Fix Windows System Registry corrupted by Mimikatz | Generic Malware Containment Guide
What is Mimikatz and how it affected the system
Red Team operators use Mimikatz on compromised Windows computers to extract user credentials from memory. It is an extremely powerful open-source post-exploitation tool that makes lateral movement easy for attackers.
My work as a Security Analyst requires a lot of Red Teaming. I got a project to test various SIEMs, namely Elastic SIEM, Splunk, Wazuh and SumoLogic. To test these SIEMs, I came up with a routine where I would use the Red Team automation tool Caldera to attack one victim (a Windows 10 machine) while the SIEM agents monitored the system for malicious events. One such Caldera ability falls under the MITRE Framework's tactic "Command and Control" and technique "Ingress Tool Transfer". Here, the Caldera agent "Sandcat" installed on the victim machine downloads Mimikatz 1.0 (often referred to as a subdued version of Mimikatz) from the C2 server (the attacker).
After a while, I started to notice that on the victim machine the shortcuts started to break down: any system shortcut (from the taskbar, such as Volume, Wi-Fi or Windows Security), when opened, launched Command Prompt or Calculator instead. When a program was opened from the Run command, it behaved the same way. Since this was a dispensable virtual machine instance, I ignored it initially, but after a while it started to spread, to the point where opening any folder opened Command Prompt. This rendered the whole instance unusable, although it did not damage the file system, which I checked using Command Prompt as well as by opening the Windows folder with the keyboard shortcut "Windows + E".
Fix “Opening any folder or program opens Command Prompt”
The issue did not go away after following all the generic containment steps, which I discuss in the next part. Thus, given my experience in Windows forensics, I realized it must be a small yet cleverly written piece of code that had broken something in the system registry. Upon digging deeper into "What happens when you double-click to open a folder?", I found that a registry command gets executed, located at "Computer\HKEY_CLASSES_ROOT\Folder\shell\open\command".
This registry key contains a couple of values. The command stored in its default value is executed every time a folder is opened. Here the default value had been changed to "cmd", whereas by default it should be "%SystemRoot%\Explorer.exe".
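The check described above as an added PowerShell example (not code from the original post): it audits the folder-open command against the default value the post names and can restore it, and it goes one step further than the post by also checking the per-user HKCU\Software\Classes copy, which HKEY_CLASSES_ROOT merges on top of the machine-wide key and which would therefore win if tampered with. The script name and the -Restore switch are assumptions.

```powershell
# Added example, not from the original post. Audits the command Explorer runs
# when a folder is opened and optionally restores the value the post gives as
# the default (%SystemRoot%\Explorer.exe). HKCR is a merged view, so both the
# machine-wide key and the per-user override (which takes precedence) are checked.
# Run from an elevated PowerShell: .\Check-FolderOpenCommand.ps1 [-Restore]
param([switch]$Restore)

$Expected = '%SystemRoot%\Explorer.exe'
$Keys = @(
    'HKCU:\Software\Classes\Folder\shell\open\command',   # per-user, shadows HKLM
    'HKLM:\Software\Classes\Folder\shell\open\command'    # machine-wide
)

$tampered = $false
foreach ($key in $Keys) {
    if (-not (Test-Path $key)) {
        Write-Output "absent : $key"
        continue
    }
    # The key's default value is exposed as the '(default)' property.
    $current = (Get-ItemProperty -Path $key).'(default)'
    if ($current -eq $Expected) {
        Write-Output "ok     : $key = '$current'"
        continue
    }
    $tampered = $true
    Write-Warning "HIJACK : $key = '$current' (expected '$Expected')"
    if ($Restore) {
        # Preserve the tampered value for the incident record before fixing it.
        $backup  = Join-Path $env:TEMP ("folder_open_" + ($key -replace '[:\\]', '_') + ".reg")
        $regPath = $key -replace '^HKCU:', 'HKCU' -replace '^HKLM:', 'HKLM'
        reg.exe export $regPath $backup /y | Out-Null
        # The stock value is REG_EXPAND_SZ, so write it back with that type.
        Set-ItemProperty -Path $key -Name '(default)' -Value $Expected -Type ExpandString
        Write-Output "fixed  : $key restored; old value exported to $backup"
    }
}

if ($tampered -and -not $Restore) {
    Write-Output "Re-run with -Restore to reset the value(s) to '$Expected'"
}
```

The same pattern applies to the other handler keys the post's symptoms point at (the Run command and taskbar shortcuts), provided you know the correct default for each key before overwriting it.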
Generic Steps to Contain Malware
Since it was an old version of Mimikatz, it took a while to make a noticeable impact. I followed some generic steps that hold true for containing any malware.
1. Air-gap the device: disconnect it from the network and from the internet. If the compromised system contains important data, start creating a backup.
2. Switch to Safe Mode to stop all unwanted processes.
3. Monitor Task Manager for suspicious processes.
4. Delete all temporary files.
5. Check Add or Remove Programs for any unknown installations.
6. Run a Windows Defender Offline scan if nothing has been found so far. Download malware scanners on another device and bring them over on a pen drive (format the pen drive immediately afterwards).
7. As a preventive measure, reinstall all the affected programs.