According to Verizon’s 2024 Data Breach Investigations Report, stolen credentials were the primary attack vector behind 80% of web application breaches and played a role in 24% of all initial breach actions. Tools like Mimikatz have become central to this epidemic of credential theft.
The massive Snowflake breach that affected 165 organisations and the Change Healthcare incident that impacted 100 million customers both relied on stolen credentials to penetrate enterprise networks. What began as a proof-of-concept security research tool has evolved into one of the most widely deployed weapons in cyber criminals’ arsenals.
What Is Mimikatz?
Mimikatz is an open-source credential extraction tool that allows users to view and harvest authentication credentials stored in Windows memory. The application specialises in extracting plaintext passwords, password hashes, PINs, and Kerberos tickets from Windows systems that have already been compromised. Its power lies in exploiting fundamental flaws in how Windows handles authentication data in memory.
French security researcher Benjamin Delpy created Mimikatz in 2007 as a proof-of-concept to demonstrate vulnerabilities in Microsoft’s authentication protocols. Delpy initially contacted Microsoft about the security flaw, but was told it would require a machine that was already compromised. He realised the tool could be used to gain access to other non-compromised machines on a network from a single compromised system. The tool’s name comes from French slang for “cute cats”, reflecting its deceptively innocent origins.
Today, Mimikatz operates as a dual-use tool, serving both legitimate security testing purposes and malicious ones. Red teams and penetration testers rely on it to assess network vulnerabilities and simulate real-world attack scenarios. However, threat actors, ranging from ransomware groups to nation-state attackers, have adopted it as a standard component in their toolkits for lateral movement and privilege escalation across enterprise networks.
How Mimikatz Works
Mimikatz operates through a systematic multi-stage process that transforms a single compromised system into a gateway for network-wide access.
- Initial access and privilege escalation: Attackers first gain administrative privileges on the target system through various methods like phishing, exploiting vulnerabilities, or social engineering. Mimikatz requires elevated permissions to access sensitive memory locations where credentials are stored.
- Memory access via LSASS: The tool directly accesses the Local Security Authority Subsystem Service (LSASS) process, which manages user authentication and stores credentials in system memory. LSASS holds authentication data for all currently logged-in users and recent login sessions.
- Credential extraction and dumping: Mimikatz extracts multiple types of authentication data from memory, including plaintext passwords, NTLM password hashes, and Kerberos authentication tickets. The tool can retrieve credentials even from users who are not currently logged in but have recently accessed the system.
- Hash processing and validation: The extracted NTLM hashes undergo processing to determine their usability for authentication. Mimikatz can also crack weaker hashes or use them directly in authentication attempts without needing the original password.
- Pass-the-hash attacks: Attackers use stolen NTLM hashes to authenticate to other systems on the network without knowing the actual passwords. Pass-the-hash techniques bypass traditional password-based security controls by leveraging the hash itself as an authentication token.
- Pass-the-ticket exploitation: The tool utilises extracted Kerberos tickets to impersonate users and access network resources. Golden tickets and silver tickets can be forged to maintain persistent access across the domain infrastructure.
- Lateral movement and escalation: With harvested credentials, attackers move horizontally through the network to access additional systems and resources. Each newly compromised system becomes another source for credential harvesting, creating a cascading effect across the enterprise environment.
The use of Mimikatz is one of the most common privilege escalation attack methods. According to Matthew Gardiner, Product Marketing Manager at Proofpoint, “Mimikatz is a widely used tool that automates the retrieval of credentials from endpoints that are running Windows. As such, it is a highly effective tool for escalating privileges within a compromised system.”
Mimikatz in Real-World Attacks
Mimikatz has transcended its origins as a security research tool to become one of the most widely deployed weapons in cyber criminal arsenals. Advanced Persistent Threat (APT) groups and ransomware operators consistently integrate Mimikatz into their attack chains for post-compromise activities. The tool’s effectiveness in extracting credentials and enabling lateral movement has made it a cornerstone technique across diverse threat landscapes.
NotPetya Ransomware
The NotPetya attack represents one of the most devastating demonstrations of Mimikatz’s destructive potential when weaponised at scale. This Russian state-sponsored campaign combined a modified version of Mimikatz with the leaked NSA EternalBlue exploit to create a self-propagating weapon that caused billions of dollars in global damages. NotPetya used Mimikatz to steal Windows credentials from compromised systems, then leveraged those credentials with legitimate Windows tools like WMIC or psexec.exe to spread laterally across networks.
The attack’s success hinged on Mimikatz’s ability to extract administrator credentials from memory and exploit common network misconfigurations. Organisations with shared administrative passwords across multiple endpoints were particularly vulnerable, as a single compromised system could provide keys to the entire network. The combination of EternalBlue for initial access and Mimikatz for credential harvesting created a devastating attack chain that automated network-wide compromise.
Modern Ransomware Campaigns
Contemporary ransomware operations have standardised Mimikatz as a core component of their post-breach toolkit. Major ransomware families, including DoppelPaymer, Nefilim, NetWalker, Maze, ProLock, RansomExx, and Sodinokibi, have all incorporated Mimikatz for credential dumping and privilege escalation. These groups deploy the tool during reconnaissance phases to harvest administrative credentials for broader network access and more destructive payload deployment.
