Unravelling a Mimikatz campaign

This is a short blog post analyzing some artifacts left behind by a Mimikatz operator's campaign.

Background

While doing some internet dumpster-diving (as I like to call it), I came across an open directory belonging to a threat actor's Mimikatz staging server (see Figure 1). The threat actor's server was hosted on DigitalOcean AS14061 (165[.]232[.]*.*), and a takedown request was submitted by me to the DigitalOcean Abuse team.

Figure 1: Mimikatz opendir

The files on the server were not that interesting; most of them were default Mimikatz components taken from GitHub and other resources online. The files are also available on VirusTotal if needed.

im.ps1 (Invoke-Mimikatz PowerShell script)
https://www.virustotal.com/gui/file/1b441fde04d361a6fd7fbd83e969014622453c263107ce2bed87ad0bff7cf13f

mimidrv.sys (signed Windows Driver Model (WDM) kernel mode software driver)
https://www.virustotal.com/gui/file/f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5

mimikatz.exe