Windows Server

Prevent Mimikatz | Lithnet Idle Logoff



INTRO

Do you make sure to log out of your sessions when using Windows? If not, you could be exposing the systems you manage to a Mimikatz attack and a resulting breach.

Mimikatz is a tool that can be used to extract passwords and other sensitive data from Windows systems. It is an open-source application that can be used by both attackers and security professionals:

  • Attackers: Use Mimikatz to steal credentials and gain access to systems and networks. Mimikatz can be used to bypass authentication measures like multi-factor authentication. Attackers can also use Mimikatz to perform attacks like pass-the-hash and pass-the-ticket.
  • Security professionals: Use Mimikatz to detect and exploit vulnerabilities in networks.

MANAGING SERVERS

The way I went about this was with a third-party solution called Lithnet Idle Logoff. It puts a warning prompt on the screen and then automatically logs off idle user sessions. You configure it with Group Policy, and you can attach a WMI filter to the GPO so that it only applies to the servers you want, if you are only targeting servers.

For the WMI filter, configure it as follows (the closing quote on the last server name is required):

Namespace: root\CIMv2
Query: select * from Win32_ComputerSystem where Name LIKE "WR-SVR-VM-DC" OR Name LIKE "WR-SVR-VM-FS"

You can use OR and just keep adding more servers if needed.
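A WMI filter that matches nothing silently leaves the GPO unapplied, so it is worth evaluating the WQL against a machine before linking the policy. The following is an added example, not code from the original post or from the Lithnet project; the Test-WmiFilterQuery function name is mine, the two host names are the ones used in the post, and the prefix and server-only queries are constructed alternatives. Group Policy applies a filter when its query returns at least one instance, which is what the function tests.

```powershell
# Added example (not from the original post): evaluate a GPO WMI filter query
# against the local machine before linking the GPO.
$Namespace = 'root\CIMv2'
# Query as used in the post (host names taken from the post).
$Query = 'SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "WR-SVR-VM-DC" OR Name LIKE "WR-SVR-VM-FS"'

function Test-WmiFilterQuery {
    # Hypothetical helper: returns $true when the query yields at least one
    # instance, which is the condition under which Group Policy applies the filter.
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    $Result = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop
    return (@($Result).Count -gt 0)
}

$Local = (Get-CimInstance Win32_ComputerSystem).Name
if (Test-WmiFilterQuery -Query $Query -Namespace $Namespace) {
    "Filter matches $Local - the GPO would apply here."
} else {
    "Filter does not match $Local - the GPO would be skipped here."
}

# WQL LIKE without a wildcard is an exact (case-insensitive) match, so the
# query above only ever matches those two hosts. A % wildcard covers a naming
# convention instead of listing every server (constructed query):
$PrefixQuery = 'SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "WR-SVR-VM-%"'
"Prefix query matches {0}: {1}" -f $Local, (Test-WmiFilterQuery -Query $PrefixQuery)

# To target every server regardless of name, filter on the OS role instead
# (ProductType 2 = domain controller, 3 = member server, 1 = workstation):
$ServerQuery = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2 OR ProductType = 3'
"Server-role query matches {0}: {1}" -f $Local, (Test-WmiFilterQuery -Query $ServerQuery)
```

After the GPO is linked, gpresult /r /scope:computer on a target host lists the applied GPOs and shows any GPO that was filtered out by its WMI filter, which is the quickest way to confirm the filter is doing what you expect.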

SCRIPTS

Install Lithnet Idle Logoff:

This script downloads the installer and the source archive, installs the program, and copies the Group Policy templates (the ADMX/ADML policy definitions) into place so the settings appear in the Group Policy editor.

PowerShell
# Define the URLs of the files to download.
$URL1 = "https://github.com/lithnet/idle-logoff/releases/download/v1.2.8134/lithnet.idlelogoff.setup.msi"
$URL2 = "https://github.com/lithnet/idle-logoff/archive/refs/tags/v1.2.8134.zip"

# Create directory.
New-Item -Path 'C:\TEMP' -ItemType Directory -Force -WarningAction SilentlyContinue -ErrorAction SilentlyContinue | Out-Null

# Define the destination folder for extraction.
$Destination = "C:\TEMP"

# Download the files from the URLs.
$DownloadPath1 = Join-Path $Destination "lithnet.idlelogoff.setup.msi"
$DownloadPath2 = Join-Path $Destination "idle-logoff-1.2.8134.zip"
Invoke-WebRequest -Uri $URL1 -OutFile $DownloadPath1
Invoke-WebRequest -Uri $URL2 -OutFile $DownloadPath2

# Install Lithnet Idle Logoff.
Start-Process msiexec.exe -ArgumentList "/i `"$DownloadPath1`" /quiet /norestart" -NoNewWindow -Wait

# Extract the ZIP archive.
Expand-Archive -LiteralPath $DownloadPath2 -DestinationPath "$Destination\idle-logoff-1.2.8134" -Force

# Copy Policy Definitions to the correct locations.
Copy-Item -Path "$Destination\idle-logoff-1.2.8134\idle-logoff-1.2.8134\src\Lithnet.IdleLogoff\PolicyDefinitions\*" -Destination "C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions" -Recurse -Force

Copy-Item -Path "$Destination\idle-logoff-1.2.8134\idle-logoff-1.2.8134\src\Lithnet.IdleLogoff\PolicyDefinitions\*" -Destination "C:\Windows\PolicyDefinitions" -Recurse -Force

  • You also need to install Lithnet Idle Logoff on each client computer if you want to target those. Domain-joined computers will pull the GPOs from the SYSVOL location after you push this script to the PDCs. To apply this script to domain-joined client computers, remove the last two commands; if applying it to non-domain-joined computers, remove only the second-to-last command.
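Once the script has run, a quick check confirms that each piece landed where the GPO expects it. The following is an added example, not code from the original post or from the Lithnet project. The central store path is the one the post's script copies to; the Test-IdleLogoffDeployment function name, the uninstall DisplayName pattern, the ADMX file name pattern and the policy registry key are assumptions about the product's installer and templates, and should be adjusted if they differ on your build.

```powershell
# Added example (not from the original post): verify the deployment steps the
# install script performs. Paths and names marked "assumed" are not from the post.
function Test-IdleLogoffDeployment {
    param(
        [string]$CentralStore = 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions',  # path from the post
        [string]$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Lithnet\IdleLogOff'          # assumed key
    )
    $Checks = [ordered]@{}

    # 1. Is the MSI installed? Read the Uninstall keys rather than Win32_Product,
    #    which triggers an MSI consistency check of every installed package.
    $UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
                 Where-Object { $_.DisplayName -like 'Lithnet Idle Logoff*' }   # assumed name
    $Checks['MSI installed']   = [bool]$Installed
    $Checks['MSI version']     = if ($Installed) { $Installed.DisplayVersion } else { $null }

    # 2. Did the policy template reach the central store (or the local store)?
    $Store = if (Test-Path $CentralStore) { $CentralStore } else { 'C:\Windows\PolicyDefinitions' }
    $Admx = Get-ChildItem -Path $Store -Filter '*idlelogoff*.admx' -ErrorAction SilentlyContinue  # assumed file name
    $Checks['ADMX location']   = $Store
    $Checks['ADMX present']    = [bool]$Admx

    # 3. Has a GPO actually delivered settings to this machine? (assumed key)
    if (Test-Path $PolicyKey) {
        $Checks['Policy key present'] = $true
        $Checks['Policy settings']    = Get-ItemProperty -Path $PolicyKey |
                                        Select-Object -Property * -ExcludeProperty PS*
    } else {
        $Checks['Policy key present'] = $false
    }
    return $Checks
}

# Run on the DC right after the install script, and on a client after gpupdate /force.
Test-IdleLogoffDeployment
```

If the policy key is missing on a client even though the ADMX is present, the GPO is linked but not applying; gpresult /r /scope:computer will say whether it was filtered out by the WMI filter or by security filtering.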

TASK SCHEDULER

Another option is to configure Task Scheduler to run a script every so often, or to use your RMM. I didn't have good luck with this method in testing.

Logoff – Uptime Beyond 5 Days – Users Logged In:

PowerShell
Function Get-TimeStamp {
    Return "[{0:MM/dd/yy} {0:HH:mm:ss}]" -f (Get-Date)
}

# The log folder must exist before the redirections below can write to it.
New-Item -Path 'C:\TEMP' -ItemType Directory -Force | Out-Null

# Days since the last boot, taken from the OS's LastBootUpTime.
$LastBootUpTime = Get-WmiObject Win32_OperatingSystem
$Uptime = ((Get-Date) - ($LastBootUpTime.ConvertToDateTime($LastBootUpTime.LastBootUpTime))).Days

If ($Uptime -gt 5) {
    Write-Output "$(Get-TimeStamp) - Uptime = $Uptime Days" >> C:\TEMP\logoff.log
    Write-Output "$(Get-TimeStamp) - Logoff Initiated" >> C:\TEMP\logoff.log
    # shutdown /l ends only the session this script runs in, so from a scheduled
    # task running as SYSTEM it does not touch interactive users' sessions.
    Shutdown /l
}
Else {
    Write-Output "$(Get-TimeStamp) - Uptime = $Uptime Days" >> C:\TEMP\logoff.log
    Write-Output "$(Get-TimeStamp) - Uptime is within the 5-day limit. Logoff was not initiated." >> C:\TEMP\logoff.log
}
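The scheduled-task approach only reduces exposure if it actually ends the idle interactive sessions whose credentials Mimikatz would harvest, and shutdown /l only logs off the session the task itself runs in. The following is an added example, not code from the original post or from the Lithnet project: it enumerates interactive sessions with quser, parses each session's idle time, and uses logoff <session id>, which works from a task running as SYSTEM. The idle threshold, log path, function names and -WhatIf dry-run switch are my assumptions; it relies on the English quser column layout.

```powershell
# Added example (not from the original post): log off interactive sessions idle
# longer than a threshold, from a scheduled task running as SYSTEM.
param(
    [int]$IdleMinutes = 60,                        # assumed threshold
    [string]$LogPath  = 'C:\TEMP\idle-logoff.log', # assumed log path
    [switch]$WhatIf                                # dry run: log only, log nobody off
)

function Get-TimeStamp { '[{0:MM/dd/yy} {0:HH:mm:ss}]' -f (Get-Date) }

function ConvertFrom-QuserIdle {
    # quser prints idle time as ".", "none", "45" (minutes), "1:23" (h:mm)
    # or "2+03:15" (days+hh:mm). Returns whole minutes.
    param([string]$Text)
    switch -Regex ($Text.Trim()) {
        '^(\.|none)$'          { return 0 }
        '^(\d+)$'              { return [int]$Matches[1] }
        '^(\d+):(\d+)$'        { return [int]$Matches[1] * 60 + [int]$Matches[2] }
        '^(\d+)\+(\d+):(\d+)$' { return [int]$Matches[1] * 1440 + [int]$Matches[2] * 60 + [int]$Matches[3] }
        default                { return 0 }
    }
}

function Get-InteractiveSession {
    # Parse quser output. The regex anchors on ID, STATE, IDLE and LOGON TIME
    # from the right, so disconnected sessions (no SESSIONNAME column) still
    # parse; a leading ">" marks the session the command itself runs in.
    $Pattern = '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    foreach ($Line in @(quser 2>$null | Select-Object -Skip 1)) {
        if ($Line -match $Pattern) {
            [pscustomobject]@{
                User        = $Matches.User
                Id          = [int]$Matches.Id
                State       = $Matches.State          # Active or Disc
                IdleMinutes = ConvertFrom-QuserIdle $Matches.Idle
                LogonTime   = $Matches.Logon.Trim()
            }
        }
    }
}

New-Item -Path (Split-Path $LogPath) -ItemType Directory -Force | Out-Null

$Targets = Get-InteractiveSession | Where-Object { $_.IdleMinutes -ge $IdleMinutes }
if (-not $Targets) {
    Add-Content -Path $LogPath -Value "$(Get-TimeStamp) - No sessions idle for $IdleMinutes minutes or more"
}
foreach ($S in $Targets) {
    $Msg = "$(Get-TimeStamp) - Session $($S.Id) ($($S.User), $($S.State), idle $($S.IdleMinutes) min, logon $($S.LogonTime))"
    if ($WhatIf) {
        Add-Content -Path $LogPath -Value "$Msg - would be logged off"
        continue
    }
    # logoff takes a session ID and works from a non-interactive SYSTEM context,
    # unlike shutdown /l, which only affects the caller's own session.
    logoff $S.Id
    Add-Content -Path $LogPath -Value "$Msg - logged off"
}
```

Run it once with -WhatIf from the scheduled task to see which sessions it would end before letting it log anyone off; disconnected ("Disc") sessions are the ones most often forgotten and their idle time counts from the moment of disconnection, so they tend to be the first to cross the threshold.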

CONCLUSION

Well, that’s a wrap! Hopefully this helps.
