On Macs, login passwords are often stolen from the files located inside of the /var/db/dslocal/nodes/Default/users/ directory, where each user on the system has his own plist file. Macs, however, present more of a challenge to attackers. This is because Mimikatz is often able to hand the attacker plain-text passwords by pulling them from memory. In fact, CrowdStrike has observed it in almost every Windows-based attack we’ve seen, regardless of the adversary. Mimikatz - which Dmitri calls the “AK47 of cyber” - has become a popular tool for achieving credential theft in Windows environments. We saw in the Privilege Escalation demo how attackers can gain root privileges to perform a number of different tasks - including “Credential Theft,” the subject of this blog. In the first demo in this series, I showed how the Delivery stage of an attack is accomplished via a CustomURLScheme. In this video, I demonstrate the third stage of an attack, “Credential Theft.” In my previous blogs, I focused on the first attack stage, “Delivery,” and the second stage, “Privilege Escalation.” Hash Collection This blog is the third in a series from CrowdStrike’s RSA 2019 keynote, “Hacking Exposed: Hacking Macs,” where I joined CrowdStrike’s co-founders, CEO George Kurtz and CTO Dmitri Alperovitch, as we demonstrated real-world attacks against MacOS machines and networks.
0 Comments
Leave a Reply. |