Mimikatz (Silver Ticket)

- Table of Contents

Tool Overview
Tool Operation Overview
Information Acquired from Log
Evidence That Can Be Confirmed When Execution is Successful
Main Information Recorded at Execution
Details: Source Host
Details: Destination Host
Remarks

Open all sections | Close all sections

- Tool Overview

Category: Capturing Administrator Rights/Account
Description: Forges Kerberos authentication tickets and connects to a remote host.
Example of Presumed Tool Use During an Attack: This tool is used to connect to a remote host by using the forged authentication ticket.

- Tool Operation Overview

Item	Source Host	Destination Host
OS	Windows	Windows Server
Belonging to Domain	Required
Rights	Administrator	Standard user
Service	Workstation	Active Directory Domain Service

- Information Acquired from Log

Standard Settings

Source host
- Execution history (Prefetch)

Additional Settings

Source host
- Execution history (audit policy, Sysmon)
Destination Host
- Logon by an account with a malicious domain (audit policy) *It is recorded when there is an error in the specification at tool execution.

- Evidence That Can Be Confirmed When Execution is Successful

In the Event ID: 4624 of the event log "Security", logon by an account with a malicious domain is recorded. *It may not be recorded depending on the tool version or setting.

- Main Information Recorded at Execution

- Source Host

Event log

#	Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. CommandLine: Command line of the execution command (path to the tool) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (path to the tool) User: Execute as user
2	Security	4689	Process Termination	A process has exited. Log Date and Time: Process terminated date and time (local time) Process Information > Exit Status: Process return value (0x0) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Process Name: Path to the executable file (path to the tool)
3	Security	4673	Sensitive Privilege Use	A privileged service was called. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Service Request Information > Privilege: Privileges used (SeTcbPrivilege) Process > Process Name: Process that used the privilege (path to the tool)
4	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) Image: Path to the executable file (System) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host) DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source port: 445)

Prefetch

C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf

- Destination Host

Event log

#	Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) Image: Path to the executable file (System) ProcessGuid/ProcessId: Process ID (4) User: Execute as user (NT AUTHORITY\SYSTEM) SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source port: 445) DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
2	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon (source host name) Process Information > Process Name: Path to the executable file Network Information > Source Network Address: IP address that requested the logon (source host IP address) Subject > Logon ID: Session ID of the user who executed the authentication
3	Security	4672	Special Logon	Special privileges assigned to new logon. Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeEnableDelegationPrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
4	Security	4634	Logoff	An account was logged off. Logon Type: Logon path, method, etc. (3=Network) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool

- Details: Source Host

- Event Log

#	Event Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process CurrentDirectory: Work directory CommandLine: Command line of the execution command (path to the tool) IntegrityLevel: Privilege level (Medium) ParentCommandLine: Command line of the parent process UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (path to the tool)
1	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to parent process that created the new process Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (path to the tool) Process Information > Token Escalation Type: Presence of privilege escalation (1) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
2	Security	4673	Sensitive Privilege Use	A privileged service was called. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process > Process ID: ID of the process that used the privilege Subject > Logon ID: Session ID of the user who executed the process Service Request Information > Privilege: Privileges used (SeTcbPrivilege) Process > Process Name: Process that used the privilege (path to the tool)
2	Security	4673	Sensitive Privilege Use	A privileged service was called. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process > Process ID: ID of the process that used the privilege Subject > Logon ID: Session ID of the user who executed the process Service Request Information > Privilege: Privileges used (SeTcbPrivilege) Process > Process Name: Process that used the privilege (path to the tool)
3	Microsoft-Windows-Sysmon/Operational	11	File created (rule: FileCreate)	File created. Image: Path to the executable file (C:\Windows\System32\svchost.exe) ProcessGuid/ProcessId: Process ID TargetFilename: Created file (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf) CreationUtcTime: File creation date and time (UTC)
	Security	4656	File System/Other Object Access Events	A handle to an object was requested. (A handle to an object was requested.) Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) (4) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf) Audit Success: Success or failure (access successful) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
4	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (path to the tool)
4	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Exit Status: Process return value (0x0) Log Date and Time: Process terminated date and time (local time) Process Information > Process Name: Path to the executable file (path to the tool) Subject > Logon ID: Session ID of the user who executed the process
5	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (destination host IP address) Image: Path to the executable file (System) DestinationHostname: Destination host name (destination host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (445) SourcePort: Source port number (high port) SourceHostname: Source host name (source host) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID (4) Application Information > Application Name: Execution process (System)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (445) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (destination host IP address) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (System) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host IP address) Application Information > Process ID: Process ID

