Blog
/
No items found.
/
February 14, 2019
No items found.

Catching Mimikatz Behavior with Anomaly Detection Defense

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
14
Feb 2019
Detect and prevent Mimikatz cyber attacks with AI anomaly detection. Read more to learn how cyber defenses can stop Mimikatz and its variants in their tracks.

Originally created by famed French programmer Benjamin Delpy to highlight security flaws in Windows authentication mechanisms, today Mimikatz is a staple post-exploitation module in the arsenal of cyber-criminals, since it facilitates lateral movement across a victim’s network. Mimikatz was a primary feature of the global ransomware attacks NotPetya and BadRabbit, in addition to the alleged Russian hacking of the German parliament in 2015 and 2017.

Among the primary vulnerabilities that Mimikatz exploits is Windows’ Local Security Authority Subsystem Service (LSASS), which is designed to obviate the need for users to reauthenticate every time they seek to access internal resources. Despite its clear utility, LSASS works by keeping a cache of every credential used since the last boot, presenting an obvious security risk in the event the cache is compromised. Broadly speaking, Mimikatz plunders this resource and allows users to access cleartext passwords as well as NTLM hashes. With this data in hand, threat actors are able to conduct the following attacks:

  • Kerberos Golden Ticket: Provides administrative credentials for the whole domain.
  • Pass-the-Ticket: Enables a user to pass a Kerberos ticket to a second device and login using this ticket.
  • Kerberos Silver Ticket: Provides a TGS ticket to log into any network service.
  • Pass-the-Hash: Allows a user to pass a hash string in order to login.

Dumping LSASS memory is just one method that Mimikatz and its many updated versions employ to harvest credentials. Indeed, once malware such as NotPetya has established itself on single device, the Mimikatz module can exploit a variety of security flaws to obtain the password information for any other users or computers that have logged onto that machine: a key step for both lateral movement and privilege escalation. Like many successful hacker tools, Mimikatz has inspired the creation of other programs with similar aims, which are largely intended to circumvent antivirus controls.

Using AI to end the cat-and-mouse game

At the most basic level, security teams can reduce vulnerability to Mimikatz and to lateral movement more generally by ensuring that each user has the minimum amount of privileges needed for his or her role. But while this measure is certainly prudent, it will not always be effective — especially when dealing with sophisticated threats. Another strategy is to implement endpoint security tools and anti-virus software, which rely on rules and signatures to detect known Mimikatz variants. However, as Mimikatz and its copycats continue to evolve, these traditional tools are locked in a ceaseless cat-and-mouse game, unable to spot unknown variants of Mimikatz that are designed to circumvent them.

As a fundamentally different approach to security, artificially intelligent systems like Darktrace avoid this cat-and-mouse game by learning what constitutes normal behavior for the users and devices they safeguard while “on the job,” rather than using fixed rules and signatures. This approach alerts defenders to any anomalous activity, regardless of whether such activity constitutes a known or unknown threat. Typically, lateral movement involving Mimikatz will involve a spike in unusual SMB activity, as attackers seek to write the tool to target devices. The following recent attack on a Darktrace customer highlights how AI can allow security teams to quickly detect and respond to such lateral movement involving Mimikatz:

  1. Darktrace alerts to a non-domain joined Linux device appearing on the customer’s network and engaging in extensive SMB bruteforce activity against key servers.
  1. Figure 1: Darktrace detects the spike in SMB activity.
  2. Darktrace flags the device successfully logging into a server using administrative credentials via SMBv1, opening the \sect pipe and writing the suspicious and likely malicious file Syssvc.exe to the server’s \temp folder. Immediately after this, Darktrace alerts to the device writing mimikatz.exe to the same folder.
  1. Figure 2: Darktrace flags the device using Mimikatz.
  2. Following this step, multiple .tmp and .txt files appear on the target device, indicating that Mimikatz was proceeding to access passwords and hashes.

The novelty of this AI-powered approach is that it does not rely on a string search for the term “mimikatz.exe”; rather, it highlights the unusual behavior that commonly surrounds Mimikatz’ activity. As shown in the screenshot above, this behavior constitutes “New activity”: Darktrace has not seen this type of SMB activity between the source and the destination before. Moreover, SMBv1 is used — highly unusual for the environment. And finally, it is unusual for devices in the target environment to make SMB network drive writes to Temp folders. All these subtle deviations from the customer’s ‘pattern of life,’ taken together, caused Darktrace to alert on the Mimikatz behavior.

