Mimikatz provides attackers several different ways to store credentials from memory and extract them from Active Directory. One of the more interesting tools provided is the MemSSP command, which will register a Security Support Provider (SSP) on a Windows host. Once registered, this SSP will log all passwords in clear text for any users who log on locally to that system. In this post, we will explore this attack and how it can be used by attackers to elevate their privileges.
This attack can be performed against a Windows member server or domain controller. Let’s look at some of the reasons an attacker may want to register a malicious SSP on a computer:
In any of these scenarios this attack can be very effective.
Performing this attack is very simple. For this post, let’s focus on the attacks that target a domain controller. Let’s assume we have compromised a Domain Admin account and wish to inject a malicious SSP into memory. All we need to do is issue the misc::memssp command within Mimikatz.
Now the SSP is injected into memory. If the DC is rebooted, it will be lost and have to be injected again. This can be solved by registering a DLL as an SSP that is provided with Mimikatz.
Once the SSP is registered, all users who log on to the DC, and all local services will log their passwords to the c:WindowsSystem32mimilsa.log file.
That file will contain the clear text passwords for all users who have logged on and service accounts running on the system.
This can be a difficult attack to detect. Looking for the existence of the mimilsa.log file would be a good check to run on DCs to see if any compromise has already taken place.
The following PowerShell will connect to every domain controller in the current domain and check for the existence of the mimilsa.log file. Hopefully, this comes back empty.
The best prevention is to limit and monitor all Domain Admin members to prevent those accounts from compromise by an attacker.
How Attackers Are Stealing Your Credentials with Mimikatz:
Jeff Warren is Stealthbits’ General Manager of Products. Jeff has held multiple roles within the Technical Product Management group since joining the organization in 2010, initially building Stealthbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining Stealthbits – now part of Netwrix, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering Stealthbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.
Learn why Active Directory security should be a priority for your organization and ways to mitigate against a data breach with this free white paper!
Read more© 2022 Stealthbits Technologies, Inc.
Thanks for sharing this informative post. I haven’t heard about this attacks before. But, it is very harmful and stealing all the windows users credentials. Thanks for awarning from this attacks.