Automating Mimikatz with Empire and DeathStar

Automating Mimikatz

Mimikatz is a very powerful post-exploitation tool on its own, allowing attackers to harvest credentials and move laterally through a compromised organization. However, there are also several limitations to what Mimikatz can do by itself:

  • If you have compromised a machine but do not have Administrator rights, you can’t access any credentials
  • If PowerShell protections are enabled, Mimikatz can be easily prevented
  • Stealing credentials and figuring out where they work can be a long and arduous process

This is why other toolkits have been created that leverage Mimikatz as a component of a post-exploitation framework. Empire is one such toolkit attackers can use to more efficiently compromise your credentials and bypass traditional security controls.

What is Empire?

Empire uses PowerShell agents that can be deployed to compromised machines to execute attacks ranging from privilege escalation to credential theft and lateral movement (using Mimikatz) to persistence. It also provides several ways to bypass traditional security controls. Empire runs on Linux and communicates with the deployed agents in several ways, such as over HTTP. I don’t cover the full installation process of Empire in this post, but a great tutorial can be found here. Let’s take a closer look at some of the benefits of using Empire.

Agent Management

Empire gives you a really simple interface to manage and interact with dozens of agents. To create a new agent, all you have to do is run a batch file on a compromised machine, which will connect back to Empire over the predetermined listener (e.g. http). Empire lets you monitor where you have agents and how those agents are configured. From there you just need to choose which agent to interact with and what commands to issue. It is all done remotely over http on a configurable port, so it is easy to do and hard to prevent.

Screenshot: Empire manages agents on compromised machines by issuing commands remotely over http on a configurable port

Credentials

Empire also makes it very easy to steal and use credentials across all of the agents. This part uses Mimikatz, and gives you a couple of ways to steal the credentials. By executing the Mimikatz command, Empire will dump all passwords and password hashes from memory. Also, Empire supports DCSync to steal credentials from domains by impersonating a domain controller and asking for replication of password data.

Executing the Mimikatz command in Empire issues the sekurlsa::logonpasswords command on the agent.

Screenshot: The Mimikatz command within Empire, stealing credentials from the servers running Empire agents

You can also easily issue the DCSync command to get credentials that are not stored on the compromised machine, such as the krbtgt account.

Screenshot: Issuing the DCSync command (lsadump::dcsync) with Mimikatz in Empire to get credentials not stored on the compromised machine, such as the krbtgt account

My favorite part is that all the credentials come back packaged up in a neat table, so you can easily see what you’ve collected using the creds command:

Screenshot: Credentials collected by DCSync and by logonpasswords on an agent, listed with the creds command

This includes clear text passwords and NTLM hashes.

From there, you can also easily perform a pass-the-hash attack using the pth command and the CredID you are interested in:

Screenshot: Performing a pass-the-hash attack with the pth command (sekurlsa::pth) via the Mimikatz command in Empire
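From the defender’s side, the DCSync request above leaves a trace. Replicating password data requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights on the domain, and with “Audit Directory Service Access” enabled and a SACL on the domain object, each request is logged as Security Event 4662 naming those rights by GUID. The following is an added example (not code from this post, nor from the Empire, Mimikatz or DeathStar projects) that flags replication requests from any account not on an allow list of domain controllers; the account names, the allow list and the event records are constructed.

```python
"""Detection example (added here; not code from the original post or from the
Empire, Mimikatz or DeathStar projects): flag DCSync-style replication requests
in Windows Security Event 4662 records.
"""
import re
from dataclasses import dataclass

# Control-access-right GUIDs as defined in the AD schema (rightsGuid values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
}

# Accounts that legitimately replicate.  Constructed allow list: in practice
# this is every domain controller computer account plus known sync services.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "svc_aadconnect"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


@dataclass
class Event4662:
    """The subset of a 4662 record this check needs."""
    subject_user: str
    subject_domain: str
    properties: str  # raw Properties field, e.g. "{guid} {guid}"


def replication_rights_requested(ev: Event4662) -> list[str]:
    """Return the names of replication rights present in the event's Properties."""
    guids = {g.lower() for g in GUID_RE.findall(ev.properties)}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def find_dcsync_candidates(events: list[Event4662]) -> list[tuple[str, list[str]]]:
    """Return (account, rights) for every replication request from an unexpected account."""
    findings = []
    for ev in events:
        rights = replication_rights_requested(ev)
        if rights and ev.subject_user not in EXPECTED_REPLICATORS:
            findings.append((f"{ev.subject_domain}\\{ev.subject_user}", rights))
    return findings


# Constructed sample records: one normal DC-to-DC replication, one ordinary
# user touching an unrelated (placeholder) object GUID, and one user account
# requesting replication of all attributes.
SAMPLE_EVENTS = [
    Event4662("DC02$", "CORP",
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("jdoe", "CORP", "{00000000-0000-0000-0000-00000000beef}"),
    Event4662("jdoe", "CORP", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
]

if __name__ == "__main__":
    for account, rights in find_dcsync_candidates(SAMPLE_EVENTS):
        print(f"ALERT possible DCSync: {account} requested {', '.join(rights)}")
```

Only domain controller computer accounts and a few known synchronisation services should ever appear with those GUIDs, so the allow list stays short and the check is high-signal. It sees nothing, though, until the 4662 auditing is actually switched on, which is not the default.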

Privilege Escalation

Limiting who has Administrator rights to a system is the best way to keep attackers from stealing credentials. Without admin rights, Mimikatz won’t work. However, there are several ways to go from regular user to admin using privilege escalation techniques. Empire packages several privilege escalation modules including:

  • BypassUAC – Basically gives the attacker a way to do “Run as Administrator” on their process
  • PowerUp – Checks for several exploitable vulnerabilities on Windows that can escalate privileges to administrator. This is available as part of PowerSploit.
  • GPP – Looks for clear text passwords stored in Group Policy Preferences that can be stolen and used to elevate privileges.

Running the “powerup/allchecks” module within Empire scans the compromised system for any and all vulnerabilities that can be exploited. Running it against my environment found a DLL hijacking scenario, which I can use to go from a regular user to an Administrator. And, as you might have guessed, Empire can automate the exploitation of that vulnerability as well, using the “powerup/write_dllhijacker” module.

Screenshot: Running privesc/powerup/allchecks (from PowerSploit) in Empire to scan compromised systems, and automating exploitation with powerup/write_dllhijacker
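The GPP check in that list has a defensive counterpart. Group Policy Preferences could store account passwords in SYSVOL as a cpassword attribute, AES-encrypted with a key that Microsoft itself published; MS14-025 removed the ability to set new ones but left existing XML in place, which is exactly what PowerUp finds. The following added example (not code from this post, nor from Empire or PowerSploit) walks preference XML and reports every element that still carries a non-empty cpassword, without decrypting anything. The share path, policy GUIDs, account names and cpassword values are constructed placeholders.

```python
"""Audit example (added here; not code from the original post, nor from the
Empire or PowerSploit projects): report Group Policy Preferences XML in SYSVOL
that still carries a cpassword attribute.  It only locates the attribute; it
does not decrypt anything.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Finding:
    path: str       # preference file that still carries the attribute
    element: str    # XML element the attribute sits on
    account: str    # account the stored password belongs to, if the file says


# Attributes the different preference types use to name the account.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")


def audit_gpp_xml(path: str, xml_text: str) -> list[Finding]:
    """Return one Finding per element with a non-empty cpassword attribute."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []          # not XML we can read; report nothing for this file
    findings = []
    for elem in root.iter():
        if elem.get("cpassword"):          # attribute present and not cleared
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
            findings.append(Finding(path, elem.tag, account))
    return findings


def audit_files(files: dict[str, str]) -> list[Finding]:
    """Audit an in-memory {path: xml_text} map (used by the constructed sample below)."""
    findings = []
    for path, text in files.items():
        if path.lower().endswith(".xml"):
            findings.extend(audit_gpp_xml(path, text))
    return findings


def audit_sysvol(policies_root: str) -> list[Finding]:
    """Walk a real Policies directory (e.g. a mounted SYSVOL share) and audit
    every XML file that sits below a Preferences folder."""
    files = {}
    for dirpath, _, names in os.walk(policies_root):
        if "Preferences" not in dirpath.split(os.sep):
            continue
        for name in names:
            if name.lower().endswith(".xml"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig", errors="replace") as fh:
                    files[full] = fh.read()
    return audit_files(files)


# Constructed SYSVOL content.  The GUIDs, accounts and cpassword values are
# placeholders, not real policy objects or real ciphertext.
SAMPLE_SYSVOL = {
    r"\\corp.example\SYSVOL\corp.example\Policies\{CONSTRUCTED-GUID-1}\Machine\Preferences\Groups\Groups.xml":
        '<Groups><User name="LocalAdmin">'
        '<Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED_NOT_REAL"/>'
        '</User></Groups>',
    r"\\corp.example\SYSVOL\corp.example\Policies\{CONSTRUCTED-GUID-2}\Machine\Preferences\Groups\Groups.xml":
        '<Groups><User name="Helpdesk">'
        '<Properties action="U" userName="Helpdesk" cpassword=""/>'   # cleared: no finding
        '</User></Groups>',
    r"\\corp.example\SYSVOL\corp.example\Policies\{CONSTRUCTED-GUID-3}\Machine\Preferences\Services\Services.xml":
        '<NTServices><NTService name="Backup">'
        '<Properties startupType="AUTO" accountName="svc_backup" cpassword="CONSTRUCTED_NOT_REAL"/>'
        '</NTService></NTServices>',
}

if __name__ == "__main__":
    for f in audit_files(SAMPLE_SYSVOL):
        print(f"cpassword still present for {f.account} in {f.path}")
```

Every hit is a policy to delete or recreate, and the account it names should have its password rotated, since anyone who could read SYSVOL could have recovered it.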

Avoiding Detection

Empire also provides ways to avoid detection while performing these attacks such as process injection. This will be covered in more detail in later posts in this series.

Automating Domain Compromise with DeathStar

Empire takes Mimikatz and packages it with other post-exploitation attacks to make it easier, more powerful, and harder to detect. DeathStar is another tool developed on top of Empire that provides automation of domain compromise. Installing DeathStar gives you a custom “listener” in Empire which is a modified http listener. Once you build and deploy an agent with this listener, it will connect to DeathStar and begin to automatically map out an attack path using the same approaches that BloodHound uses. Then, it will actually perform the credential theft and lateral movement until it compromises a Domain Admin account.

DeathStar will use the modules of Empire to perform recon, lateral movement, and domain compromise without the attacker having to do anything but sit back and wait.

Here is DeathStar in action.

Screenshot: DeathStar, built on top of Empire, automating domain compromise by mapping out an attack path using the same approaches as BloodHound
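What DeathStar automates also produces a recognisable pattern: one account authenticating to many distinct hosts within minutes. The following added example (not code from this post, nor from the DeathStar or Empire projects) looks for that fan-out in successful network logons (Event 4624, logon type 3). Those events are written on the host that accepted the logon, so they must be collected centrally first; the log lines, host names, account names, window and threshold are all constructed.

```python
"""Detection example (added here; not code from the original post or from the
DeathStar or Empire projects): flag accounts that authenticate to unusually many
distinct hosts inside a short window, the fan-out automated lateral movement
produces.  The input is a constructed one-event-per-line summary, not a native
Windows log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back applied at each logon
HOST_THRESHOLD = 5               # distinct hosts in WINDOW that triggers an alert


def parse_line(line: str) -> dict:
    """'<iso-time> <event-id> key=value ...' -> dict with parsed time and event_id."""
    ts, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"time": datetime.fromisoformat(ts), "event_id": int(event_id), **fields}


def find_fanout(lines, window=WINDOW, threshold=HOST_THRESHOLD) -> dict[str, int]:
    """Return {account: peak distinct-host count} for accounts that exceed the threshold."""
    logons = defaultdict(list)   # account -> [(time, host), ...]
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        # Only successful network logons (type 3) count as host-to-host movement.
        if ev["event_id"] == 4624 and ev.get("type") == "3":
            logons[ev["user"]].append((ev["time"], ev["host"]))

    alerts = {}
    for user, hits in logons.items():
        hits.sort()
        for i, (t, _) in enumerate(hits):
            # distinct hosts this account reached in the window ending at t
            recent = {h for (t2, h) in hits[: i + 1] if t - t2 <= window}
            if len(recent) >= threshold:
                alerts[user] = max(alerts.get(user, 0), len(recent))
    return alerts


# Constructed sample: alice fans out to six hosts in three minutes, bob touches
# two hosts, and a scanner account reaches five hosts spread over two hours.
SAMPLE_LOG = """\
2024-05-01T09:55:00 4624 type=2 user=alice host=WS01 src=-
2024-05-01T10:00:01 4624 type=3 user=alice host=WS02 src=10.0.0.5
2024-05-01T10:00:30 4624 type=3 user=alice host=WS03 src=10.0.0.5
2024-05-01T10:01:02 4624 type=3 user=alice host=WS04 src=10.0.0.5
2024-05-01T10:01:40 4624 type=3 user=alice host=FS01 src=10.0.0.5
2024-05-01T10:02:15 4624 type=3 user=alice host=SQL01 src=10.0.0.5
2024-05-01T10:02:50 4624 type=3 user=alice host=WS07 src=10.0.0.5
2024-05-01T10:05:00 4624 type=3 user=bob host=FS01 src=10.0.0.9
2024-05-01T10:06:00 4624 type=3 user=bob host=WS02 src=10.0.0.9
2024-05-01T08:00:00 4624 type=3 user=svc_scan host=WS02 src=10.0.0.20
2024-05-01T08:30:00 4624 type=3 user=svc_scan host=WS03 src=10.0.0.20
2024-05-01T09:00:00 4624 type=3 user=svc_scan host=WS04 src=10.0.0.20
2024-05-01T09:30:00 4624 type=3 user=svc_scan host=FS01 src=10.0.0.20
2024-05-01T10:00:00 4624 type=3 user=svc_scan host=SQL01 src=10.0.0.20
"""

if __name__ == "__main__":
    for user, n in find_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user}: {n} distinct hosts within {WINDOW}")
```

Legitimate scanners and backup accounts fan out too, so a real deployment pairs the threshold with an allow list; the svc_scan account in the sample shows why the time window matters, reaching five hosts over two hours without tripping the check.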

In the next post, we will be looking at CrackMapExec, another tool by the author of DeathStar.

Post #2 – Lateral Movement with CrackMapExec
Post #3 – Ways to Detect and Mitigate These Attacks
Post #4 – How Attackers Are Bypassing These Protections

To watch the Mimikatz Attacks webinar, please click here.
