Quick Links

Investigating “Mimikatz Pass the Hash” findings

Overview

This guide provides steps for investigating “Mimikatz Pass the Hash” findings using Report Builder to identify each time a user’s account is called and the process responsible for the events.

Mimikatz is a hacking tool used to extract passwords and other sensitive information from a computer's memory. "Pass the hash" is a technique that Mimikatz can perform, which allows an attacker to use a stolen password hash, or encrypted version of a password, to authenticate on a system. This method bypasses the need to decrypt the password and can be used to move laterally within a network, potentially gaining access to multiple systems using the same stolen hash. The "Mimikatz Pass the Hash" detection rule looks for a specific host attempting to access another user's credentials.

Scenarios that might trigger a "Mimikatz Pass the Hash" finding

There are some managed processes that regularly perform actions matching the activity of the "pass the hash" technique. Examples of management applications or services that can trigger this finding including the following:

  • Network Glue
  • ManageEngine's ADManager Plus
  • Rapid7 Insight Agent
  • Veeam SureBackup
  • Netwrix services

Some businesses use these types of management tools in their environment for legitimate business purposes, and when their services query different endpoints, those queries can trigger false-positive "Mimikatz Pass the Hash” findings.

Using Report Builder to investigate Mimikatz events

Reference: See Using the Report Builder for more information about building reports.

To build a report and review the events related to this finding, do the following:

  1. Navigate to Reporting > Report Builder.
  2. Edit the Time Range to include the time of the activity you need to investigate.
  3. Click Data Sources, and then select the relevant endpoint log types, such as Microsoft Windows and Blumira Agent Endpoint Logs, according to your integrations.
  4. Click Edit Report.
  5. Under Selected Columns, find and select dst_user.
  6. Click Add Filter.
  7. Add the following report filters to narrow your logs to those containing the username and device name from the finding:
    • Add a filter for the username in question.
      Exampledst_user - Equal - username
    • Add a filter for the device in question.
      Exampledevname - Equal - devname
  8. Click Submit.

Responding to the finding

Malicious actions

If the process or user you investigated is unexpected in your environment, complete the following immediately:

  1. Locate the user account in your Active Directory system, disable it, and expire the password. 
  2. Isolate the host that is listed in the finding from the rest of your network until further scope investigation can be completed.

Expected users and processes

If the process or user you investigated is expected, add new detection filters to the detection rule and set the dst_user , devname, and process_name fields equal to the allowed values from the finding. 

Note: The process_name seen in the finding will not match what you found in the Report Builder.
Important: While filtering on the user account, ensure that this administrator or service account is properly protected with strong authentication controls and a limited permission set.

Additional detection rules for related behavior

Blumira has additional detection rules that find events related to Mimikatz behavior. If any of the following findings appear in conjunction with other Mimikatz findings, all related events should be investigated immediately:

  • Mimikatz File Creation Artifacts
  • Mimikatz Process Creation or Command Run
  • WMI Remote Code Execution
  • Registry Value Tampering: Restricted Admin Mode Enabled
  • New Remote Scheduled Task
  • Dump LSASS.exe Memory using Windows Error Reporting
  • Indicator: Password Dumper Remote Thread in LSASS
  • Registry Dump of SAM