
Update T1003.yaml Dumping Credentials using Mimikatz #2661

Closed

Conversation

prashanthpulisetti

Atomic Test #7 - Dumping Credentials using Mimikatz with AMSI Bypass

Demonstrates the capability of Mimikatz to extract credentials from memory, including an AMSI bypass technique.

Details

This atomic test focuses on using Mimikatz, a well-known tool in the cybersecurity community, for extracting credentials stored in memory. Mimikatz is capable of extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory. This test is designed to help security teams understand and detect Mimikatz usage within their environment.

In addition to the standard Mimikatz execution, this test includes a script to bypass the Anti-Malware Scan Interface (AMSI) in Windows. This AMSI bypass technique is a common tactic used by attackers to evade detection and is crucial for security teams to understand and recognize.

Executor

The test is executed via the command prompt with elevated privileges and involves the following steps:

  1. Running a PowerShell script to bypass AMSI.
  2. Downloading and executing Mimikatz to dump credentials.
  3. Saving the extracted credentials to a specified file.

Testing

Testing should be carried out in a controlled environment due to the nature of the tools and techniques used.

  • Environment: Windows system with administrative privileges.
  • Procedure:
    1. Ensure the prerequisites are met (administrative privileges, Mimikatz download, AMSI bypass script).
    2. Execute the atomic test as defined in the YAML file.
    3. Verify that credentials are successfully dumped and stored in the output file.
    4. Observe and note any detections or alerts triggered by security tools.

Security teams are encouraged to use this test to enhance their detection capabilities against tools like Mimikatz and techniques like AMSI bypass.

Associated Issues

NA

updated indentations
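Added example, not part of this PR or of the Atomic Red Team project: a small Python correlation script that runs over log lines in the shape a SIEM would hold for PowerShell ScriptBlock logging (Event ID 4104) and process creation (Sysmon Event ID 1), and flags hosts where AMSI-bypass indicators are followed by Mimikatz indicators, the two-stage chain the test description above asks defenders to detect. The log lines, host names, timestamps, the line format and the 30-minute correlation window are all assumptions constructed for the example; the indicator strings are public Mimikatz module names and the .NET type and field names that in-memory AMSI bypass scripts commonly touch.

```python
"""Correlate AMSI-bypass and Mimikatz indicators per host.

Example code added for illustration; it is not the PR's test or project code.
Log format is an assumption: '<ISO timestamp> <host> <event_id> <message>'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Public indicator strings. Plain-text matching is deliberately simple: it
# catches the unobfuscated forms an atomic test emits, not split or encoded ones.
AMSI_PATTERNS = [
    r"AmsiUtils",
    r"amsiInitFailed",
    r"amsiContext",
    r"AmsiScanBuffer",
    r"System\.Management\.Automation\.Amsi",
]
MIMIKATZ_PATTERNS = [
    r"sekurlsa::",          # sekurlsa::logonpasswords, sekurlsa::pth, ...
    r"lsadump::",           # lsadump::sam, lsadump::dcsync, ...
    r"kerberos::",          # kerberos::list, kerberos::ptt, ...
    r"privilege::debug",
    r"Invoke-Mimikatz",
    r"mimikatz(\.exe)?\b",
]
AMSI_RE = re.compile("|".join(AMSI_PATTERNS), re.IGNORECASE)
MIMIKATZ_RE = re.compile("|".join(MIMIKATZ_PATTERNS), re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line into timestamp, host, event id, message."""
    ts, host, event_id, message = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": int(event_id), "message": message}


def classify(event):
    """Return the set of attack stages this event is evidence for."""
    stages = set()
    if AMSI_RE.search(event["message"]):
        stages.add("amsi_bypass")
    if MIMIKATZ_RE.search(event["message"]):
        stages.add("mimikatz")
    return stages


def correlate(lines, window=timedelta(minutes=30)):
    """Per host: 'high' when an AMSI-bypass hit is followed by a Mimikatz hit
    within `window`; 'medium' for either stage alone or out-of-window pairs.
    Hosts with no indicator hits are omitted."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        stages = classify(ev)
        if stages:
            by_host[ev["host"]].append((ev["ts"], stages, ev["message"]))

    findings = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        amsi_times = [t for t, s, _ in hits if "amsi_bypass" in s]
        mk_times = [t for t, s, _ in hits if "mimikatz" in s]
        # Ordering matters: the bypass must precede the dump, not follow it.
        chained = any(timedelta(0) <= (m - a) <= window
                      for a in amsi_times for m in mk_times)
        stages_seen = set().union(*(s for _, s, _ in hits))
        findings[host] = {
            "severity": "high" if chained else "medium",
            "stages": sorted(stages_seen),
            "evidence": [m for _, _, m in hits],
        }
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-01-19T09:14:02 WS01 4104 [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static')",
    "2024-01-19T09:14:40 WS01 1 C:\\Users\\lab\\Downloads\\mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" \"exit\"",
    "2024-01-19T09:15:10 WS01 4104 Get-Process lsass",
    "2024-01-19T10:02:11 WS02 1 C:\\Windows\\System32\\notepad.exe",
    "2024-01-19T11:30:00 WS03 1 C:\\tools\\mimikatz.exe \"lsadump::sam\"",
    "2024-01-19T08:00:00 WS04 4104 [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')",
    "2024-01-19T09:00:00 WS04 1 C:\\tools\\mimikatz.exe \"sekurlsa::logonpasswords\"",
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_LOGS).items():
        print(host, finding["severity"], finding["stages"])
```

Two caveats for anyone adapting this to real telemetry. First, string matching on 4104 content only sees what the script block literally contains; a bypass built from concatenated or Base64-decoded fragments is only caught if the decoded block is later executed (and therefore logged as its own 4104 event). Second, a renamed Mimikatz binary defeats the filename pattern, so the module-name patterns (`sekurlsa::`, `lsadump::`) and, ideally, LSASS access telemetry (Sysmon Event ID 10) carry more weight than the executable name.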

@clr2of8 clr2of8 left a comment


We would like to keep the atomic tests small. We have atomics that do AMSI bypasses and atomics that run Mimikatz, which sufficiently covers what is done here. Users wishing to run Mimikatz with an AMSI bypass can execute the two atomics back to back. Thank you for your efforts though.

@clr2of8 clr2of8 closed this Jan 20, 2024
@prashanthpulisetti prashanthpulisetti deleted the patch-9 branch January 20, 2024 05:26