Prevent Mimikatz | Lithnet Idle Logoff
INTRO
Do you make sure to log out of your sessions when using Windows? If not, you could expose the systems you manage to a Mimikatz attack and cause a breach.
Mimikatz is a tool that can be used to extract passwords and other sensitive data from Windows systems. It is an open-source application that can be used by both attackers and security professionals:
- Attackers: Use Mimikatz to steal credentials and gain access to systems and networks. Mimikatz can be used to bypass authentication measures like multi-factor authentication. Attackers can also use Mimikatz to perform attacks like pass the hash and pass the ticket.
- Security professionals: Use Mimikatz to detect and exploit vulnerabilities in networks.
MANAGING SERVERS
The way I went about this was with a third-party solution called Lithnet Idle Logoff. It displays a warning prompt on screen and then automatically logs off idle user sessions. You configure it with Group Policy, and you can attach a WMI filter to the GPO so that it applies only to the servers you want.
For the WMI filter, configure it as follows:
Namespace: root\CIMv2
Query: select * from Win32_ComputerSystem where Name LIKE "WR-SVR-VM-DC" OR Name LIKE "WR-SVR-VM-FS"
You can keep adding more servers with OR if needed.
SCRIPTS
Install Lithnet Idle Logoff:
This script downloads and installs the program and copies its Group Policy templates (the ADMX policy definitions) into place.
# Define the URLs of the files to download (MSI installer and source archive containing the policy templates).
$URL1 = "https://github.com/lithnet/idle-logoff/releases/download/v1.2.8134/lithnet.idlelogoff.setup.msi"
$URL2 = "https://github.com/lithnet/idle-logoff/archive/refs/tags/v1.2.8134.zip"
# Create the working directory.
New-Item -Path 'C:\TEMP' -ItemType Directory -Force -WarningAction SilentlyContinue -ErrorAction SilentlyContinue | Out-Null
# Define the destination folder for the downloads and extraction.
$Destination = "C:\TEMP"
# GitHub requires TLS 1.2, which older Windows PowerShell hosts do not enable by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
# Download the files from the URLs.
$DownloadPath1 = Join-Path $Destination "lithnet.idlelogoff.setup.msi"
$DownloadPath2 = Join-Path $Destination "idle-logoff-1.2.8134.zip"
Invoke-WebRequest -Uri $URL1 -OutFile $DownloadPath1 -UseBasicParsing
Invoke-WebRequest -Uri $URL2 -OutFile $DownloadPath2 -UseBasicParsing
# Install Lithnet Idle Logoff silently.
Start-Process msiexec.exe -ArgumentList "/i `"$DownloadPath1`" /quiet /norestart" -NoNewWindow -Wait
# Extract the ZIP archive (it contains a top-level idle-logoff-1.2.8134 folder).
Expand-Archive -LiteralPath $DownloadPath2 -DestinationPath "$Destination\idle-logoff-1.2.8134" -Force
# Copy the ADMX/ADML policy definitions to the domain Central Store (SYSVOL) and to the local store.
$PolicySource = "$Destination\idle-logoff-1.2.8134\idle-logoff-1.2.8134\src\Lithnet.IdleLogoff\PolicyDefinitions\*"
Copy-Item -Path $PolicySource -Destination "C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions" -Recurse -Force
Copy-Item -Path $PolicySource -Destination "C:\Windows\PolicyDefinitions" -Recurse -Force
- You also need to install Lithnet Idle Logoff on each client computer if you want to target those. Domain-joined computers will pull the GPO settings from the SYSVOL location once you have run this script on the PDC. To apply this script to domain-joined client computers, remove the last two commands; for non-domain-joined computers, remove only the second-to-last command.
TASK SCHEDULER
Another option is to have Task Scheduler (or your RMM tool) run a script periodically. I didn’t have good luck with this method in testing.
Logoff – Uptime Beyond 5 Days – Users Logged In:
Function Get-TimeStamp {
    Return "[{0:MM/dd/yy} {0:HH:mm:ss}]" -f (Get-Date)
}
$LogFile = "C:\TEMP\logoff.log"
# Get-CimInstance returns LastBootUpTime as a DateTime, so no conversion is needed.
$OS = Get-CimInstance Win32_OperatingSystem
$Uptime = ((Get-Date) - $OS.LastBootUpTime).Days
If ($Uptime -gt 5) {
    Write-Output "$(Get-TimeStamp) - Uptime = $Uptime Days" >> $LogFile
    Write-Output "$(Get-TimeStamp) - Logoff Initiated" >> $LogFile
    # Logs off the session the script is running in.
    Shutdown /l
}
Else {
    Write-Output "$(Get-TimeStamp) - Uptime = $Uptime Days" >> $LogFile
    Write-Output "$(Get-TimeStamp) - Uptime threshold not reached. Logoff was not initiated." >> $LogFile
}
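The following is an added example, not from the original post, of the scheduled-task approach done per session: it parses `query user` output and logs off, by session ID, every session that has been idle beyond a threshold, so it covers all users on the server when run as SYSTEM rather than only the calling session. The threshold, log path and helper function names are assumptions of the example.

```powershell
# Added example (not from the original post): log off every session on this server that has been
# idle longer than a threshold. Targeting sessions by ID via logoff.exe works for all users when
# run from a scheduled task as SYSTEM, whereas 'shutdown /l' only logs off the calling session.
param(
    [int]$IdleMinutesThreshold = 60,                 # assumed threshold; adjust to policy
    [string]$LogPath = 'C:\TEMP\idle-logoff.log',
    [switch]$ReportOnly                              # log what would happen, do not log off
)

function Get-TimeStamp { '[{0:MM/dd/yy} {0:HH:mm:ss}]' -f (Get-Date) }

# Convert the IDLE TIME column of 'query user' to minutes.
# Formats it produces: 'none' or '.', '45' (minutes), '1:23' (h:mm), '2+03:10' (days+hh:mm).
function ConvertTo-IdleMinutes([string]$Text) {
    switch -Regex ($Text) {
        '^(none|\.)$'            { return 0 }
        '^(\d+)$'                { return [int]$Matches[1] }
        '^(\d+):(\d{2})$'        { return [int]$Matches[1] * 60 + [int]$Matches[2] }
        '^(\d+)\+(\d+):(\d{2})$' { return ([int]$Matches[1] * 24 + [int]$Matches[2]) * 60 + [int]$Matches[3] }
        default                  { return -1 }       # unrecognised; never treat as idle
    }
}

# Parse 'query user' output. SESSIONNAME is blank for disconnected sessions, so the session
# column is optional and the numeric ID anchors the rest of the row.
function Get-UserSession {
    $rows = query user 2>$null | Select-Object -Skip 1
    foreach ($row in $rows) {
        if ($row -match '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)\s+(?<Logon>.+)$') {
            [pscustomobject]@{
                User        = $Matches.User
                Id          = [int]$Matches.Id
                State       = $Matches.State
                IdleMinutes = ConvertTo-IdleMinutes $Matches.Idle
            }
        }
    }
}

$stale = Get-UserSession | Where-Object { $_.IdleMinutes -ge $IdleMinutesThreshold }
foreach ($s in $stale) {
    "$(Get-TimeStamp) - Session $($s.Id) ($($s.User), $($s.State)) idle $($s.IdleMinutes) min" |
        Out-File -FilePath $LogPath -Append
    if (-not $ReportOnly) { logoff $s.Id }
}
```

Run it once with -ReportOnly to confirm the parsed sessions and idle times match what `query user` shows before scheduling it.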
CONCLUSION
Well, that’s a wrap! Hopefully this helps.
My name is Dex Sandel, author at WinReflection, a blog which aims to help others on various IT and Christian-related subjects. DON’T TREAD ON ME! The best is yet to come, and nothing can stop what’s coming!
You all have a greater destiny in Christ, should you choose to ‘follow’ Him, not just believe. Many of you feel lost, without drive, and lack a greater purpose in your life causing depression, sadness, anxiety, and loneliness. Working your 9-5 job isn’t your primary purpose. So, then what is? That’s for you to discover, but hopefully I can provide some new unlocks along your path.
What will ‘you’ do, and what will your destiny be?
John 3:16: For God so loved the world that he gave his one and only Son, that whoever believes in him shall not perish but have eternal life.