mimikatz > sekurlsa::tickets

- Table of Contents

Tool Overview
Tool Operation Overview
Information Acquired from Log
Evidence That Can Be Confirmed When Execution is Successful
Main Information Recorded at Execution
Details: Host

Open all sections | Close all sections

- Tool Overview

Category: Password and Hash Dump
Description: Acquires tickets for logged-on sessions.
Example of Presumed Tool Use During an Attack: This tool is used to log in to a remote host using acquired tickets.

- Tool Operation Overview

Item	Description
OS	Windows
Belonging to Domain	Not required
Rights	Administrator

- Information Acquired from Log

Standard Settings

Host
- Execution history (Prefetch)

Additional Settings

Host
- Execution history (audit policy, Sysmon)
- Reading of process memory from lsass.exe (audit policy)
- A record that a file that output the ticket was created (audit policy, Sysmon, USN Journal)

- Evidence That Can Be Confirmed When Execution is Successful

An output ticket file (.kirbi file) is created

- Main Information Recorded at Execution

- Host

Event log

#	Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. CommandLine: Command line of the execution command (path to the tool) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (path to the tool) User: Execute as user
2	Security	4663	File System	An attempt was made to access an object. Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (reading from process memory) Object > Object Type: Target category (Process) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Process Name: Name of the process that closed the handle (\Device\HarddiskVolume2\Windows\System32\lsass.exe)
3	Security	4703	Token Right Adjusted Events	A token right was adjusted. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Enabled Privileges: Enabled privileges (SeDebugPrivilege) Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain Process Information > Process Name: Name of the process executed (path to the tool)
4	Security	4663	File System	An attempt was made to access an object. Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Process Name: Name of the process that closed the handle (path to the tool) Object > Object Name: Target file name ([Current Directory]\[Service Name]-[Domain].kirbi)

USN journal

#	File Name	Process
1	[Service Name]-[Domain Name].kirbi	CLOSE+DATA_EXTEND+FILE_CREATE

Prefetch

C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf

- Details: Host

- Event Log

#	Event Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process CurrentDirectory: Work directory CommandLine: Command line of the execution command (path to the tool) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user Hashes: Hash value of the executable file Image: Path to the executable file (path to the tool)
1	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to parent process that created the new process Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (path to the tool) Process Information > Token Escalation Type: Presence of privilege escalation (2) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
2	Security	4673	Sensitive Privilege Use	A privileged service was called. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process > Process ID: ID of the process that used the privilege Subject > Logon ID: Session ID of the user who executed the process Service Request Information > Privilege: Privileges used (SeTcbPrivilege) Process > Process Name: Process that used the privilege (path to the tool)
2	Security	4673	Sensitive Privilege Use	A privileged service was called. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process > Process ID: ID of the process that used the privilege Subject > Logon ID: Session ID of the user who executed the process Service Request Information > Privilege: Privileges used (SeTcbPrivilege) Process > Process Name: Process that used the privilege (path to the tool)
3	Microsoft-Windows-Sysmon/Operational	11	File created (rule: FileCreate)	File created. Image: Path to the executable file (C:\Windows\System32\svchost.exe) ProcessGuid/ProcessId: Process ID TargetFilename: Created file (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf) CreationUtcTime: File creation date and time (UTC)
	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf) Audit Success: Success or failure (access successful) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
4	Security	4703	Token Right Adjusted Events	A token right was adjusted. Disabled Privileges: Disabled privileges (-) Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain Target Account > Logon ID: Session ID of the target user Enabled Privileges: Enabled privileges (SeDebugPrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Process Information > Process ID: ID of the executed process Process Information > Process Name: Name of the process executed (path to the tool)
	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (reading from process memory) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (\Device\HarddiskVolume2\Windows\System32\lsass.exe) Process Information > Process Name: Name of the process that closed the handle (path to the tool) Object > Object Type: File type (Process) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privilege (reading from process memory) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name Access Request Information > Access: Requested privilege Audit Success: Success or failure (access successful) Process Information > Process Name: Name of the process that closed the handle (\Device\HarddiskVolume2\Windows\System32\lsass.exe) Object > Object Type: Target category (Process) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (path to the tool) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
5	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name ([Current Directory]\[Service Name].kirbi) Process Information > Process Name: Name of the process that closed the handle (path to the tool) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name ([Current Directory]\[Service Name]-[Domain].kirbi) Audit Success: Success or failure (access successful) Process Information > Process Name: Name of the process that closed the handle (path to the tool) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Process Information > Process Name: Name of the process that requested the object (path to the tool) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
6	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Exit Status: Process return value Log Date and Time: Process terminated date and time (local time) Process Information > Process Name: Path to the executable file (path to the tool) Subject > Logon ID: Session ID of the user who executed the process
6	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (path to the tool)

- USN Journal

#	File Name	Process	Attribute
1	[Executable File Name of Tool]-[RANDOM].pf	FILE_CREATE	archive+not_indexed
	[Executable File Name of Tool]-[RANDOM].pf	DATA_EXTEND+FILE_CREATE	archive+not_indexed
	[Executable File Name of Tool]-[RANDOM].pf	CLOSE+DATA_EXTEND+FILE_CREATE	archive+not_indexed
2	[Service Name]-[Domain Name].kirbi	FILE_CREATE	archive
	[Service Name]-[Domain Name].kirbi	DATA_EXTEND+FILE_CREATE	archive
	[Service Name]-[Domain Name].kirbi	CLOSE+DATA_EXTEND+FILE_CREATE	archive

- MFT

#	Path	Header Flag	Validity
1	[Drive Name]:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf	FILE	ALLOCATED
2	[Current Directory]\[Service Name]-[Domain].kirbi	FILE	ALLOCATED

- Prefetch

#	Prefetch File	Process Name	Process Path	Information That Can Be Confirmed
1	C:\Windows\Prefetch\[Executable File Name of Tool]-[RANDOM].pf	[Executable File Name of Tool]	[Path to Tool]	Last Run Time (last execution date and time)