Attackers and their malware increasingly rely on a handful of common tools such as Mimikatz, PsExec, and WMI to spread through a network and do damage. Some of these tools are very common and hard to blacklist in a network, and they likewise make use of protocols such as NTLM and RPC, which have historically been difficult to control inside most enterprises. Preempt has delivered industry-first functionality that allows organizations to directly analyze these protocols and to detect and challenge abnormal behavior. This allows organizations to control some of the most persistent areas of risk in the network while simultaneously robbing attackers of their favorite tools.
Analyzing Attack Trends
Last year’s Petya/NotPetya outbreak put the world of IT security on edge, as the malware was able to spread from machine to machine and either hold a victim’s data for ransom or simply destroy it. Upon analysis, researchers found that Petya exhibited an increasingly common trait for malware: after the initial infection it would use a combination of Mimikatz, PsExec, and WMI to steal credentials and spread through the network.
While Petya was the most high-profile example, it was hardly unique. Mimikatz and PsExec have been associated with everything from PoS malware to webshells. Analysts from Trend Micro described this trend of malware using built-in system tools as “living off the land” and found that 10 out of 10 targeted attack groups used a similar combination of tools to steal credentials and spread.
From the attacker’s perspective these tools have a lot of advantages. First, they are common tools that use common protocols, making them hard to blacklist or deny. For example, PsExec, WMI, and PowerShell are commonly used by administrators to support devices over the network using RPC. Attackers use these same tools to take control of devices, but they can do so without worrying about AV flagging their code as malware. Mimikatz, on the other hand, takes advantage of the long-standing support and backward compatibility for NTLM to perform Pass-the-Hash and Golden Ticket attacks to spread through the network.
Control for the Underbelly of the Network
Neither NTLM nor RPC is particularly well-controlled inside most enterprises today. Managing NTLM is tricky for several reasons. First, it can be difficult for an organization to even know for sure where NTLM is being used. As mentioned above, NTLM is often supported for backward-compatibility reasons, and organizations will often continue to allow NTLM for fear of breaking older infrastructure such as a file share or printer.
However, the problem really isn’t with the devices. Many protocols can be downgraded to support NTLM. In fact, the Windows Authentication API (SSPI) allows any Windows authentication session to be downgraded to NTLM. Worse still, NTLM is hard to manage directly because the session traffic is encrypted. This means most organizations have been limited to monitoring NTLM via log files, which typically lack important information such as the source host’s IP address.
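The two problems just described, not knowing where NTLM is still used and logon records that omit the source address, can at least be measured from the logs an organization already has. The following Python script is an added example, not Preempt's code or any tooling the article describes; it parses constructed fragments of Windows Security event 4624 messages (the field labels follow the 4624 layout; the accounts, hosts and addresses are invented) and builds an inventory of NTLM logons, flagging NTLMv1 use and records where the source network address was not logged.

```python
import re
from collections import Counter

# Constructed sample: fragments of Windows Security event 4624 messages
# in the format the Event Viewer renders them. Not logs from any real
# environment; hosts and accounts are invented for this example.
SAMPLE_EVENTS = """\
EventID: 4624
Logon Type: 3
Account Name: alice
Account Domain: CORP
Workstation Name: WS-ALICE
Source Network Address: 10.0.5.21
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
---
EventID: 4624
Logon Type: 3
Account Name: svc-backup
Account Domain: CORP
Workstation Name: FILESRV01
Source Network Address: -
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
---
EventID: 4624
Logon Type: 3
Account Name: bob
Account Domain: CORP
Workstation Name: WS-BOB
Source Network Address: 10.0.5.30
Authentication Package: Kerberos
Package Name (NTLM only): -
---
EventID: 4624
Logon Type: 3
Account Name: PRINTER01$
Account Domain: CORP
Workstation Name: PRINTER01
Source Network Address: -
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
"""

# One "Label: value" pair per line; labels may contain spaces and parentheses.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Split rendered event text on '---' and return one dict per event."""
    events = []
    for chunk in text.split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            match = FIELD_RE.match(line)
            if match:
                fields[match.group(1)] = match.group(2)
        if fields:
            events.append(fields)
    return events


def ntlm_inventory(events):
    """Summarise NTLM logons: who, from which workstation, and what is missing."""
    summary = {
        "ntlm_events": 0,
        "ntlmv1_events": 0,
        "missing_source_ip": 0,
        "by_account": Counter(),
        "by_workstation": Counter(),
        "findings": [],
    }
    for ev in events:
        # Only successful logons that negotiated NTLM are of interest here.
        if ev.get("EventID") != "4624" or ev.get("Authentication Package") != "NTLM":
            continue
        account = ev.get("Account Domain", "?") + "\\" + ev.get("Account Name", "?")
        workstation = ev.get("Workstation Name") or "-"
        source_ip = ev.get("Source Network Address") or "-"
        summary["ntlm_events"] += 1
        summary["by_account"][account] += 1
        summary["by_workstation"][workstation] += 1
        # NTLMv1 is the weakest variant and the first candidate for removal.
        if ev.get("Package Name (NTLM only)") == "NTLM V1":
            summary["ntlmv1_events"] += 1
            summary["findings"].append(f"NTLMv1 used by {account} from {workstation}")
        # A '-' source address is exactly the gap the article describes: the
        # log tells you an NTLM logon happened but not which host it came from.
        if source_ip == "-":
            summary["missing_source_ip"] += 1
            summary["findings"].append(
                f"no source IP logged for {account} (workstation field: {workstation})"
            )
    return summary


if __name__ == "__main__":
    inventory = ntlm_inventory(parse_events(SAMPLE_EVENTS))
    print(f"NTLM logons: {inventory['ntlm_events']}, NTLMv1: {inventory['ntlmv1_events']}, "
          f"without source IP: {inventory['missing_source_ip']}")
    for finding in inventory["findings"]:
        print(" -", finding)
```

Run against a real export the script would take the rendered 4624 messages from a SIEM or `Get-WinEvent` output instead of the constructed sample; the by-account and by-workstation counters are what you would use to build the NTLM exception list before turning restrictions on, and the findings show why log-only monitoring leaves a blind spot.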
Stop Mimikatz and Control NTLM
With the latest release from Preempt, organizations can for the first time take a proactive role in dealing with these tools and their protocols. Previously, NTLM traffic was encrypted, making it impossible to analyze directly on the wire. Preempt is the first behavioral analysis platform to decrypt and decode NTLM traffic for analysis. This allows Preempt to both detect and block the use of Mimikatz on the network.
This additionally gives IT teams visibility into the who, where, and why of NTLM use in the network. This can allow teams to remove any unnecessary use of NTLM and create additional controls where necessary. Instead of allowing NTLM universally, it can be allowed only in the few instances where it is required, and denied otherwise.
Getting Smart About PsExec and RPC
The latest Preempt release also adds support for the analysis of RPC traffic. Given that tools like PowerShell, WMI, and PsExec are commonly needed by administrators, they can’t reasonably be blacklisted. Instead, Preempt can use identity, behavior, and risk analysis to identify and challenge any abnormal RPC behavior. For example, RPC can be allowed, but only for administrators, and only after they pass an MFA challenge. Instead of giving attackers free rein inside the network to use RPC, administrators can limit it to instances of verified need.
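The two access rules sketched in this section and the NTLM section above (NTLM only to the few targets that still require it; RPC only for administrators, and only after an MFA challenge) can be written down as a small policy evaluator. The Python below is an added example and is not Preempt's implementation; the group name, host patterns and the three-way allow/challenge/deny outcome are assumptions chosen to illustrate how "challenge" differs from a plain deny.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # group memberships resolved from the identity store
    protocol: str              # "NTLM" or "RPC"
    target: str                # destination host name
    mfa_verified: bool = False # whether the user has already passed MFA for this session


@dataclass(frozen=True)
class Policy:
    # Hosts where NTLM remains required (legacy file shares, printers).
    # Patterns are hypothetical; a real list comes from the NTLM inventory.
    ntlm_allowed_targets: tuple = ("FILESRV*", "PRINTER*")
    # Hypothetical administrator group; only its members may use RPC.
    rpc_admin_group: str = "CORP\\Domain Admins"


def evaluate(req, policy):
    """Return (decision, reason) where decision is allow, challenge or deny."""
    if req.protocol == "NTLM":
        # Default-deny NTLM; only the documented exceptions pass.
        if any(fnmatch(req.target.upper(), pat.upper()) for pat in policy.ntlm_allowed_targets):
            return ("allow", f"NTLM permitted to legacy target {req.target}")
        return ("deny", f"NTLM not on the exception list for target {req.target}")

    if req.protocol == "RPC":
        # Identity first: non-administrators never get RPC.
        if policy.rpc_admin_group not in req.groups:
            return ("deny", f"{req.user} is not an administrator")
        # Administrators are challenged rather than denied; a stolen admin
        # credential alone is not enough to proceed.
        if not req.mfa_verified:
            return ("challenge", f"{req.user} must pass MFA before RPC to {req.target}")
        return ("allow", f"verified administrator {req.user} may use RPC to {req.target}")

    return ("deny", f"unknown protocol {req.protocol}")


if __name__ == "__main__":
    policy = Policy()
    admins = frozenset({"CORP\\Domain Admins", "CORP\\Domain Users"})
    users = frozenset({"CORP\\Domain Users"})
    for req in (
        AccessRequest("CORP\\svc-backup", users, "NTLM", "FILESRV01"),
        AccessRequest("CORP\\svc-backup", users, "NTLM", "WS-BOB"),
        AccessRequest("CORP\\alice", admins, "RPC", "WS-BOB"),
        AccessRequest("CORP\\alice", admins, "RPC", "WS-BOB", mfa_verified=True),
        AccessRequest("CORP\\bob", users, "RPC", "WS-ALICE"),
    ):
        decision, reason = evaluate(req, policy)
        print(f"{decision:9} {req.protocol:4} {req.user} -> {req.target}: {reason}")
```

The point of the third outcome is that an administrator's first RPC session of the day is interrupted with a challenge, not blocked: legitimate work continues after MFA, while a tool that has only harvested the administrator's hash cannot answer it.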
Attackers have turned to a remarkably simple and effective recipe for spreading through enterprise networks. Tools such as Mimikatz and PsExec have become standard for attackers and malware intent on stealing or destroying data within a network. While eradicating such tools is virtually impossible, Preempt is enabling organizations to get visibility and control over the protocols and techniques that they depend on. This allows teams not only to stop active attacks, but also to take active control over troublesome protocols such as NTLM, which have plagued networks for decades. Instead of chasing each new malware variant or attack tool, Preempt lets organizations secure their networks from the fundamental protocols up, simultaneously stopping threats and reducing risk.