One of the latest threats to rock the cyber world is Mimikatz, a tool that adds more than a little pep to the relentless and rapid strides of the hacker community.

In cyber circles, hacking is classified into two distinct categories: black hat hackers and white hat hackers. The former are criminal hackers, while the latter are ethical hackers. The operational methodology of both classes is pretty much the same; the only difference is that white hat hackers attack systems to identify loopholes and vulnerabilities, whereas black hats use the same techniques for malicious purposes.

Ethical hackers achieve their purpose through a process called penetration testing, whereby physical infrastructure and personnel are subjected to a controlled hacking routine or scenario. It is imperative that such hacking does not cause any actual harm to the systems it is meant to strengthen. This warrants caution, and adherence to guidelines, while using specialized hacking tools for the purpose. However, the same tools can also be used for malicious purposes by black hat hackers. Eventually it all boils down to the manner in which the tools are used, which determines their eventual effects. One such tool, favored by both categories of hackers, is called Mimikatz.

DEFINING MIMIKATZ

Mimikatz is an extremely powerful password extraction tool which, according to this article, was created by a malware developer who bundled it into the NotPetya malware, an encrypting ransomware targeting Windows-based operating systems.

Mimikatz is a password-stealing tool that can lift this information from system memory, even when it is held as a hash or stashed away in a Kerberos-compatible domain such as a Microsoft Active Directory Domain Controller. The tool is now readily available over the internet as a standalone application that may be used for any purpose.

Mimikatz is designed specifically for Windows-based operating systems earlier than Windows 10. Password extraction relies on locating the decryption key in computer memory, which is then used to decrypt the encrypted password. One way of scanning for passwords is to create a memory dump in a separate file and then search it for the required data.

PROTECTION METHODS

The main defense against a Mimikatz attack is to subvert the memory dumping feature of the tool. In Windows 8 this is achieved by disabling the WDigest feature, which Mimikatz exploits for memory dumps. Disabling it, however, requires system administrator privileges, a fact most users are unaware of. This leaves the WDigest feature enabled by default and open to exploitation.

Windows 10 addressed this issue by disabling WDigest by default. Despite this measure, Mimikatz is powerful enough to tweak the registry, using administrator rights, and re-enable WDigest on the fly.

Microsoft proposes that the SeDebugPrivilege service be disabled. This is a system service handling debug functions in Windows, a feature not used by common users. It should be disabled on systems that are not running any development routines and are used solely for common office applications. Doing so inhibits Mimikatz from reading decrypted contents out of memory on the fly. Even this practice is not completely tamper-proof and can be modified by Mimikatz.
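The two hardening steps described above (keeping WDigest credential caching off, and limiting who holds the debug privilege) can be checked and enforced from an elevated PowerShell session. The script below is an added example written for this article, not code from the article's author or from Microsoft. It assumes the documented WDigest registry value `UseLogonCredential` under `HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest` (introduced with Microsoft update KB2871997), uses `secedit /export` to read the local "Debug programs" user right, and writes a temporary export file to a placeholder path under `$env:TEMP`.

```powershell
# Added example (not from the original article): audit and harden the two settings
# the article discusses on a Windows host. Run from an elevated PowerShell session.
# Registry path/value are the documented WDigest setting (KB2871997); the export
# file path is a placeholder chosen for this example.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestState {
    # Returns the current UseLogonCredential value, or $null when the value is absent.
    # Absent means the OS default applies: plaintext caching ON for older Windows
    # without KB2871997, OFF on Windows 8.1 / Server 2012 R2 and later.
    $item = Get-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.UseLogonCredential
}

function Disable-WDigestCaching {
    # Explicitly sets UseLogonCredential = 0 so the host does not depend on the OS
    # default. The change applies to logons that occur after it is set.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    New-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-DebugPrivilegeHolders {
    # Exports the local security policy with secedit and returns the SIDs/accounts
    # assigned the "Debug programs" user right (SeDebugPrivilege).
    $inf = Join-Path $env:TEMP 'secpol-export.inf'   # placeholder path
    secedit /export /cfg $inf | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeDebugPrivilege\s*=' } | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $rhs = ($line -split '=', 2)[1].Trim()
    return $rhs -split ',' | ForEach-Object { $_.Trim() }
}

# --- Report and enforce the WDigest setting ---
$state = Get-WDigestState
if ($state -eq 1) {
    Write-Warning 'WDigest UseLogonCredential is 1: plaintext credentials are being cached in LSASS.'
    Disable-WDigestCaching
    Write-Output 'UseLogonCredential set to 0 (effective for new logons).'
} elseif ($null -eq $state) {
    Write-Output 'UseLogonCredential is not set; relying on the OS default. Setting it to 0 explicitly.'
    Disable-WDigestCaching
} else {
    Write-Output 'UseLogonCredential is already 0.'
}

# --- Report who holds SeDebugPrivilege ---
$holders = Get-DebugPrivilegeHolders
Write-Output ("Accounts holding SeDebugPrivilege: " + ($holders -join ', '))
# The Windows default is *S-1-5-32-544 (BUILTIN\Administrators). Any additional entry
# on an office workstation warrants review; remove it via Local Security Policy or GPO
# (User Rights Assignment > "Debug programs").
```

Because the article notes that Mimikatz can flip the WDigest value back on with administrator rights, setting the value once is not enough: enable object-access auditing (SACL) on the WDigest key and alert on any change to `UseLogonCredential`, and re-run the check periodically or push it through Group Policy so the value is re-enforced at each refresh.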

Keeping these vulnerabilities in mind, organizations and businesses should be cognizant of the inherent dangers posed by this tool and should take appropriate measures to ward off this ever-evolving threat, whose many variants, not yet discovered, may already be out there.
