'Mimikatz Security Support Provider mimilib.dll will be registered as a Windows Security Package. Once the Security Package is registered and the system is rebooted, the mimilib.dll will be loaded into lsass.exe process memory and intercept all logon passwords next time someone logs onto the system or otherwise authenticates, say, via runas.exe.' A Threat Actor used exactly this technique outlined above in one of our latest Incident Response cases, to register a malicious DLL as a Security Package (see the screenshot below).

I checked our case database and found the screenshots from 2 years ago, where the attackers used the same technique to capture cleartext passwords. From a hunting perspective, reading out the relevant registry key (see for the exact reg query command) on all endpoints should be easy enough with an EDR or Velociraptor, for example.

Or hunt for all reg add commands involving 'Security Packages' (again, check for details).
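Both hunting steps above, as an added Python example that is not from the original post: compare a host's 'Security Packages' value (HKLM\SYSTEM\CurrentControlSet\Control\Lsa) against a baseline of the default SSP names, and flag process-creation command lines that run reg add against that value. The baseline set and the sample registry value and command lines are constructed assumptions, not data from the case.

```python
import re
from pathlib import PureWindowsPath

# Assumed baseline of SSP names normally listed in the REG_MULTI_SZ value
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa -> "Security Packages".
# The exact set differs between Windows builds, so tune it per fleet.
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

def normalise_package(entry: str) -> str:
    """Reduce one Security Packages entry to a bare package name.
    LSA accepts plain names, names with .dll, and full paths, so compare on the stem."""
    name = PureWindowsPath(entry.strip().strip('"')).name.lower()
    return name[:-4] if name.endswith(".dll") else name

def unexpected_packages(multi_sz: list[str]) -> list[str]:
    """Entries of the registry value that are not in the baseline (empty entries ignored)."""
    return [e for e in multi_sz
            if normalise_package(e) and normalise_package(e) not in BASELINE_SSPS]

# Match "reg add" / "reg.exe add" command lines (e.g. Sysmon Event ID 1 or 4688 CommandLine)
# that target the LSA key (or its OSConfig subkey) and the Security Packages value.
REG_ADD_RE = re.compile(r"(?i)\breg(?:\.exe)?\s+add\b")
LSA_KEY_RE = re.compile(r"(?i)\\control\\lsa(?:\\osconfig)?\b")
VALUE_RE = re.compile(r'(?i)/v\s+"?security packages"?')

def suspicious_reg_commands(command_lines: list[str]) -> list[str]:
    """Command lines that write the Security Packages value; reg query lines are left alone."""
    return [c for c in command_lines
            if REG_ADD_RE.search(c) and LSA_KEY_RE.search(c) and VALUE_RE.search(c)]

# Constructed sample data (not taken from a real case).
SAMPLE_VALUE = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u",
                r"C:\Windows\System32\mimilib.dll", ""]
SAMPLE_CMDS = [
    'C:\\Windows\\system32\\reg.exe query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "Security Packages"',
    'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "Security Packages" /t REG_MULTI_SZ /d "kerberos\\0msv1_0\\0schannel\\0wdigest\\0tspkg\\0pku2u\\0mimilib" /f',
    'reg add HKLM\\SOFTWARE\\Contoso\\App /v Timeout /t REG_DWORD /d 30 /f',
]

if __name__ == "__main__":
    print("unexpected SSPs:", unexpected_packages(SAMPLE_VALUE))
    for cmd in suspicious_reg_commands(SAMPLE_CMDS):
        print("suspicious:", cmd)
```

Any hit from unexpected_packages is worth a look at the DLL on disk and at lsass.exe's loaded modules; the reg query used for collection itself does not match suspicious_reg_commands.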