Sunday, March 27, 2016

Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Log Analysis

Continuing this journey of learning about Mimikatz, SkeletonKey, dumping NTDS.dit and Kerberos with Metasploit, the focus of this post is to get a better understanding of how I may be able to use the mimikatz tool.

So yeah, I spent time learning about the tools and what they do. However, are there any signs I may be able to use that could help us detect these activities? The reference section has suggestions for detecting and mitigating some of the activities I performed, more so around the mimikatz side of things. Along with those, I wanted to know what I may be able to detect from my own lab.


So here we go .... Blast off!!!!!


When I'm investigating, I typically start with a trigger: something I'm aware of that may be the cause of the issue. In this case, since I created the issue myself, I started with a time window and then removed what I didn't want.


The first thing that I detected in the Splunk log was the strange computer name shown below.

Next I noticed a service with a strange name starting.

Not only was the name strange, but it contained what appeared to be a base64-encoded, gzip-compressed string. So I wanted to peek a bit more into this.

I then copied the base64-encoded string, "echo"ed its value, piped ("|") it into "base64 --decode", and sent the output to a file named "services.gz" as shown below.


The next step was to verify that the services.gz file was successfully created, as shown below. Once it was, I ran "file" on it to verify it was gzip compressed. I wanted to peek at some details about the file, so I ran "gunzip --list" and finally "gunzip" on the file. This produced an ASCII file, as shown below.


Once this was all done, I wanted to see what was in the ASCII file, so I "cat" the file and found ...

..... it was more code. Time to move on for now, as the objective of this post was not to analyze the code. However, by analyzing this code an analyst can get a better understanding of what it is trying to do.
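The decode-and-verify steps above (base64 decode, check that the result is gzip, gunzip it) can be turned into a small detection check that runs over service-install log lines. This is an added example, not code from the post; the log lines, field names and the packed blob are all constructed here, and the only real signal it relies on is the two-byte gzip magic (1f 8b) at the start of the decoded data.

```python
import base64
import binascii
import gzip
import re
import zlib

# A run of base64 characters long enough to be a packed payload rather than a short token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def decode_gzip_b64(blob: str):
    """Base64-decode one candidate run; return the gunzipped text if it is gzip data, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.startswith(GZIP_MAGIC):
        return None
    try:
        return gzip.decompress(raw).decode("utf-8", errors="replace")
    except (OSError, EOFError, zlib.error):
        return None


def find_packed_payloads(log_line: str) -> list:
    """Return the decoded contents of every base64+gzip blob found in one log line."""
    return [t for t in (decode_gzip_b64(m.group(0)) for m in B64_RUN.finditer(log_line)) if t is not None]


def scan(lines: list) -> list:
    """Run the check over every line; return (line index, decoded text) for each hit."""
    return [(i, text) for i, line in enumerate(lines) for text in find_packed_payloads(line)]


# Constructed sample: a harmless script body, gzipped then base64-encoded the way the
# blob in the suspicious service entry looked. Not a real payload.
FAKE_SCRIPT = "Write-Output 'constructed sample script body'"
PACKED = base64.b64encode(gzip.compress(FAKE_SCRIPT.encode())).decode()
NOT_GZIP = base64.b64encode(b"A" * 60).decode()  # valid base64 that is not gzip data

# Constructed lines in a 7045-style (new service installed) layout; only the second carries a packed blob.
SAMPLE_LOG = [
    "EventCode=7045 Service_Name=Spooler Service_File_Name=C:\\Windows\\System32\\spoolsv.exe",
    "EventCode=7045 Service_Name=qLpXz Service_File_Name=powershell -nop -w hidden " + PACKED,
    "EventCode=7045 Service_Name=VSS Service_File_Name=C:\\Windows\\system32\\vssvc.exe",
]

if __name__ == "__main__":
    for idx, text in scan(SAMPLE_LOG):
        print(f"line {idx}: base64+gzip payload -> {text!r}")
```

Short base64 runs and base64 that does not decode to a gzip stream are ignored, so ordinary service paths produce no hits.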


Something else that caught my attention was the starting and eventual running of the Volume Shadow Copy Service as shown below.


Do remember that in order for Metasploit to grab the database, it needed to start the service, as it was not running. So this may be something to look for: whether the Volume Shadow Copy service is being started on your Domain Controllers.

I then saw the "ntds.dit" location was changed. Another cause for concern?

The next image was also of concern to me because I know the conhost process is the one I migrated to. Therefore, I take it this process was responsible for initiating the copy. Maybe in a future post I can look at the process or user who is responsible for starting this service. However, for now I know I migrated to the conhost process, so that is quite likely why I'm seeing this activity under it.

Ok then, I'm not trying to make this post too long. However, the rest of the information, which can be found in the reference section, can help in detecting mimikatz and/or its activities.

This post was just for me to see what else I may be able to see about my activities other than what was shown in the reference documents.



Reference:
http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
https://adsecurity.org/?p=1275



Posts in this series:
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Lab Setup
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Dumping the AD database
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Mimikatz
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Exporting Certificates
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Pass The Ticket (Golden Ticket)
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Skeleton Key
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Log Analysis
Learning about Mimikatz, SkeletonKey, Dumping NTDS.dit and Kerberos with Metasploit - Volatility Memory Analysis
