Closed leegengyu closed 4 years ago
Hello again @leegengyu!
And yeah you're right, we have that as part of our environment configuration (https://attackevals.mitre.org/APT29/environment.html). Added to the Victim Setup as you suggested, thanks!
In regards to the section of Mimikatz output, it may depend on how you originally logged into the box during setup (which dictates how/where the credentials are cached).
I see. I had totally missed out on the bottom section of that page and focused solely on the instructions in README.md.
Thank you for addressing this so quickly @jcwilliamsATmitre!
Glad to help, and thank you for pointing this out! As you said, this was something we should have included in the readme as well so great catch.
When I executed `wmidump` (point 6 of Step 14.B), all of the passwords which returned were `(null)`:

Looking at `stepFourteen_credDump.ps1`, I found `$ProcessInfo.Arguments = @("privilege::debug","sekurlsa::logonpasswords","exit");`, which were passed into the Mimikatz executable. I decided to run `m.exe` on the victim machine with the same 2 commands manually.

This is an example of a paragraph from the output after running the above 2 commands:

The white arrow in the screenshot shows that for this particular Authentication Id, that field has a value of `(null)`. Additionally, manual execution of the executable does indeed show that all Password fields had a value of `(null)`.

I came across this Microsoft link, and attempted a shot:

In `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`, there was no `UseLogonCredential` originally:

After adding in `UseLogonCredential` and setting it to `1`:

I manually executed the Mimikatz executable first, and found that for the same Authentication Id, I was able to see the password (under Kerberos) now.

I executed `wmidump` this time, and found that the password was showing up (as expected based on the second time the manual execution was carried out):

I am not sure if ...: Victim Setup), or if there is something that I missed in the setup that caused me to see only `(null)` values as passwords.
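The registry setting the issue toggles, audited from the defender's side, as an added example that is not part of the issue or of the MITRE emulation repository (the function name and the `-Remediate` switch are assumptions; run it in an elevated PowerShell on the host being checked):

```powershell
# Added example (not the issue author's or the repository's code): report whether
# LSASS will keep plaintext credentials for new logons, and optionally turn it off.
param(
    [switch]$Remediate   # hypothetical switch: set UseLogonCredential back to 0
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$Name    = 'UseLogonCredential'

function Get-WDigestCacheState {
    # A missing value or a value of 0 means WDigest does not cache plaintext
    # credentials on Windows 8.1 / Server 2012 R2 and later; older builds need
    # KB2871997 installed before the value is honoured at all.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Present         = $false
            Value           = $null
            PlaintextCached = $false
            Note            = 'Value absent; OS default applies'
        }
    }
    $v = [int]$item.$Name
    $note = if ($v -eq 1) { 'Plaintext credentials cached for new logons' } else { 'WDigest caching disabled' }
    return [pscustomobject]@{
        Present         = $true
        Value           = $v
        PlaintextCached = ($v -eq 1)
        Note            = $note
    }
}

$state = Get-WDigestCacheState
$state | Format-List

if ($state.PlaintextCached) {
    Write-Warning "$KeyPath\$Name = 1: sekurlsa::logonpasswords output will contain cleartext passwords."
    if ($Remediate) {
        Set-ItemProperty -Path $KeyPath -Name $Name -Value 0 -Type DWord
        # LSASS reads this value at logon, so sessions that are already cached keep
        # their plaintext; a fresh logon or a reboot is needed for the change to apply.
        Write-Output 'Set UseLogonCredential to 0; re-logon or reboot for it to take effect.'
    }
}
```

This is also the key to watch in registry-modification telemetry (for example Sysmon Event ID 13) if the lab setup is reused outside the evaluation, since flipping it to 1 is exactly what makes the `(null)` fields above turn into passwords.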