AD Security's Unofficial Guide to Mimikatz & Command Reference
Our own Mark Baggett (@markbaggett) recently reTweeted Sean Metcalf's (@PyroTek3) Tweet about his Active Directory Security post, an Unofficial Guide to Mimikatz & Command Reference.
This is a freaking gold mine, well done Sean!
Using Mimikatz as part of red/blue exercises and scenarios is near and dear to my heart; it is the attacker basis, along with PowerShell and Metasploit, of my May 2015 toolsmith, Attack & Detection: Hunting in-memory adversaries with Rekall and WinPmem. Sean describes Mimikatz and its use in such robust detail that even the uninitiated should be able to grasp the raw power of the tool (both dangerous and useful).
First and foremost, I'll quote one of Sean's most important points:
"This information is provided to help organizations better understand Mimikatz capability and is not to be used for unlawful activity. Do NOT use Mimikatz on computers you don’t own or have been allowed/approved to. In other words, don’t pen-test/red-team systems with Mimikatz without a “get out of jail free card”."
Further, Sean developed this reference after speaking with both hired defenders and attackers and learning that, outside of a couple of the three most used Mimikatz commands, not many knew about the full capability of Mimikatz.
"This page details as best as possible what each command is, how it works, the rights required to run it, the parameters (required & optional), as well as screenshots and additional context (where possible)." Sean indicates there are several that he hasn't dug into fully yet, but expects to in the near future.
Put Unofficial Guide to Mimikatz & Command Reference on your immediate must read and bookmark list and find safe ways to explore its capabilities.
Again, if you're one of those folks who spend time in both red and blue team activities, it's imperative that you understand Mimikatz from both perspectives.
Color My Logs: Providing Context for Your Logs Using Our Data
I feel our data is best used to provide context for your own logs. So far, there hasn't been an easy way to look up a large number of IP addresses to annotate your logs. We do have an API, but that requires scripting on your end. Our most recent experiment makes annotating your logs as easy as copy and paste: copy a log snippet into our "Color My Logs" page, and the snippet will be marked up with our data.
Any IPs found in your log will be "Colored" based on our risk rating. We are still refining the risk rating, so any feedback is very welcome. Please let us know if you run into a log that isn't parsed correctly or if you experience any other issues.
For a quick run-through and some additional details, see this YouTube video.
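The scripting the post mentions, as an added example that is not ISC's own code: it pulls the IPv4 addresses out of a pasted log snippet, skips internal ranges, looks each external address up once, and tags it in place with a rating. The lookup here is an offline stand-in with a hypothetical low/medium/high scale and constructed sample data; a real run would replace sample_lookup with a client for the ISC IP API.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Internal ranges carry no reputation, so they are never looked up or tagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed ratings standing in for an API response. The low/medium/high scale
# is hypothetical, not ISC's rating; the addresses are RFC 5737 documentation IPs.
SAMPLE_RATINGS: Dict[str, str] = {"203.0.113.7": "high", "198.51.100.22": "medium"}

# Constructed firewall/sshd snippet, the kind of text a user would paste in.
SAMPLE_LOG = """\
Nov 17 10:02:11 fw kernel: DROP SRC=203.0.113.7 DST=192.168.1.5 PROTO=TCP DPT=22
Nov 17 10:02:14 fw kernel: DROP SRC=198.51.100.22 DST=192.168.1.5 PROTO=TCP DPT=3389
Nov 17 10:02:20 fw kernel: ACCEPT SRC=192.0.2.9 DST=192.168.1.5 PROTO=TCP DPT=443
Nov 17 10:02:25 fw sshd[412]: Failed password for root from 203.0.113.7 port 51122 ssh2
"""

def sample_lookup(ip: str) -> str:
    """Offline stand-in for the per-IP API call; unrated addresses are 'unknown'."""
    return SAMPLE_RATINGS.get(ip, "unknown")

def extract_external_ips(log_text: str) -> List[str]:
    """Unique, valid, non-internal IPv4 addresses in order of first appearance."""
    found: List[str] = []
    for candidate in IPV4_RE.findall(log_text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if addr.is_link_local or addr.is_multicast or any(addr in n for n in INTERNAL_NETS):
            continue
        if candidate not in found:
            found.append(candidate)  # dedupe so each address is looked up only once
    return found

def annotate_log(log_text: str,
                 lookup: Callable[[str], str] = sample_lookup) -> Tuple[str, Dict[str, str]]:
    """Tag each external IP in place with its rating, e.g. 203.0.113.7[high]."""
    ratings = {ip: lookup(ip) for ip in extract_external_ips(log_text)}

    def tag(match: re.Match) -> str:
        ip = match.group(0)
        return f"{ip}[{ratings[ip]}]" if ip in ratings else ip

    return IPV4_RE.sub(tag, log_text), ratings
```

Because the lookup is injected, the same annotate_log works unchanged once the stand-in is swapped for a cached API client.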