401d8 read42 - carlosjorr/reading-notes GitHub Wiki
Name the six credential-gathering techniques which Mimikatz is able to perform and explain how two of them work.
Pass-the-Hash (PtH):
Explanation: In a PtH attack, Mimikatz extracts hashed user credentials (e.g., NTLM or LM hashes) from a compromised system's memory. Instead of cracking the hashes, the attacker uses them directly for authentication, which allows lateral movement within a network without the plaintext passwords.

Pass-the-Ticket (PtT):
Explanation: PtT is a technique in which Mimikatz extracts Kerberos ticket-granting tickets (TGTs) and service tickets (TGSs) from memory. These tickets can be used to impersonate users and access network resources without knowing the user's password; the attacker essentially "passes" the tickets for authentication.

Overpass-the-Hash (Pass-the-Key):
Explanation: This attack focuses on extracting and using the Kerberos keys (RC4 keys) stored in memory. These keys are used to encrypt and decrypt Kerberos tickets, so an attacker who obtains them can impersonate users and access network resources as if they had the user's password.

Pass-the-Certificate (PtC):
Explanation: PtC involves extracting X.509 certificates and their private keys from memory. Attackers can then use these certificates to authenticate to services and systems, often bypassing traditional password-based authentication.

Pass-the-LM-Hash:
Explanation: Similar to PtH, this technique targets the weaker LM (LAN Manager) hashes used by older Windows password storage. Attackers can extract and use LM hashes for authentication, and these hashes are also relatively easy to crack.

Pass-the-Hash for Windows Cached Credentials:
Explanation: Windows stores hashed credentials of previously logged-in users as cached credentials. Attackers can extract these cached hashes and use them for offline attacks, such as password cracking.
What are four ways we can defend against Mimikatz attacks? Explain how two of the mitigations can stop Mimikatz.

Use Credential Guard:
Explanation: Windows Credential Guard is a security feature in Windows 10 and later that uses virtualization-based security to isolate and protect LSASS (Local Security Authority Subsystem Service) memory. It prevents unauthorized processes from accessing LSASS memory, making it extremely difficult for Mimikatz to extract credentials from this critical component.

Implement LSA Protection (Protected Process Light):
Explanation: LSA (Local Security Authority) Protection restricts access to LSASS memory. When enabled, only trusted system processes are allowed to access and modify LSASS memory, which blocks unauthorized access by tools like Mimikatz.

Enforce Strong Password Policies:
Explanation: Strong password policies, including long and complex passwords, password rotation, and account lockout policies, make it more challenging for attackers to crack or use stolen credentials effectively.

Monitor for Anomalous Behavior:
Explanation: Robust monitoring and anomaly detection can surface suspicious activity such as repeated login failures, unusual authentication patterns, or unauthorized access attempts. Early detection leads to timely response and mitigation.
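As an added example (not part of these notes), a PowerShell audit script that checks whether the two LSASS-isolating mitigations above, LSA Protection and Credential Guard, are actually in effect on the local machine. It relies on the documented RunAsPPL registry value, the Wininit event 12 boot message and the Win32_DeviceGuard WMI class; the function names and the returned hashtable layout are this script's own.

```powershell
# Added audit script, not part of the original reading notes.
# Assumes PowerShell 5.1 or later, run elevated, on Windows 10/11 or Server 2016+.
# The registry value, event ID and WMI class are documented Windows settings;
# the function names and the hashtable layout are this script's own.

function Get-LsassMitigationStatus {
    $status = @{}

    # LSA Protection is a DWORD under the Lsa key: 1 = enabled (UEFI-locked),
    # 2 = enabled without UEFI lock on newer builds, missing/0 = disabled.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $status.RunAsPPLConfigured = ($null -ne $lsa.RunAsPPL -and $lsa.RunAsPPL -ge 1)

    # The registry value only takes effect after a reboot. Wininit event 12 in the
    # System log ("LSASS.exe was started as a protected process with level: 4")
    # confirms lsass.exe is really running as PPL on the current boot.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $status.LsassRunningProtected = ($null -ne $evt -and $evt.Message -match 'protected process')

    # Credential Guard: Win32_DeviceGuard lists running VBS services; 1 = Credential Guard.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    $status.CredentialGuardRunning = ($null -ne $dg -and ($dg.SecurityServicesRunning -contains 1))

    return $status
}

function Enable-LsaProtection {
    # Sets RunAsPPL = 1; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($PSCmdlet.ShouldProcess($path, 'Set RunAsPPL = 1 (reboot required)')) {
        Set-ItemProperty -Path $path -Name 'RunAsPPL' -Value 1 -Type DWord
    }
}

$s = Get-LsassMitigationStatus
$s.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
if (-not $s.RunAsPPLConfigured) {
    Write-Warning 'LSA Protection is not configured; run Enable-LsaProtection and reboot.'
}
if (-not $s.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running; enable it via Group Policy or Intune.'
}
```

RunAsPPLConfigured being true while LsassRunningProtected is false usually means the setting was applied but the host has not rebooted yet, which is exactly the window in which Mimikatz can still read LSASS.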