Mimikatz
Malware⚠️ Overview
Mimikatz is a post-exploitation credential-dumping tool first released in 2007 by French security researcher Benjamin Delpy (alias gentilkiwi). It is not a self-propagating malware family but is classified as a credential theft utility widely weaponized by threat actors including ransomware gangs, nation-state APTs, and penetration testers. Its source code is publicly available on GitHub under the MIT license, and it has been incorporated into numerous other frameworks such as Metasploit, Cobalt Strike, and Empire.
🔧 Technical Capabilities
Mimikatz extracts credentials from Windows memory, including plaintext passwords from LSASS (Local Security Authority Subsystem Service) via the sekurlsa module, NTLM hashes, Kerberos tickets (Golden/Silver Ticket attacks), and DPAPI secrets. It leverages multiple attack vectors: pass‑the‑hash, pass‑the‑ticket, and over‑pass‑the‑hash for lateral movement, and exploits WDigest (enabled by default on pre‑Windows 8.1 systems) to retrieve cleartext passwords. The tool can also manipulate Kerberos encryption keys, generate forged tickets, and extract domain cached credentials. It employs evasion techniques such as DLL side‑loading, process injection (e.g., into lsass.exe), and reflective loading to bypass antivirus detection. C2 infrastructure is not inherent to Mimikatz; it is typically delivered as a payload by droppers (e.g., via phishing emails or exploit kits) and executed in memory. Persistence is not a core feature, but adversaries often pair Mimikatz with scheduled tasks or registry run keys to re‑extract credentials after system reboots.
📜 History & Notable Incidents
Mimikatz gained widespread notoriety after its use in the 2017 NotPetya outbreak, where attackers used it to steal admin credentials and spread laterally across organizations. The tool was also identified in the SolarWinds supply‑chain attack (2020) as part of TEARDROP payloads, and in the 2021 Kaseya VSA ransomware incident (via REvil) to escalate privileges. No CVEs are directly associated with Mimikatz, but it exploits well‑known Windows authentication weaknesses such as the KMSP (Key Management Service Protocol) and WDigest registry settings (e.g., HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigestUseLogonCredential). Law enforcement actions have not targeted the tool itself, but several takedowns of C2 infrastructure (e.g., TrickBot, Emotet) have disrupted Mimikatz distribution channels.
🔍 Detection Indicators
Known file hashes vary by version; one common hash for mimikatz.exe (v2.2.0 64‑bit) is e9a6f32c3b0e2a1d4f5c8d7e6b9a0c1f2d3e4f5a (SHA1; example only – analysts should verify via official repositories). Behavioral signatures include lsass.exe process access (e.g., PROCESS_VM_READ), creation of dump files (*.dmp) in suspicious locations, and unexpected WinDbg or procdump usage. Network IOCs are tool‑specific; Mimikatz does not generate unique traffic unless embedded. Registry key modifications such as HKLMSYSTEMCurrentControlSetControlLsaDisableRestrictedAdmin and HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionslsass.exe can indicate attempts to weaken LSA protection. The MITRE ATT&CK technique T1003.001 (Credential Dumping: LSASS Memory) directly covers Mimikatz behavior.
☠️ Risk & Impact
Mimikatz enables credential theft that leads to lateral movement, privilege escalation, and full domain compromise, often resulting in data exfiltration and ransomware deployment. High‑impact incidents include the 2018 Olympic Destroyer attack (Winter Olympics) and multiple breaches in the financial services and healthcare sectors, where attackers used stolen VPN or domain admin credentials to pivot across networks. The U.S. CISA and UK NCSC have listed Mimikatz as a top‑tier threat indicator in their joint advisory on credential theft (AA22‑074A).
🛡️ Mitigation
Defenders should enable Windows Defender Credential Guard and Remote Credential Guard to isolate LSASS secrets, apply Microsoft’s KB2871997 (which removes WDigest plaintext storage), deploy LSA protection (via RunAsPPL registry key), and use EDR solutions with behavioral detections for LSASS memory access. Microsoft Security Baselines and the Sysmon event ID 10 (process access) can detect Mimikatz execution.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.