Showing posts from September, 2015

Rekalling Mimikatz

I'm not really sure that everybody knows that the Rekall memory forensics framework contains a Mimikatz plugin: with this post I want to address this shortcoming, since the plugin has many good features and it can be easily extended.

behind the scenes
The act of rekall-ing Mimikatz started when I met Michael Cohen in Prague (SANS DFIR 2014) and a few months later in Dublin (DFRWS 2015). Despite the fact that I learnt so much by speaking with Michael, he deserves the credit for having pushed this plugin development: he released a first version in April 2015, based on what I did with Volatility (see et voilà le mimikatz offline). So by hangout-ing during the night, we co-authored the actual Rekall mimikatz plugin: it was an awesome dive into Windows memory and Rekall internals, guided by Michael, who truly has a talent for explaining complicated things in a simple way.

Before going further credits and thanks must go to the awesome reverse engineering research made by Benjamin Delpy: the plugin …