Mimikatz is a very powerful post-exploitation tool on its own, allowing attackers to harvest credentials and move laterally through a compromised organization. However, there are also several limitations to what Mimikatz can do by itself:
- If you have compromised a machine but do not have Administrator rights, you can’t access any credentials
- If PowerShell protections are enabled, Mimikatz can be easily prevented
- Stealing credentials and figuring out where they work can be a long and arduous process
This is why other toolkits have been created that leverage Mimikatz as a component of a post-exploitation framework. Empire is one such toolkit attackers can use to more efficiently compromise your credentials and bypass traditional security controls.
What is Empire?
Empire uses PowerShell agents that can be deployed to compromised machines to execute attacks ranging from privilege escalation, credential theft and lateral movement (using Mimikatz), and persistence. It also provides several ways to bypass traditional security controls. Empire runs on Linux and communicates with the deployed agents in several ways, such as over HTTP. I don’t cover the full installation process of Empire in this post, but a great tutorial can be found here. Let’s take a closer look at some of the benefits to using Empire.
Empire gives you a really simple interface to manage and interact with dozens of agents. To create a new agent, all you have to do is run a batch file on a compromised machine, which will connect to Empire over the predetermined listener (e.g. http). Empire lets you monitor where you have agents and how those agents are configured. From there you just need to choose which agent to interact with and what commands to issue. It is all done remotely and using http with a configurable port, so it is easy to do and hard to prevent.
Empire also makes it very easy to steal and use credentials across all of the agents. This part uses Mimikatz, and gives you a couple of ways to steal the credentials. By executing the Mimikatz command, Empire will dump all passwords and password hashes from memory. Also, Empire supports DCSync to steal credentials from domains by impersonating a domain controller and asking for replication of password data.
You can see by executing the Mimikatz command in Empire, it will issue the sekurlsa::logonpasswords command on the agent.
Also, you can easily issue the DCSync command to get credentials not stored on the compromised machine, such as the krbtgt account.
My favorite part is that all the credentials come back packaged up nice and neat in a table so you can easily see what you’ve collected using the creds command:
This includes clear text passwords and NTLM hashes.
From there, you can also easily perform a pass-the-hash attack using the pth command and the CredID you are interested in:
Limiting who has Administrator rights to a system is the best way to keep attackers from stealing credentials. Without admin rights, Mimikatz won’t work. However, there are several ways to go from regular user to admin using privilege escalation techniques. Empire packages several privilege escalation modules including:
- BypassUAC – Basically gives the attacker a way to do “Run as Administrator” on their process
- PowerUp – Checks for several exploitable vulnerabilities on Windows that can escalate privileges to administrator. This is available as part of PowerSploit.
- GPP – Looks for clear text passwords stored in Group Policy Preferences that can be stolen and used to elevate privileges.
By running the module “powerup/allchecks” within Empire, it will scan the compromised systems for any and all vulnerabilities that can be exploited. Running this against my environment found a DLL hijacking scenario, which I can use to go from a regular user to an Administrator. And, if you couldn’t have guessed it, Empire can automate the exploitation of that vulnerability as well using the “powerup/write_dllhijacker” command.
Empire also provides ways to avoid detection while performing these attacks such as process injection. This will be covered in more detail in later posts in this series.
Automating Domain Compromise with DeathStar
Empire takes Mimikatz and packages it with other post-exploitation attacks to make it easier, more powerful, and harder to detect. DeathStar is another tool developed on top of Empire that provides automation of domain compromise. Installing DeathStar gives you a custom “listener” in Empire which is a modified http listener. Once you build and deploy an agent with this listener, it will connect to DeathStar and begin to automatically map out an attack path using the same approaches that BloodHound uses. Then, it will actually perform the credential theft and lateral movement until it compromises a Domain Admin account.
DeathStar will use the modules of Empire to perform recon, lateral movement, and domain compromise without the attacker having to do anything but sit back and wait.
Here is DeathStar in action.
In the next post, we will be looking at CrackMapExec, another tool by the author of DeathStar.
This is the first installment in our blog series, How Attackers Are Stealing Your Credentials with Mimikatz. Sign up to receive notifications when each new blog is posted, or check back every Tuesday for the latest edition.
Post #1 – Empire & DeathStar Read Now
Post #2 – CrackMapExec Read Now
Post #3 – Ways to Detect and Mitigate These Attacks Read Now
Post #4 – How Attackers Are Bypassing These Protections Sign up to be Notified
To register for the webinar on How Attackers Are Stealing Your Credentials with Mimikatz, please click here.