# Mimikatz

Mimikatz was used to list all available provider credentials using `sekurlsa::logonPasswords` and to perform Pass-The-Hash via `sekurlsa::pth`.
For this scenario, no significant changes were made to the original functionality of Mimikatz.
Source code and a pre-built Mimikatz binary can be downloaded from: https://github.com/gentilkiwi/mimikatz/
# Dependencies

To build the binary with the following instructions, you will need the following dependencies downloaded and installed:
# Build Instructions

From the mimikatz folder, run the following command:

```
"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe" mimikatz.sln /build release
```

The resulting executable will be found in the `x64` folder created during the build process. This executable should be renamed `m64.exe` and copied to `Resources/payloads/TwoFace`.
# 🔬 CTI Sources

- Unit42's TwoFace Webshell: Persistent Access Point for Lateral Movement
- Unit42's Striking Oil: A Closer Look at Adversary Infrastructure
- Unit42's Oilrig Playbook Viewer
# 🔬 ATT&CK Techniques

While Mimikatz covers a wider range of techniques, the version used in this scenario exercised the following:

- (Step6) T1003.001 - OS Credential Dumping: LSASS Memory
- (Step8) T1550.002 - Use Alternate Authentication Material: Pass the Hash