Since its introduction to the cyber-threat landscape, Mimikatz has become a highly effective means for cyber-attackers to move laterally inside corporate and government networks. But by empowering security teams to respond before attackers can plunder a network’s entire cache of passwords, AI cyber defenses are thwarting Mimikatz and its copycats alike.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Max Heinemeyer
Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

November 28, 2024

/

Cloud

Cloud security: addressing common CISO challenges with advanced solutions

Default blog imageDefault blog image

Cloud adoption is a cornerstone of modern business with its unmatched potential for scalability, cost efficiency, flexibility, and net-zero targets around sustainability. However, as organizations migrate more workloads, applications, and sensitive data to the cloud it introduces more complex challenges for CISO’s. Let’s dive into the most pressing issues keeping them up at night—and how Darktrace / CLOUD provides a solution for each.

1. Misconfigurations: The Silent Saboteur

Misconfigurations remain the leading cause of cloud-based data breaches. In 2023 alone over 80%  of data breaches involved data stored in the cloud.1  Think open storage buckets or overly permissive permissions; seemingly minor errors that are easily missed and can snowball into major disasters. The fallout of breaches can be costly—both financially and reputationally.

How Darktrace / CLOUD Helps:

Darktrace / CLOUD continuously monitors your cloud asset configurations, learning your environment and using these insights to flag potential misconfigurations. New scans are triggered when changes take place, then grouped and prioritised intelligently, giving you an evolving and prioritised view of vulnerabilities, best practice and mitigation strategies.

2. Hybrid Environments: The Migration Maze

Many organizations are migrating to the cloud, but hybrid setups (where workloads span both on-premises and cloud environments) create unique challenges and visibility gaps which significantly increase complexity. More traditional and most cloud native security tooling struggles to provide adequate monitoring for these setups.

How Darktrace / CLOUD Helps:

Provides the ability to monitor runtime activity for both on-premises and cloud workloads within the same user interface. By leveraging the right AI solution across this diverse data set, we understand the behaviour of your on-premises workloads and how they interact with cloud systems, spotting unusual connectivity or data flow activity during and after the migration process.

This unified visibility enables proactive detection of anomalies, ensures seamless monitoring across hybrid environments, and provides actionable insights to mitigate risks during and after the migration process.

3. Securing Productivity Suites: The Last Mile

Cloud productivity suites like Microsoft 365 (M365) are essential for modern businesses and are often the first step for an organization on a journey to Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) use cases. They also represent a prime target for attackers. Consider a scenario where an attacker gains access to an M365 account, and proceeds to; access sensitive emails, downloading files from SharePoint, and impersonating the user to send phishing emails to internal employees and external partners. Without a system to detect these behaviours, the attack may go unnoticed until significant damage is done.

How Darktrace helps:

Darktrace’s Active AI platform integrates with M365 and establishes an understanding of normal business activity, enabling the detection of abnormalities across its suite including Email, SharePoint and Teams. By identifying subtle deviations in behaviour, such as:

   •    Unusual file accesses

   •    Anomalous login attempts from unexpected locations or devices.

   •    Suspicious email forwarding rules created by compromised accounts.

Darktrace’s Autonomous Response can act precisely to block malicious actions, by disabling compromised accounts and containing threats before they escalate. Precise actions also ensure that critical business operations are maintained even when a response is triggered.  

4. Agent Fatigue: The Visibility Struggle

To secure cloud environments, visibility is critical. If you don’t know what’s there, how can you secure it? Many solutions require agents to be deployed on every server, workload, and endpoint. But managing and deploying agents across sprawling hybrid environments can be both complex and time-consuming when following change controls, and especially as cloud resources scale dynamically.

How Darktrace / CLOUD Helps:

Darktrace reduces or eliminates the need for widespread agent deployment. Its agentless by default, integrating directly with cloud environments and providing instant visibility without the operational headache. Darktrace ensures coverage with minimal friction. By intelligently graphing the relationships between assets and logically grouping your deployed Cloud resources, you are equipped with real-time visibility to quickly understand and protect your environment.

So why Darktrace / CLOUD?

Darktrace’s Self-Learning AI redefines cloud security by adapting to your unique environment, detecting threats as they emerge, and responding in real-time. From spotting misconfigurations to protecting productivity suites and securing hybrid environments. Darktrace / CLOUD simplifies cloud security challenges without adding operational burdens.

