What is Mimikatz?
Mimikatz is a program created by Benjamin Delpy in May 2011 as a closed-source application to test Microsoft's authentication methods and protocols. Delpy had contacted Microsoft beforehand, but Microsoft disregarded his claim that the Windows operating system contained a critical vulnerability: it held both an encrypted copy of credentials and the "key" needed to decipher that encryption.
The Mimikatz program was built to exploit this vulnerability and has since become one of the most widely used programs by threat actors across the globe. I have included a list of threat actors known to have used Mimikatz in their campaigns at the bottom of this article.
Getting Started
Wanting to dive into Mimikatz infrastructure, I took a sample IP address submitted to the Abuse.ch (ThreatFox) platform.
Scoping on the IP address in Censys
124.71.207[.]28
Breaking Down Response Body
The response.body field in the Censys scan result holds the raw content the web server returned in response to the scan request; it is a snapshot of the actual data the server serves.
In our case the content is served by a SimpleHTTP/0.6 Python/3.10.6 web server, the lightweight file server bundled with Python. Three files are listed in the response:
Invoke-Mimikatz.ps1
.Invoke-Mimikatz.ps1.swo
.Invoke-Mimikatz.ps1.swp
The two dotfiles (.swo / .swp) are not scripts but most likely editor swap files, temporary files left behind while the Invoke-Mimikatz.ps1 script was being edited.
The presence of the other files:
Get-PassHashes.ps1
shell.sh
and directories…
JavaDeserH2HC/
JbossVulExploit/
…are further indications that this host is likely being used by a bad actor for exploitation.
So now we have established a bit more about the infrastructure and how it is likely managed and delivered. Next we can pivot on the response body to identify other, similarly hosted infrastructure.
Pivoting to Further Discovery
Performing another Censys query
services.http.response.body="*Invoke-Mimikatz.ps1*"
We are presented with 2 additional HTTP response bodies containing indications of Mimikatz infrastructure.
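The two steps above, reading a SimpleHTTP directory listing for known tool names and then pivoting on a file name across other hosts, can be turned into a small triage script. The following is an added example and not code from the original post: the listing bodies are constructed to mirror the layout Python's http.server emits, the host IPs are placeholders rather than the indicators in the post, and the labels attached to each file name simply record what the post observed about it.

```python
"""Triage Censys-style HTTP scan results for Python SimpleHTTP directory
listings that expose Mimikatz tooling, then pivot across results that
share a file name. Added example; hosts and listings are constructed."""
from html.parser import HTMLParser
from typing import Dict, List

# File and directory names the post associates with this pattern.
SUSPECT_FILES = {
    "invoke-mimikatz.ps1": "Mimikatz PowerShell loader",
    "get-passhashes.ps1": "credential-dumping script",
    "beacon_x64.exe": "matched a Cobalt Strike YARA rule",
    "gohttpserver.exe": "Go HTTP file server used for staging",
}
SUSPECT_DIRS = {"javadeserh2hc/", "jbossvulexploit/"}
SWAP_SUFFIXES = (".swp", ".swo", ".swn")  # Vim-style editor swap files


class _ListingParser(HTMLParser):
    """Collects href targets from <li><a href="..."> listing entries."""

    def __init__(self) -> None:
        super().__init__()
        self._in_li = False
        self.entries: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "li":
            self._in_li = True
        elif tag == "a" and self._in_li:
            href = dict(attrs).get("href")
            if href:
                self.entries.append(href)

    def handle_endtag(self, tag):
        if tag == "li":
            self._in_li = False


def parse_listing(body: str) -> List[str]:
    """Entries of a Python SimpleHTTP directory listing, [] otherwise."""
    if "Directory listing for" not in body:
        return []
    parser = _ListingParser()
    parser.feed(body)
    return parser.entries


def triage(server_header: str, body: str) -> Dict[str, object]:
    """Score one host's response the way the post reads it by hand:
    SimpleHTTP banner, known tool names, swap files, exploit directories."""
    entries = parse_listing(body)
    lowered = [e.lower() for e in entries]
    suspect = {e: SUSPECT_FILES[e] for e in lowered if e in SUSPECT_FILES}
    swap = [e for e in entries
            if e.startswith(".") and e.lower().endswith(SWAP_SUFFIXES)]
    dirs = [e for e in lowered if e in SUSPECT_DIRS]
    simplehttp = server_header.startswith("SimpleHTTP/")
    return {
        "simplehttp": simplehttp,
        "entries": entries,
        "suspect": suspect,
        "swap_files": swap,
        "exploit_dirs": dirs,
        # One point per independent signal, so a lone hit ranks below a
        # host showing the full pattern described in the post.
        "score": int(simplehttp) + len(suspect) + len(dirs) + int(bool(swap)),
    }


def pivot(results: Dict[str, Dict[str, str]], needle: str) -> List[str]:
    """Offline equivalent of the post's body wildcard query: every host
    whose response body mentions `needle` (case-insensitive), sorted."""
    n = needle.lower()
    return sorted(h for h, r in results.items() if n in r["body"].lower())


def _listing(*names: str) -> str:
    """Build a body in the shape Python's http.server returns (constructed)."""
    items = "".join(f'<li><a href="{n}">{n}</a></li>\n' for n in names)
    return ("<!DOCTYPE HTML>\n<html><head><title>Directory listing for /"
            "</title></head>\n<body>\n<h1>Directory listing for /</h1>\n"
            f"<hr>\n<ul>\n{items}</ul>\n<hr>\n</body></html>\n")


# Constructed scan results keyed by placeholder host (not the post's IOCs).
RESULTS = {
    "198.51.100.10": {
        "server": "SimpleHTTP/0.6 Python/3.10.6",
        "body": _listing("Invoke-Mimikatz.ps1", ".Invoke-Mimikatz.ps1.swo",
                         ".Invoke-Mimikatz.ps1.swp", "Get-PassHashes.ps1",
                         "shell.sh", "JavaDeserH2HC/", "JbossVulExploit/"),
    },
    "198.51.100.11": {
        "server": "SimpleHTTP/0.6 Python/3.11.4",
        "body": _listing("Invoke-Mimikatz.ps1", "beacon_x64.exe",
                         "gohttpserver.exe"),
    },
    "198.51.100.12": {  # benign static site, must not match the pivot
        "server": "nginx/1.24.0",
        "body": "<html><body><h1>Welcome</h1></body></html>",
    },
}

if __name__ == "__main__":
    for host in pivot(RESULTS, "Invoke-Mimikatz.ps1"):
        t = triage(RESULTS[host]["server"], RESULTS[host]["body"])
        print(host, "score", t["score"], "suspect", sorted(t["suspect"]))
```

Feeding real Censys results into `RESULTS` (server header plus response body per host) gives the same ranking the post builds by eye; the score deliberately counts signals rather than file hits, so a host exposing only `shell.sh` scores zero while one that combines the SimpleHTTP banner, the loader, its swap files and the exploit directories scores highest.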
Yet Again - Breaking Down the Response Body
When looking at the new response body I was able to identify several items of interest. One is the pivot point, our malicious "Invoke-Mimikatz.ps1" file, and the other 2 are:
beacon_x64.exe
gohttpserver.exe
Doing a bit of automated analysis here…
https://app.any.run/tasks/e948ef5d-d74c-4428-933e-c94527edeb95
https://app.any.run/tasks/5b39772d-b19f-41a2-892e-0f9d4ee51e92
The "beacon_x64.exe" binary matched a YARA rule for Cobalt Strike, and "gohttpserver.exe" spun up a local Go HTTP file server, likely used to pull data back to without standing up external infrastructure that could be flagged.
Taking a look at our last IP address here:
52.151.88[.]215
We once again see "Invoke-Mimikatz.ps1" being hosted on port 8000 by a SimpleHTTP Python web server. This is very lightweight, quick-to-spin-up infrastructure for the threat actors.
Using this information I was able to begin pivoting deeper into other publicly facing web servers following the same pattern.
Leveraging the Censys Intelligence platform
Query:
https://platform.censys.io/search?q=host.services.endpoints.http.body%3A+%22Invoke-Mimikatz%22
host.services.endpoints.http.body: "Invoke-Mimikatz"
Sure, we could have scoped on matches containing any sign of "Mimikatz", but for the sake of this digging I wanted to keep the scope to other copycats using this .ps1 technique.
Pulling back a bit to review what we have found: Mimikatz in the form of "Invoke-Mimikatz.ps1" is often hosted from the SimpleHTTP file server and paired with several other malicious binaries.
Pivoting on response.body fields, as in this case, is great for discovering active or recently active infrastructure. I am absolutely certain I missed key pivoting points and IOCs to include, but this is a rabbit hole that could be explored indefinitely.
Rolling OTX Pulse
https://otx.alienvault.com/pulse/676ad52e02e6a72a66d2f0de
I intend to update this list with further findings and referenced sources.