
Mitigating Mimikatz (or something like it)

JBT

Lifer
What are you all doing to mitigate the tool mimikatz or something like it? (Let's face it, AV might pick it up, but something else could easily be built and redeployed.)

Mimikatz is able to pull clear text passwords from Windows XP-Windows 8 (and server) for interactively logged on users.

The "fix" is to remove SSPs from the CredSSP list like Msv, tspkg, wdigest, Kerberos, and LiveSSP. Some are removable, but Kerberos for example isn't in a Domain environment.

To mitigate this, obviously limit interactive logins to servers and clients, but if there is a service account running there isn't much you can do other than limit the service account's access and make sure Administrative users log off the system. So other than forcing a log off on idle sessions, what can we do? Ideas?
 
If you're trying to prevent employees from dumping credentials using Mimikatz, then forcing them to use non-administrator accounts would also prevent Mimikatz from working. I believe Mimikatz requires the SeDebugPrivilege, so for it to work it needs to be run as administrator or another user with escalated privileges.

If you're trying to prevent an attacker that has already successfully escalated to admin privileges on one of your boxes, then you're already owned, and you're going to have a hard time mitigating that kind of threat. Application Whitelisting might help, but a user with admin privs might be able to circumvent it. Not to mention that App Whitelisting is a pain in the ass and requires a significant amount of resources (people, time, money). (edit: I'm not dissing App Whitelisting. From a purely security perspective, I think it's an excellent solution. But many businesses can't devote the resources to it that it requires.)
 
Debug privilege is not enough; all SYSTEM processes can do the same without this privilege.
If an attacker compromises a service, or elevates to SYSTEM, they can access passwords without Debug privilege.

At this time, to "protect" yourself, you can use a SmartCard for login, or use Windows 8.1.
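As an added example (not code from this thread or from the mimikatz project), the PowerShell script below audits, on a single host, the points the posts above raise: which SSPs the LSA `Security Packages` value lists (wdigest and tspkg being the ones the first post considers removable), whether WDigest is keeping a reversible copy of logon passwords in LSASS (the behaviour Windows 8.1 turned off by default and KB2871997 made configurable on older builds), who holds SeDebugPrivilege, and which interactive sessions currently have their secrets loaded. The registry paths, the `UseLogonCredential` value, the KB number and the WMI classes are real Windows identifiers; the function names and report layout are assumptions of this example. It is read-only and changes nothing.

```powershell
# Added example, not from the thread: read-only audit of the mitigations discussed above.
# Run in an elevated PowerShell prompt on the host being checked.

$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
# SSPs the thread calls out as removable on a domain member (Kerberos and Msv must stay)
$Removable  = @('wdigest', 'tspkg')

function Get-LsaSecurityPackages {
    # REG_MULTI_SZ of SSPs LSA loads at boot. An empty value means LSA falls back to its
    # built-in defaults, so an empty list does not prove wdigest/tspkg are absent.
    $v = (Get-ItemProperty -Path $LsaKey -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
    @($v | Where-Object { $_ -ne '' })
}

function Test-WDigestCleartext {
    # UseLogonCredential = 1 keeps a reversible copy of the logon password in LSASS.
    # Windows 8.1 / Server 2012 R2 (NT 6.3) default to 0; older builds need KB2871997
    # installed and the value explicitly set to 0.
    $v  = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $os = [Version](Get-CimInstance Win32_OperatingSystem).Version
    if ($null -eq $v) {
        # value absent: the OS default applies; pre-8.1 that default is "cache cleartext"
        return ($os -lt [Version]'6.3')
    }
    return ($v -ne 0)
}

function Get-SeDebugPrivilegeHolders {
    # secedit exports user-rights assignments as INI text; SIDs are prefixed with '*'
    $tmp = Join-Path $env:TEMP 'urights-audit.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Get-Content $tmp | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # unresolvable SID: report it raw
    }
}

function Get-InteractiveSessions {
    # LogonType 2 = local interactive, 10 = RDP: the sessions whose credentials sit in LSASS
    Get-CimInstance Win32_LogonSession | Where-Object { $_.LogonType -in 2, 10 } | ForEach-Object {
        $acct = Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_Account
        [pscustomobject]@{
            User      = ($acct | ForEach-Object { "$($_.Domain)\$($_.Name)" }) -join ','
            LogonType = $_.LogonType
            Since     = $_.StartTime
        }
    }
}

# --- report ---
$pkgs = Get-LsaSecurityPackages
"Security Packages value: $(if ($pkgs) { $pkgs -join ', ' } else { '<empty, built-in defaults>' })"
foreach ($p in $pkgs) {
    if ($Removable -contains $p.ToLower()) { "  [!] $p is listed; the thread suggests removing it where nothing depends on it" }
}
if (Test-WDigestCleartext) { "[!] WDigest is (or defaults to) caching cleartext logon credentials" }
else                       { "[ok] WDigest cleartext caching is off" }
"SeDebugPrivilege holders: $((Get-SeDebugPrivilegeHolders) -join '; ')"
"Interactive sessions currently holding credentials in LSASS:"
Get-InteractiveSessions | Format-Table -AutoSize
```

The SeDebugPrivilege check is deliberately separate from the session list: as the last reply points out, a SYSTEM-level process reads LSASS without that privilege, so the privilege audit only covers the case the second reply describes (an ordinary user running the tool), while the session list shows which accounts' secrets would be exposed to anyone who already holds SYSTEM on the box.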
 