been widely reported in leading media outlets, including Wall Street Journal, CNN, the Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Dave Palmer

Dave Palmer is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over ten years of experience at the forefront of government intelligence operations, Palmer has worked across UK intelligence agencies GCHQ & MI5, where he delivered mission-critical infrastructure services, including the replacement and security of entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.

Andrew Tsonchev

Andrew advises Darktrace’s strategic Fortune 500 customers on advanced threat detection, machine learning and autonomous response. He has a technical background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. He was most recently featured on BBC World, BBC Morning and Al Jazeera to comment on the news regarding the GRU.

Max Heinemeyer

Max is a cyber security expert with over eight years’ experience in the field specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. He was a member of the German Chaos Computer Club, working as a white hat hacker in penetration testing and red teaming engagements. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.