- USN Journal

#	File Name	Process	Attribute
1	[Executable File Name of Tool]-[RANDOM].pf	FILE_CREATE	archive+not_indexed
	[Executable File Name of Tool]-[RANDOM].pf	DATA_EXTEND+FILE_CREATE	archive+not_indexed
	[Executable File Name of Tool]-[RANDOM].pf	CLOSE+DATA_EXTEND+FILE_CREATE	archive+not_indexed

- MFT

#	Path	Header Flag	Validity
1	[Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf	FILE	ALLOCATED

- Prefetch

#	Prefetch File	Process Name	Process Path	Information That Can Be Confirmed
1	C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf	[Executable File Name of Tool]	[Path to Tool]	Last Run Time (last execution date and time)

- Details: Destination Host

- Event Log

#	Event Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (System) DestinationHostname: Destination host name (source host) ProcessGuid/ProcessId: Process ID (4) User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (high port) SourcePort: Source port number (445) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)
1	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (445) Network Information > Destination Address: Destination IP address (source host IP address) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (System) Network Information > Direction: Communication direction (inbound) Network Information > Source Address: Source IP address (destination host IP address) Application Information > Process ID: Process ID (4)
2	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) Network Information > Source Port: Source port number (high port) New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon (source host name) Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos) Network Information > Source Network Address: IP address that requested the logon (source host IP address) Subject > Logon ID: Session ID of the user who executed the authentication
3	Security	4672	Special Logon	Privileges assigned to a new logon. Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeEnableDelegationPrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process
3	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) Network Information > Source Port: Source port number (high port) New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon (source host name) Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos) Network Information > Source Network Address: IP address that requested the logon (source host IP address) Subject > Logon ID: Session ID of the user who executed the authentication
4	Security	5140	File Sharing	A network share object was accessed. Network Information > Source Port: Source port number (high port) Shared Information > Share Path: Shared path Access Request Information > Access: Requested privileges (ReadData or ListDirectory) Shared Information > Share Name: Share name used (\\*\IPC$) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Network Information > Source Address: Source IP address (source host) Subject > Logon ID: Session ID of the user who executed the process
	Security	5140	File Sharing	A network share object was accessed. Network Information > Source Port: Source port number (high port) Shared Information > Share Path: Shared path Access Request Information > Access: Requested privileges (ReadData or ListDirectory) Shared Information > Share Name: Share name used (\\*\IPC$) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Network Information > Source Address: Source IP address (source host) Subject > Logon ID: Session ID of the user who executed the process
	Security	5140	File Sharing	A network share object was accessed. Network Information > Source Port: Source port number (high port) Shared Information > Share Path: Share path (\??\C:\) Access Request Information > Access: Requested privileges (ReadData or ListDirectory) Shared Information > Share Name: Share name used (\\*\C$) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Network Information > Source Address: Source IP address (source host) Subject > Logon ID: Session ID of the user who executed the process
	Security	5145	Detailed File Share	A network share object was checked to see whether the client can be granted the desired access. Network Information > Source Port: Source port number (high port) Network Information > Object Type: Type of the created object (File) Shared Information > Share Path: Path to the share (\??\C:\) Access Request Information > Access: Requested privileges (SYNCHRONIZE, ReadAttributes) Shared Information > Share Name: Share name (\\*\C$) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Shared Information > Relative Target Name: Relative target name from the share path (\) Network Information > Source Address: Source IP address (source host) Subject > Logon ID: Session ID of the user who executed the process
	Security	5145	Detailed File Share	A network share object was checked to see whether the client can be granted the desired access. Network Information > Source Port: Source port number (high port) Network Information > Object Type: Type of the created object (File) Shared Information > Share Path: Path to the share (\??\C:\) Access Request Information > Access: Requested privileges (SYNCHRONIZE, ReadData or ListDirectory, ReadAttributes) Shared Information > Share Name: Share name (\\*\C$) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Shared Information > Relative Target Name: Relative target name from the share path (\) Network Information > Source Address: Source IP address (source host) Subject > Logon ID: Session ID of the user who executed the process
	Security	5145	Detailed File Share	A network share object was checked to see whether the client can be granted the desired access. Network Information > Source Port: Source port number (high port) Network Information > Object Type: Type of the created object (File) Shared Information > Share Path: Path to the share (\??\C:\) Access Request Information > Access: Requested privileges (SYNCHRONIZE, ReadAttributes) Shared Information > Share Name: Share name (\\*\C$) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Shared Information > Relative Target Name: Relative target name from the share path (\) Network Information > Source Address: Source IP address (source host) Subject > Logon ID: Session ID of the user who executed the process
5	Security	4634	Logoff	An account was logged off. Logon Type: Logon path, method, etc. (3=Network) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the authentication

- Remarks

Whether a Silver Ticket was used or not cannot be determined from a packet message. However, since frequency of communication differs from normal Kerberos authentication (the frequency of communication with 88/tcp), there is a possibility that unauthorized logon can be determined based on communication trends.