From 9a293b974e6f6a8303c68558c69c70592685783b Mon Sep 17 00:00:00 2001
From: Joshua Wright <jwright@hasborg.com>
Date: Fri, 3 May 2019 06:33:20 -0400
Subject: [PATCH] Add more Mimikatz detection, focusing on token::elevate as a
 non-admin user

---
 DeepBlue.ps1                                  |  21 ++++++++++++++++++
 ...-privilegedebug-tokenelevate-hashdump.evtx | Bin 0 -> 69632 bytes
 2 files changed, 21 insertions(+)
 create mode 100755 evtx/mimikatz-privilegedebug-tokenelevate-hashdump.evtx

diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
index 656cb26..11c4884 100644
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@@ -136,6 +136,27 @@ function Main {
                     #$adminlogons.Set_Item($username,$securitysid)
                     #$adminlogons($username)+=($securitysid)
                 }
+                # This unique privilege list is used by Mimikatz 2.2.0
+                If ($privileges -Match "SeAssignPrimaryTokenPrivilege" `
+                        -And $privileges -Match "SeTcbPrivilege" `
+                        -And $privileges -Match "SeSecurityPrivilege" `
+                        -And $privileges -Match "SeTakeOwnershipPrivilege" `
+                        -And $privileges -Match "SeLoadDriverPrivilege" `
+                        -And $privileges -Match "SeBackupPrivilege" `
+                        -And $privileges -Match "SeRestorePrivilege" `
+                        -And $privileges -Match "SeDebugPrivilege" `
+                        -And $privileges -Match "SeAuditPrivilege" `
+                        -And $privileges -Match "SeSystemEnvironmentPrivilege" `
+                        -And $privileges -Match "SeImpersonatePrivilege" `
+                        -And $privileges -Match "SeDelegateSessionUserImpersonatePrivilege") {
+                    $obj.Message = "Mimikatz token::elevate Privilege Escalation" 
+                    $obj.Results = "Username: $username`n"
+                    $obj.Results += "Domain: $domain`n"
+                    $obj.Results += "User SID: $securityid`n"
+                    $pprivileges = $privileges -replace "`n",", " -replace "\s+"," "
+                    $obj.Results += "Privileges: $pprivileges"
+                    Write-Output($obj)
+                }
             }
             ElseIf ($event.id -eq 4720){ 
                 # A user account was created.
diff --git a/evtx/mimikatz-privilegedebug-tokenelevate-hashdump.evtx b/evtx/mimikatz-privilegedebug-tokenelevate-hashdump.evtx
new file mode 100755
index 0000000000000000000000000000000000000000..7f6132c31c185778b8b35d5e8067f9fe10893579
GIT binary patch
literal 69632
zcmeI2dyHIF9mjuj=h4~6%<gvCzR*690)=#;k1c%&>2`NZH+>3IXiY=hcDLQO+ugd|
zZA&V#LFy|)nrICXkVkwZ21zif3K)$bh8P87!b?ds1`uN~Vl)!`WBq>5xp(f&boL=s
zFywnSGxywk&*OJK=XZX;-#N2g1AEu+ALz5nG%b8^64!(!%^DMxMc(!Oj)xOZz3WEQ
zfCz|y2#A0Ph=2%)fCz|y2#A0Ph`^)-x(4=k^ba1y9^a=-c&)rYiRX7MFnfKW*^Y<)
z_S3M~JHD{}1NVIU-l&0jHD>ps^WmJ?5nTJz(HnpL8lGQ+V~Fw68Pu;#uV>A+q$;15
z-_HyWI_?eoI~JB-9UXw6_=R}(TKIe!+GP3(?%xW0eolp4JtcJ)g+Mo>><-Adx?)^g
zYJD5uo#C&OeQyK@rc1)U{ay9%`cT%=w`VUZy)(P~a<j`&E}HMTJ&%93F7aHVA(629
z#MxIr`Io3C=3hPi?`=Q(&VBccojLi9E{uew+Q-ILA<F?WJyxH#E<0*{HfSTb{~SJ<
z1L4abHKgsh9kKzuJc1YLM4R=a*oYmr)pjNRj@TYN=|h<w<Xdswk0--6gu5Zzi;}Il
zAHwr1?HJw-;=0tX!ryY_uCkT*?kjeGr0gz8jE(IsnYW=r#%{1%(DI1u(Ja7VUV>cF
zjJ|myYujA!N6}X=N)6-f_wiXDDdWa7Dcb^J58)*TG{-idBl2Rq$%)zv!H=Q4#U+FW
z@NA!Dz7*=vqL!3hXQQq+Hg}1gz^M1w3Ts3E{9B3Yy}0kg^TinTD&&_Ux6+p3c^h(k
z*M>TKab1OLpDjVTm3FHo+mjH_?Cr3(e?nE`$?CRFyt@>i3{{>YE&6S(eGKCCV9NHR
z!To4#7$Y#trz{iXla@&(>WoSit+ZJ+)9l8u*nSLd5buI~ouyLHvAMX3mRRpIY1@Q?