From Chaos to Clarity

Cloud security doesn’t have to be a game of endless whack-a-mole. With Darktrace / CLOUD, CISOs can achieve the visibility, control, and proactive protection they need to navigate today’s complex cloud ecosystems confidently.

[1] https://hbr.org/2024/02/why-data-breaches-spiked-in-2023

Continue reading
About the author
Adam Stevens
Director of Product, Cloud Security

Blog

/

November 27, 2024

/

Inside the SOC

Behind the veil: Darktrace's detection of VPN exploitation in SaaS environments

Default blog imageDefault blog image

Introduction

In today’s digital landscape, Software-as-a-Service (SaaS) platforms have become indispensable for businesses, offering unparalleled flexibly, scalability, and accessibly across locations. However, this convenience comes with a significant caveat - an expanded attack surface that cyber criminals are increasingly exploiting. In 2023, 96.7% of organizations reported security incidents involving at least one SaaS application [1].

Virtual private networks (VPNs) play a crucial role in SaaS security, acting as gateways for secure remote access and safeguarding sensitive data and systems when properly configured. However, vulnerabilities in VPNs can create openings for attacks to exploit, allowing them to infiltrate SaaS environments, compromise data, and disrupt business operations. Notably, in early 2024, the Darktrace Threat Research team investigated the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPNs, which would allow threat actors to gain access to sensitive systems and execute remote code.

More recently, in August, Darktrace identified a SaaS compromise where a threat actor logged into a customer’s VPN from an unusual IP address, following an initial email compromise. The attacker then used a separate VPN to create a new email rule designed to obfuscate the phishing campaign they would later launch.

Attack Overview

The initial attack vector in this case appeared to be through the customer’s email environment. A trusted external contact received a malicious email from another mutual contact who had been compromised and forwarded it to several of the organization’s employees, believing it to be legitimate. Attackers often send malicious emails from compromised accounts to their past contacts, leveraging the trust associated with familiar email addresses. In this case, that trust caused an external victim to unknowingly propagate the attack further. Unfortunately, an internal user then interacted with a malicious payload included in the reply section of the forwarded email.

Later the same day, Darktrace / IDENTITY detected unusual login attempts from the IP 5.62.57[.]7, which had never been accessed by other SaaS users before. There were two failed attempts prior to the successful logins, with the error messages “Authentication failed due to flow token expired” and “This occurred due to 'Keep me signed in' interrupt when the user was signing in.” These failed attempts indicate that the threat actor may have been attempting to gain unauthorized access using stolen credentials or exploiting session management vulnerabilities. Furthermore, there was no attempt to use multi-factor authentication (MFA) during the successful login, suggesting that the threat actor had compromised the account’s credentials.

Following this, Darktrace detected the now compromised account creating a new email rule named “.” – a telltale sign of a malicious actor attempting to hide behind an ambiguous or generic rule name.

The email rule itself was designed to archive incoming emails and mark them as read, effectively hiding them from the user’s immediate view. By moving emails to the “Archive” folder, which is not frequently checked by end users, the attacker can conceal malicious communications and avoid detection. The settings also prevent any automatic deletion of the rules or forced overrides, indicating a cautious approach to maintaining control over the mailbox without raising suspicion. This technique allows the attacker to manipulate email visibility while maintaining a façade of normality in the compromised account.

Email Rule:

  • AlwaysDeleteOutlookRulesBlob: False
  • Force: False
  • MoveToFolder: Archive
  • Name: .
  • MarkAsRead: True
  • StopProcessingRules: True

Darktrace further identified that this email rule had been created from another IP address, 95.142.124[.]42, this time located in Canada. Open-source intelligence (OSINT) sources indicated this endpoint may have been malicious [2].

Given that this new email rule was created just three minutes after the initial login from a different IP in a different country, Darktrace recognized a geographic inconsistency. By analyzing the timing and rarity of the involved IP addresses, Darktrace identified the likelihood of malicious activity rather than legitimate user behavior, prompting further investigation.

Figure 1: The compromised SaaS account making anomalous login attempts from an unusual IP address in the US, followed by the creation of a new email rule from another VPN IP in Canada.

Just one minute later, Darktrace observed the attacker sending a large number of phishing emails to both internal and external recipients.

