How Our SOC Team Prevented A Malicious Mimikatz Attack At 2:47 AM

At 2:47 am CST on a Sunday, a critical alert was generated by SpearTip's ShadowSpear Platform. The response team in the 24/7/365 Security Operations Center (SOC) began investigating what at first appeared to be a Red Team exercise simply testing the environment. After a brief investigation it became clear that the activity was malicious and out of the ordinary: a threat actor was leveraging Mimikatz in an attempt to do damage to our partner's environment.

What is Mimikatz?

Mimikatz is an open-source software tool that enables users to extract and store authentication credentials. It was developed and released by an ethical hacker for legitimate purposes but, like many toolsets, has been co-opted by threat actors for malicious ends. It has become a preferred tool for threat actors because, in most instances, it evades detection and removal by standard endpoint protection software. Mimikatz also has the uncanny ability to appear innocent, since ethical penetration testers use it to identify and exploit network weaknesses so that teams can address and remediate them.

Because Mimikatz can harvest credentials and steal passwords, it allows threat actors to move laterally more easily within an environment, particularly if they have been performing reconnaissance for some time. With these enhanced capabilities, threat actors have advanced access to endpoints, networks, and business-critical data, including intellectual property and personally identifiable information.

Given the Swiss-Army-knife range of uses this ubiquitous software has, legacy AV and detection and response tools can find it difficult to efficiently intercept threat actors leveraging Mimikatz in an environment.

How Our SOC Responded

Once Mimikatz was detected, the SOC team read the logs to identify the file path, user, and host involved. With that information in hand, they reviewed the SIEM for accounts that had been created or modified, passwords that had been changed, and privilege changes on existing users. Through this review, the SOC quickly confirmed that the suspicious activity was a critical event, not a false positive.

The ShadowSpear Platform blocked Mimikatz from running successfully, but the file remained on the host. The team then manually disabled the compromised local admin account to deactivate Mimikatz. The SOC team isolated the host, removed the temporary folder created by the threat actor, disabled the compromised user account, and changed the account's password. The team then alerted the partner to our remediation steps, recommended changing any admin accounts on the machine, and shared the alert with the on-call team to expand internal awareness of the threat.
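As an added illustration of the triage steps just described (this is example code, not code from SpearTip or the ShadowSpear Platform), the following Python correlates a process-creation record for the tool with follow-on account changes on the same host. The event records, host names and account names are constructed; the one-hour window and the "mimikatz" path marker are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified SIEM-normalised shape (not logs from
# the incident above). Event IDs are the standard Windows Security log IDs.
SAMPLE_EVENTS = [
    {"time": "2023-01-01T02:47:10", "id": 4688, "host": "WS-042", "user": "svc_backup",
     "path": r"C:\Users\svc_backup\AppData\Local\Temp\mk\mimikatz.exe"},
    {"time": "2023-01-01T02:48:05", "id": 4720, "host": "WS-042", "user": "svc_backup",
     "target": "helpdesk2"},
    {"time": "2023-01-01T02:48:30", "id": 4732, "host": "WS-042", "user": "svc_backup",
     "target": "helpdesk2", "group": "Administrators"},
    # Unrelated host: must not be attributed to this alert
    {"time": "2023-01-01T03:10:00", "id": 4724, "host": "WS-017", "user": "admin",
     "target": "jdoe"},
]

ACCOUNT_CHANGE_IDS = {4720: "account created", 4724: "password reset",
                      4738: "account changed", 4732: "member added to local group"}
TOOL_MARKERS = ("mimikatz",)  # assumed marker; tune to your own telemetry

def find_tool_executions(events):
    """Step 1: from process-creation events (4688) pull file path, user and host."""
    return [e for e in events if e["id"] == 4688
            and any(m in e.get("path", "").lower() for m in TOOL_MARKERS)]

def account_changes_after(events, execution, window_minutes=60):
    """Step 2: account create/modify/password/group-membership events on the
    same host within a window after the tool ran."""
    start = datetime.fromisoformat(execution["time"])
    end = start + timedelta(minutes=window_minutes)
    return [e for e in events if e["id"] in ACCOUNT_CHANGE_IDS
            and e["host"] == execution["host"]
            and start <= datetime.fromisoformat(e["time"]) <= end]

def triage(events, window_minutes=60):
    """One finding per tool execution: 'critical' when follow-on account changes
    are seen on that host (the true-positive test used above), else 'review'."""
    findings = []
    for ex in find_tool_executions(events):
        changes = account_changes_after(events, ex, window_minutes)
        findings.append({
            "host": ex["host"], "user": ex["user"], "path": ex["path"],
            "changes": [(c["id"], ACCOUNT_CHANGE_IDS[c["id"]], c.get("target"))
                        for c in changes],
            "severity": "critical" if changes else "review",
        })
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```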

Our partner was able to continue operations as usual, as if nothing had happened, with no significant consequences.

Recommendations to Defend Against Mimikatz

Beyond partnering with a 24/7 cybersecurity team to actively monitor your business environment, several steps can be taken to defend against Mimikatz. The first is limiting admin privileges to the few authorized users who need them; this limits what a threat actor leveraging the software can do. A second recommendation is to disable password caching, which allows remote workstations to store credentials in memory on local devices. Mimikatz can access that information, but only if password caching is enabled. An additional best practice is to enable and require multi-factor authentication for all accounts and devices that can access critical and sensitive information.

With new and challenging threats targeting companies with legitimate tools, companies must remain vigilant about the current threat landscape and maintain security best practices to better secure their digital environment. At SpearTip, we engage in hundreds of responses to ransomware events annually, helping our partners through the technical aspects of the response. Our certified engineers are continuously working 24/7/365 at our Security Operations Center, monitoring companies' networks for potential malware and ready to respond to incidents immediately. Our remediation experts focus on restoring companies' operations, isolating malware to reclaim their networks, and recovering business-critical assets. There is no better tool than our ShadowSpear Platform's autonomous response capabilities powered by the team of experts in our SOC.

Troy Acord

Pit Floor Supervisor Beau Rivage Casino and Resort

1 year

Interesting..