z)Rh5O$XF<_58>t>2*A{JB4q`q3kPu*<O6n?u=%**5@dRKZpOAkfv6UoA{I-qrL<j)
zn`q@8cs6Sr@%k1_!4L+~>xL2J)7Fy0v~NSvCg?HKnmg;z>3%n-9Vprd0jMIqc<1nN
z6;r1_dZM;WgQ7~nld+~`q88d3+p_h^TnX*#(I7>pB%XYbueDmratf6qgY@9v>#V~S
zqZ|WHk_hWAlw1GvQ0Uq>YpoqEjzDl~>j*~b+s#k2hRho%#%XVRs>#^3Z;4|Xr_yw5
zNJ5rF=p!;>KRjE50UURNkGhWh^lqRWTVUxZOYI9a;hLf59l>8HMb@$zns!d@sa07J
z?hn~U0P;1KO(w?1mU8@|;rt9#v;!r3ph$yGZp?2wkp*}18$}a-tSMAnjf&5sA}4aq
zVAg><1l6Fhe(j=a9jdlt&E9~eQm}RSwAs}#9VEXF4MZ;C{?>ClF`I`HnaDfr-ITHI
z7$MsZM_F&p$yB1*sUAc(a&PO*7K?Sd8SFtTLB81*q*8VP^3YfJfqEN1Oj&Eer^)40
z$nlf4T360J9OvtzU;)bZ7Z>FGwKdN?dK-=U)0qE%pjPwFu&TH6yY9dFY~(ALUpxEx
zLiUM+4{SK~%8U15(S}z3%g9FV@1gcQ)-EmAdf*=bfDZTF<7SlW<kR>#yPr<1fiR^u
zp0<4u)o7n+d*7*@_x3+Bs-<?{8&%r-s~`sB0Hzn}^O*Ee+ieHXGgnG9cQ-&93LU_^
zHdB$PfecBQp18YVoNBS%4{`}hu;L0-pr5A}K7MmkMa51a<LK$PN-GDxGKGx-ncvh^
z3hQ}u#dU|mCSkf#m}`T{Y_>c!V+KCd8`wUkbPK+gp15<@qxE;cvi+{sxBm<cAo5YP
z;5~HpweW=;3c3UxW_-Xnp}!7<!pED-;)LaQq#B|~hWVx|UfZ$a@JqK1T+uoB*GPk!
