Improving Credential Theft Detection Capabilities: A case study on Mimikatz: Improving Detection Capabilities by Examining Temporal Relations of Dynamic-Link Libraries and Correlating Memory Access of Targeted Processes
Umeå University, Faculty of Science and Technology, Department of Computing Science.
2018 (English). Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits. Student thesis.
Abstract [en]

Cyber intrusions typically include stealing credentials, in one way or another, belonging to high-privilege accounts. Stealing high-privilege credentials is critical as it enables an attacker to escalate further into the compromised environment.

A popular tool for stealing these credentials is called Mimikatz. The tool extracts cached credentials from the live memory of the Windows authentication process. The tool is well known, so a sophisticated attacker usually modifies this software in order to bypass detection.

This thesis focuses on a detection method in which examining the loading order and temporal relations of Dynamic-Link Libraries (DLLs) can help reveal activity by obfuscated versions of Mimikatz.

This thesis concludes that Mimikatz detection is not improved by examining the loading order of DLLs, but can be sharpened by monitoring the process whose memory contains the credentials. Monitoring this process can reveal whether credentials were exposed to an unknown process in an anomalous context.

Place, publisher, year, edition, pages
2018, p. 32
Series
UMNAD ; 1140
National Category
Engineering and Technology
Identifiers
URN: urn:nbn:se:umu:diva-149683
OAI: oai:DiVA.org:umu-149683
DiVA, id: diva2:1223817
External cooperation
TrueSec AB
Educational program
Master of Science Programme in Computing Science and Engineering
Supervisors
Examiners
Available from: 2018-06-26 Created: 2018-06-26 Last updated: 2018-06-26
Bibliographically approved

Open Access in DiVA

No full text in DiVA

By organisation
Department of Computing Science
Engineering and Technology
