• Post last modified: June 12, 2024

A SOC analyst is alerted that .kirbi files are being modified on a system. Which hacking tool is likely being used by an adversary on the impacted system?

  • Sqlmap
  • Mimikatz
  • Metasploit
  • Nmap

Explanation & Hint:

If a SOC analyst is alerted that .kirbi files are being modified on a system, the hacking tool likely being used by an adversary on the impacted system is “Mimikatz.”

Mimikatz is a well-known security tool used by both system administrators and attackers for a range of tasks related to Windows security. One of its notable capabilities is extracting Kerberos ticket-granting tickets (TGTs) from memory and exporting them to files with the .kirbi extension. Those exported TGTs can then be used in “pass-the-ticket” attacks to gain unauthorized access to resources within a Windows environment. The creation or modification of .kirbi files is therefore a strong indicator that Kerberos tickets are being manipulated, a technique commonly associated with Mimikatz.

The other tools listed have different primary functions:

  • Sqlmap: This is an automated tool for detecting and exploiting SQL injection vulnerabilities in web applications.
  • Metasploit: While Metasploit can be used for a wide range of hacking activities, it is primarily known as a framework for developing and executing exploit code against remote target machines.
  • Nmap: This is a network scanning tool used for network discovery and security auditing.

For more Questions and Answers:

Threat Analysis Post-Assessment | CBROPS
