One of the most powerful weapons at an attacker’s disposal is the use of specialized tools designed to compromise network security. Mimikatz, BloodHound, and winPEAS are just a few examples of tools that can wreak havoc in your environment if left undetected.
In this article, we’ll explore how malicious actors can exploit specialized tools to launch sophisticated attacks. We’ll also demonstrate how a SIEM solution like ManageEngine Log360 can effectively detect the presence of these tools within your network using simple, predefined correlation rules.
1. Mimikatz
Mimikatz is a powerful post-exploitation tool capable of stealing credentials from compromised systems, enabling attackers to move laterally within a network and escalate their privileges. This technique can lead to significant data breaches, unauthorized access to sensitive systems, and disruption of operations. By extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory or from the SAM database and LSA secrets, Mimikatz provides attackers with a wealth of information to exploit.
Attackers can also use Mimikatz to perform pass-the-hash attacks by using stolen hashes to authenticate to other systems without requiring the actual passwords. Then, threat actors can build golden tickets by creating persistent Kerberos tickets that grant them long-term access to systems and resources.
Log360 can detect Mimikatz by correlating disparate events with the following rule criteria:
- Processes with names containing mimikatz or related terms.
- Command lines containing mimikatz or its associated arguments.
- Processes with names containing delpy.
- Processes with names containing gentilkiwi.
2. BloodHound
BloodHound is a powerful Active Directory (AD) visualization tool that can reveal relationships between users, groups, computers, and services. Attackers can use this information to identify potential attack paths, discover privileged accounts, and plan targeted attacks. BloodHound can also be used to move laterally within the network and gain access to sensitive systems.
Log360 can detect BloodHound by correlating disparate events with the following rule criteria:
- Processes with names containing bloodhound or related terms.
- Command lines containing the argument --CollectionMethod. This argument is frequently used with BloodHound to specify the collection method for gathering information from AD.
- Command lines containing azurehound, which suggests an attempt to gather information from Azure AD.
3. PetitPotam
PetitPotam is a tool designed for NTLM relay attacks, which exploit vulnerabilities in the NTLM authentication protocol.
Attackers use PetitPotam to attack web applications by redirecting NTLM authentication traffic to a compromised domain controller, capturing credentials and gaining unauthorized access. They can also attack network services by relaying NTLM authentication traffic to vulnerable network services, such as SMB or RDP, to gain access. They are also able to perform pass-the-hash attacks by using stolen NTLM hashes to authenticate to other systems without requiring the actual passwords.
Log360 can detect PetitPotam by correlating disparate events with the following rule criteria:
- Use of petitpotam in the command line, which indicates a strong possibility of malicious activity executed by attackers, such as forced SMB authentication or NTLM relay attacks.
4. winPEAS
winPEAS is a post-exploitation tool that provides comprehensive system information, enabling attackers to gather intelligence, identify vulnerabilities, and gain further access.
Attackers often use winPEAS to gather system information by collecting details about running processes, services, users, groups, and network connections. They can identify vulnerabilities by discovering outdated software, weak configurations, and exploitable services. With winPEAS, it's easier to locate privileged accounts and identify vulnerabilities that can be exploited to gain higher-level access. Threat actors also create mechanisms to maintain access to a compromised system, even after a reboot.
Log360 can detect winPEAS by correlating disparate events with the following rule criteria:
- Processes with names containing winpeas or related terms.
- Command lines containing winpeas.bat. This part of the rule catches attempts to execute winPEAS via a batch file.
- Command lines containing winpeas.ps1. This part of the rule catches PowerShell-based attempts to execute winPEAS.
5. Kerbrute
Kerbrute is a tool designed to brute-force Kerberos, a network authentication protocol widely used in Windows environments. By guessing passwords, attackers can obtain valid tickets and gain unauthorized access to resources. They can perform pass-the-hash attacks by extracting NTLM hashes from stolen Kerberos tickets and using them for lateral movement and privilege escalation.
Log360 can detect Kerbrute by correlating disparate events with the following rule criteria:
- Command lines containing kerbrute or its associated arguments.
By utilizing Log360’s preconfigured correlation rules, you can effectively identify security threats like these in real time. Explore our comprehensive correlation rule library to discover additional attacker tools and other security threat categories that you can detect with Log360.