z?2pJYPN4q?b>qGE{~w14jN9nxFN7HM^wV*5{yYza&J*VwX#A2k6K`lVsR_;}mU%sf
zZuELZ@5Tr8Zb3fuWPCt#SM*zaK)+S=P<%iSRrEs?hUUw4Nk0>L5|(6CT=WtYpI*X=
zPs>}h^ZA^&-7G=d?Ml!-=OY{JEo~#LiMO;tzR|1Td_17;PGTq7BJHG?5}CZSd-*0<
zG}qlk2CdN=oH46r(AGnN`5xj}cXk1~u_cY{4Qc+#C_1%QJ1(iiOt!h}bBO|G^hL;W
zL1@^5sl;HF4rDRB0@nrI2^Z)-Tlm%63&#sz>Hg+p*RDxk_GGTIhBu$je(%^PqOhF#
zPo4hyjvsuh^NuGky=&)5pkygnh7n}ByJ70QjgFLo4};_qmjJEo!h7y^IA32JN|n4_
zh&LI=o#{lSZ74Tn-i)EGwy-T1wD_8n*)ng*P<K^W_lmgJshG1MM`MQi%fk8-NL_Bx
z0@xfEiY*CiekATW2QN+EvJc2A&32GW!Dx@yW3_sb=?!veFYDD|kBj0S8_RmEX1Ie~
z#@C)y-pX-K^W$W1oM|r8a9(RduSzRlKmd0b;|+3HwH#knDdV>NMkNZm;xX2EDZ9ho
z*2KNdb{and_v{ssTP;SqKEB+B{2n`qZ&HujLj*!;s_NEFE>b<{d`#R@T({2Gon++E
z1}MnYTLb&LCY1fkSoUV{8HQ}!NOF_N0E5vi*XXbdfIW#Imz!XgHlgl#<AgI{-&JMx
z8wu`SXeUT8$Tj#`s#?B$Zs@;*T%$Fz{l($fTwv+fXkA4B9rJ6NK&EbJOFLTbbukzN
z?;tnbm*+~NrZF4{H7$cE;xPK*24n;!n|(=Y2TM|_u;g@<WDxCle$>o(X5;-^kh{RQ
zP<5`j<6zvuV4Z=N-*@!7nH$8G)bHGa93mGo=?JBuj)hXpC|i$PT}Zzh^+q92Z!wUI
zNg)zqOV@=h(VB%V&6=>K>MMPwZ>_3LyAfj|L%&PrZi?GF%0;fTCZJMkn>L}9L98~C
ziPyB(l-U#5#V!|jA9ZuWx&`#jRtC}c9Q2)X<^|r_APHQvj}LiYk363-UZg9g%jJ9S
zM(BcJ$KA)f=@wfX-t#%@M(?A0w!`OecT8z|?ds9x#W)Yyie2bN9Ccie+;-^UpWxS+
z%4_dL3kA5!&9FZOn-Bfoj_U?jyBoQk#d?T;oc5E%VX&N!zb)Xf4?Jkm{0`oAQS!Ce
zDZ1Gv1Q1LeIELC)aaywrGQ@{O%W&AT3%XoxWm<91eKFfxh`%N7IA)o<kDn~Z5lxh$
zQp?d^m>6F(&fb8rgf#4pCtfHykBj1LqCFoG){@i$w3J%1wisbWas7A^R!g*Xd@m!c
zU;W|u_UM3=`Co6@T4?|L!AD>I*Du;vCyEhPE3%BR7~5A}sS|DfK8P_By^cQ&;tri&
zoK}W*m@yM=16NI@EjSreuHmV#LVDkJ^l$|I?1K&R5^&2qj5QS7rgJ6BVJ}kS{@6wV
zHgtDbn}=DE{N<%svh)aO@>YACZQP0@K%OP>B(oo_(+^gXD({IFxd+y@Gc3otlhs*=
z8jPPtr_g@nAL)(zCT+PBWp<<8eUp}qcQlhpTWaIFK!?<M>^=w|?W4oVTBsH!Ol>TF
zcD;q>oO=CX-_gEis%<+<O8ZGW`ZSC>w$?7qd-8v2M;}Shj+X9JBfCAG9i8!h?o_$q
zP(<*59}!T0smE_27@(nMdgONxJQ)8zcfR9+-v^cPK(ubg)8m=%XFMS9CGS<^cKjb8
z@8#D!*Znp)FB}4vC4c02zSsSlr1M`Zeq7uKM0Tdyy1yNEY1aF(?%O_m`qt<l7??kO
zZR_>vwH?o%ez_&Xe^UrgTIV1;;Xa^r-yKC5@yP+URy;YVdfHZ6v-(K^e+NSCs;5Au
zwf#>{JS`pn>~iA$O48S?dJb2;W;{kl|B!MObc?4w|MeMfcy2m{T~_5;M#i6IRF%2|
z5%YkH^?h_bg!no737IEm)BK59RjJ3X8;?5c_B=Hhbo5&pe>bcA?TqIbE3mzu%I{<o
z{mwSgyQ#Dt{Ra2TW^VzedNy$g5&Ite<AFbsKwa7qB@qw-5fA|p5CIVo0TB=Z5fA|p
z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo
z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z
z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p
z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo
z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z
z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIW*uL%4HR}zED

literal 0
HcmV?d00001