Mimikatz is a 32-bit/64-bit Windows program written in C. It provides a wealth of tools for collecting and making use of Windows credentials on target systems, including retrieval of cleartext passwords, LAN Manager hashes, NTLM hashes, certificates, and Kerberos tickets. The tools run with varying success on all versions of Windows from XP onwards. Mimikatz can be used by compiling and running your own build, by running the Mimikatz executable, or through the Metasploit script or the official Invoke-Mimikatz PowerShell version (of which multiple PowerShell variants exist).
- The attacker gains a foothold on the server via an exploitation method.
- The attacker uses Mimikatz on the server to extract credentials, hashes, etc. and to forge Kerberos authentication tickets.
Mimikatz is a post-compromise tool: the attacker must already have access to the system, either local or remote. To acquire remote access, the attacker may first need to exploit a vulnerability in the system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided by the Alert Logic ActiveWatch for Log Manager™ service. The affected system produces log messages when an exploit of this type is leveraged; if these log messages are observed, an incident is generated in the Alert Logic console.
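As an added example (this is not Alert Logic's signature logic and not code from the Mimikatz project), the script below shows the kind of log-based check the paragraph describes: it parses Windows Security / Sysmon events exported as key=value lines and flags three indicators of Mimikatz-style credential access. The event IDs are the real Windows ones (Security 4688 and 4104, Sysmon 1 and 10); the field names, host names, file paths and the sample log lines are constructed for the example, and the set of LSASS access masks is an assumption that should be tuned to your environment.

```python
"""Added example: flag Mimikatz-style credential access in exported Windows logs.
Assumes the log collector exports events as key=value lines with the field
names used below (constructed for this example)."""
import re
from dataclasses import dataclass

# Access masks commonly observed when a process reads LSASS memory to dump
# credentials (PROCESS_VM_READ combined with query rights). Assumption: tune this
# set to what is normal on your hosts.
SUSPICIOUS_LSASS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}

# Mimikatz module prefixes plus the PowerShell wrapper named in the advisory.
MIMIKATZ_TOKENS = ("sekurlsa::", "lsadump::", "kerberos::", "invoke-mimikatz")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def parse_event(line):
    """Turn a key=value log line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def check_event(ev):
    """Return an Alert if the event matches an indicator, otherwise None."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?")
    if eid == "10":  # Sysmon ProcessAccess: who opened a handle to LSASS, and with what rights
        target = ev.get("TargetImage", "").lower()
        access = ev.get("GrantedAccess", "").lower()
        if target.endswith("\\lsass.exe") and access in SUSPICIOUS_LSASS_ACCESS:
            return Alert("lsass_memory_read", host,
                         f"{ev.get('SourceImage')} -> lsass.exe ({access})")
    elif eid in ("4688", "1"):  # process creation (Security 4688 / Sysmon 1)
        cmd = ev.get("CommandLine", "").lower()
        if any(tok in cmd for tok in MIMIKATZ_TOKENS):
            return Alert("mimikatz_command_line", host, cmd)
    elif eid == "4104":  # PowerShell script block logging
        block = ev.get("ScriptBlockText", "").lower()
        if any(tok in block for tok in MIMIKATZ_TOKENS):
            return Alert("mimikatz_powershell", host, block[:80])
    return None


def scan(lines):
    """Run every line through the checks and collect the resulting alerts."""
    alerts = []
    for line in lines:
        alert = check_event(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events: two benign, three indicative of Mimikatz use.
SAMPLE_LOG = [
    r'EventID=10 Computer=WS01 SourceImage=C:\Windows\System32\csrss.exe '
    r'TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000',
    r'EventID=10 Computer=WS01 SourceImage=C:\Users\bob\Downloads\tool.exe '
    r'TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010',
    r'EventID=4688 Computer=SRV02 CommandLine="notepad.exe C:\notes.txt"',
    r'EventID=4688 Computer=SRV02 CommandLine="C:\Temp\m.exe sekurlsa::logonpasswords"',
    r'EventID=4104 Computer=SRV02 ScriptBlockText="Invoke-Mimikatz -DumpCreds"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The LSASS check is the most durable of the three because it does not depend on the tool's name or command-line strings, which are trivially changed; the token matches are cheap complements that catch unmodified use of the executable or the PowerShell wrapper. In a real deployment the same rules would read from the collector's export rather than from the constructed list.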
Recommendations for Mitigation
Because Mimikatz requires existing access, the attacker must first have exploited some other entry vector to gain access to the local victim host. Ensure that all software on internet-facing hosts is kept up to date.