Figure 2: The compromised SaaS user account sending a high volume of outbound emails to new recipients or containing suspicious content.

Darktrace / EMAIL detected a significant spike in inbound emails for the compromised account, likely indicating replies to phishing emails.

Figure 3: The figure demonstrates the spike in inbound emails detected for the compromised account, including phishing-related replies.

Furthermore, Darktrace identified that these phishing emails contained a malicious DocSend link. While docsend[.]com is generally recognized as a legitimate file-sharing service belonging to Dropbox, it can be vulnerable to exploitation for hosting malicious content. In this instance, the DocSend domain in question, ‘hxxps://docsend[.]com/view/h9t85su8njxtugmq’, was flagged as malicious by various OSINT vendors [3][4].

Figure 4: Phishing emails detected containing a malicious DocSend link.

In this case, Darktrace Autonomous Response was not in active mode in the customer’s environment, which allowed the compromise to escalate until their security team intervened based on Darktrace’s alerts. Had Autonomous Response been enabled during the incident, it could have quickly mitigated the threat by disabling users and inbox rules, as suggested by Darktrace as actions that could be manually applied, exhibiting unusual behavior within the customer’s SaaS environment.

Figure 5: Suggested Autonomous Response actions for this incident that required human confirmation.

Despite this, Darktrace’s Managed Threat Detection service promptly alerted the Security Operations Center (SOC) team about the compromise, allowing them to conduct a thorough investigation and inform the customer before any further damage could take place.

Conclusion

This incident highlights the role of Darktrace in enhancing cyber security through its advanced AI capabilities. By detecting the initial phishing email and tracking the threat actor's actions across the SaaS environment, Darktrace effectively identified the threat and brought it to the attention of the customer’s security team.

Darktrace’s proactive monitoring was crucial in recognizing the unusual behavior of the compromised account. Darktrace / IDENTITY detected unauthorized access attempts from rare IP addresses, revealing the attacker’s use of a VPN to hide their location.

Correlating these anomalies allowed Darktrace to prompt immediate investigation, showcasing its ability to identify malicious activities that traditional security tools might miss. By leveraging AI-driven insights, organizations can strengthen their defense posture and prevent further exploitation of compromised accounts.

Credit to Priya Thapa (Cyber Analyst), Ben Atkins (Senior Model Developer) and Ryan Traill (Analyst Content Lead)

Appendices

Real-time Detection Models

  • SaaS / Compromise / Unusual Login and New Email Rule
  • SaaS / Compromise / High Priority New Email Rule
  • SaaS / Compromise / New Email Rule and Unusual Email Activity
  • SaaS / Compromise / Unusual Login and Outbound Email Spam
  • SaaS / Compliance / Anomalous New Email Rule
  • SaaS / Compromise / Suspicious Login and Suspicious Outbound Email(s)
  • SaaS / Email Nexus / Possible Outbound Email Spam

Autonomous Response Models

  • Antigena / SaaS / Antigena Email Rule Block
  • Antigena / SaaS / Antigena Enhanced Monitoring from SaaS User Block
  • Antigena / SaaS / Antigena Suspicious SaaS Activity Block

MITRE ATT&CK Mapping

Technique Name Tactic ID Sub-Technique of

  • Cloud Accounts. DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS T1078.004 T1078
  • Compromise Accounts RESOURCE DEVELOPMENT T1586
  • Email Accounts RESOURCE DEVELOPMENT T1586.002 T1586
  • Internal Spearphishing LATERAL MOVEMENT T1534 -
  • Outlook Rules PERSISTENCE T1137.005 T1137
  • Phishing INITIAL ACCESS T1566 -

Indicators of Compromise (IoCs)

IoC – Type – Description

5.62.57[.]7 – Unusual Login Source

95.142.124[.]42– IP – Unusual Source for Email Rule

hxxps://docsend[.]com/view/h9t85su8njxtugmq - Domain - Phishing Link

References

[1] https://wing.security/wp-content/uploads/2024/02/2024-State-of-SaaS-Report-Wing-Security.pdf

[2] https://www.virustotal.com/gui/ip-address/95.142.124.42

[3] https://urlscan.io/result/0caf3eee-9275-4cda-a28f-6d3c6c3c1039/

[4] https://www.virustotal.com/gui/url/8631f8004ee000b3f74461e5060e6972759c8d38ea8c359d85da9014101daddb

Continue reading
About the author
Priya Thapa
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI