I am completing some online labs for a cyber security course. We are meant to do specific tasks.

For this task we have a compromised virtual machine in an activity titled "compromised host".

"The attacker has deployed the ‘mimikatz’ tool to attempt to capture plaintext passwords." I am not sure what a mimikatz tool is, but upon research online it is used in malicious attacks. We are meant to find the filename of the executable for this mimikatz tool on the disk. I am not sure how we are meant to identify it, especially when it is probably not called mimikatz (I have already tried). We are also meant to find a path to a log file, which contains the details of someone called Alan Jones (I am assuming this could be used as a keyword in a search of files).

The questions we have been asked are: 1) What is the filename of the mimikatz executable on disk? 2) What is the full path of the log file on disk?

How do we find the mimikatz file (commands in PowerShell?) and how do we find the password log?

  • If it was renamed, then your best bet is to download all of the available Mimikatz executables, get the hashes from them, and hash all the files on your disk until you find one that matches one of the hashes of the known Mimikatz executables. You may need to download the source files and compile various versions with different compilation options and add them to your hash search list as well. – user Nov 14 '19 at 21:33
  • Is there an easier way to automate it? Or to notice resources going mad? – Ismaeel Ali Nov 14 '19 at 21:36
  • This is a copy of: https://security.stackexchange.com/questions/221217/finding-a-mimikatz-file-on-a-compromised-host – schroeder Nov 14 '19 at 21:38
  • As I said in your other question, we can't help you with just this information. And as you are not sure what info to provide, we would need access to the machine. You need to work with your instructor on these exercises. – schroeder Nov 14 '19 at 21:41
  • @schroeder♦ I just added more information... so how is it a duplicate? – Ismaeel Ali Nov 14 '19 at 21:51
  • It's literally the same question – schroeder Nov 14 '19 at 21:52
  • Same question, but I added more information to make it less "broad" @schroeder♦ – Ismaeel Ali Nov 14 '19 at 21:54
  • The info you added would not help in answering your question. You just added more details about the exercise context. – schroeder Nov 14 '19 at 21:56
  • What sort of information would you need then? So I know how to structure my stuff. This is due on Saturday, I'm starting to panic that I can't find anything that can help. @schroeder♦ – Ismaeel Ali Nov 14 '19 at 22:06
  • As I said, we'd need to see the machine. We are as in the dark as you are. – schroeder Nov 14 '19 at 22:41
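
The hash comparison suggested in the first comment, together with the keyword search the question proposes, as an added PowerShell example that is not part of the original thread. The function names, the temporary directory layout and the file contents are constructed for the demo; in real use the hash list would come from reference binaries you have hashed yourself.

```powershell
# Added example: find a renamed file by content hash, then find a log by keyword.
# Function names, paths and file contents are constructed for this demo.

function Find-FileByHash {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string[]]$KnownSha256
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Locked or unreadable files yield no hash; skip them instead of aborting.
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            # -contains is case-insensitive, so hex case in the list does not matter.
            if ($h -and ($KnownSha256 -contains $h.Hash)) { $h | Select-Object Hash, Path }
        }
}

function Find-FileByKeyword {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Keyword,
        [string[]]$Extensions = @('.log', '.txt')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension } |
        Select-String -SimpleMatch -Pattern $Keyword -List |   # first hit per file
        Select-Object Path, LineNumber
}

# --- Constructed demo data: stand-in files, not real tool binaries ---
$lab  = Join-Path ([System.IO.Path]::GetTempPath()) ("hashdemo_" + [guid]::NewGuid().ToString('N'))
$disk = Join-Path $lab 'disk'
$pub  = Join-Path $disk 'Users\Public'
New-Item -ItemType Directory -Path $pub -Force | Out-Null

$reference = Join-Path $lab 'reference.bin'          # plays the "known" binary
Set-Content -LiteralPath $reference -Value 'constructed reference sample' -NoNewline
Copy-Item  -LiteralPath $reference -Destination (Join-Path $pub 'updater.exe')   # renamed copy
Set-Content -LiteralPath (Join-Path $disk 'notes.txt') -Value 'unrelated file'
Set-Content -LiteralPath (Join-Path $pub 'out.log') -Value 'Username : Alan Jones (constructed line)'

# Hash the reference, then scan the "disk": the rename does not change the hash.
$knownHashes = @((Get-FileHash -LiteralPath $reference -Algorithm SHA256).Hash)
Find-FileByHash    -Root $disk -KnownSha256 $knownHashes | Format-List
Find-FileByKeyword -Root $disk -Keyword 'Alan Jones'     | Format-List

Remove-Item -LiteralPath $lab -Recurse -Force
```

A hash match only identifies builds that are in the list, so an empty result means none of the listed builds is present, not that the tool is absent.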

0 Answers