NetWalker exemplifies sophisticated Mimikatz integration through its use of PowerSploit’s Invoke-Mimikatz for fileless execution. This approach loads Mimikatz directly into memory without writing files to disk, making detection significantly more challenging. The harvested credentials are then used to disable security tools, access critical systems, and deploy ransomware payloads with elevated privileges across the enterprise environment.
Advanced Persistent Threat (APT) Groups
Elite nation-states and sophisticated criminal groups have incorporated Mimikatz into their standard operational playbooks. Notable APT groups, including APT28 (Fancy Bear), APT29, Lazarus, Turla, Carbanak, and FIN6, regularly deploy custom implementations of Mimikatz techniques. These groups often develop their own methods to invoke Mimikatz functionality to evade endpoint security controls and ensure attack success.
APT29 demonstrates advanced Mimikatz usage through multiple attack vectors, including LSASS memory dumping, pass-the-hash attacks, and token impersonation. The group leveraged these techniques during their sophisticated supply chain attack against U.S. government agencies, using Mimikatz to escalate privileges and maintain persistent access across compromised networks. Their integration of Mimikatz with other legitimate tools showcases how advanced adversaries blend credential theft with living-off-the-land techniques.
Cobalt Strike Integration
The Cobalt Strike framework has amplified Mimikatz’s reach by incorporating its functionality as core features accessible to less sophisticated threat actors. Cobalt Strike’s ability to invoke Mimikatz directly in memory from any appropriate process context has enabled fileless attacks that bypass many traditional security controls.
Criminal groups like Cobalt Group have built their entire operational model around this integration, using Cobalt Strike’s collaborative features to coordinate multi-stage attacks that rely heavily on Mimikatz for credential harvesting and lateral movement. The framework’s ability to execute Mimikatz without disk writes has made these attacks particularly challenging for security teams to detect and respond to effectively.
Why Mimikatz Matters for Defenders
Mimikatz presents a fundamental challenge to traditional cybersecurity approaches because it weaponises legitimate Windows functionality against itself. The tool accesses the same memory locations and API calls that legitimate system processes use during routine authentication operations, making detection extraordinarily difficult. Unlike typical malware that relies on exploiting specific vulnerabilities, Mimikatz leverages documented Windows APIs and memory structures that security tools cannot simply block without disrupting normal system functions.
“With a simple PowerShell command, threat actors can find users with the permissions they require,” warns Tim Nursall, Staff Sales Engineer at Proofpoint. “Add an off-the-shelf tool like Mimikatz into the mix, and within seconds, they can access every hash and every Active Directory privilege on the network,” he adds.
The tool’s impact extends beyond simple credential theft to undermining multifactor authentication (MFA) protection in enterprise environments. Once an authenticated user completes MFA verification, their Kerberos tickets remain valid for the session duration, and Mimikatz can extract and replay these tickets to access network resources without triggering additional MFA prompts. Golden ticket and silver ticket attacks represent particularly sophisticated techniques that exploit Active Directory trust relationships to forge authentication tickets, providing persistent access that bypasses password resets and account lockouts.
Mimikatz’s prevalence in modern attack chains underscores the critical limitations of credential-based security models and highlights the urgent need for behavioural detection capabilities. Traditional security approaches that rely on static indicators fail against tools that abuse legitimate system functionality. Organisations must implement solutions that monitor for anomalous patterns in credential usage, authentication flows, and privileged access activities while adopting zero-trust architectures that continuously validate user behaviour rather than relying solely on initial authentication success.
How to Detect Mimikatz Use
Effective Mimikatz detection requires a multi-layered approach that combines technical indicators with behavioural analysis to identify credential harvesting activities before they lead to network-wide compromise.
- Unusual LSASS process activity: Monitor the Local Security Authority Subsystem Service (LSASS) for abnormal memory consumption, CPU usage spikes, or unauthorised access attempts. Advanced EDR solutions can detect suspicious memory scanning patterns and calls to functions like NtReadVirtualMemory that Mimikatz uses to extract credentials from LSASS memory.
- Suspicious PowerShell execution: Watch for PowerShell Script Block Logging events (EventCode 4104) containing Mimikatz-related commands such as Invoke-Mimikatz, -dumpcreds, sekurlsa::logonpasswords, sekurlsa::pth, or kerberos::golden. These commands often appear in fileless attacks where Mimikatz functionality is loaded directly into memory without writing files to disk.
- Memory dumping tools and living-off-the-land binaries: Monitor for legitimate system tools being misused for credential theft, including procdump.exe, comsvcs.dll, psexec.exe, and wmic.exe. These tools can dump LSASS memory or facilitate remote execution of Mimikatz on other systems within the network.
- Anomalous authentication patterns: Look for unusual login activities such as multiple failed authentication attempts, logins from unfamiliar locations or at odd hours, and rapid successive logins across multiple systems. Pass-the-hash and pass-the-ticket attacks often create distinctive authentication patterns that differ from normal user behaviour.
- Process and command-line indicators: Scan running processes and command-line arguments for terms like “mimikatz”, “gentilkiwi”, “delpy”, or specific module names such as sekurlsa::tickets and lsadump::sam. However, sophisticated attackers often rename executables or use custom implementations to evade signature-based detection.
- Network traffic anomalies: Monitor for unusual SMB activity, especially SMBv1 usage, unexpected file transfers to external destinations, or large volumes of data being exfiltrated following authentication events. Modern XDR platforms can correlate these network behaviours with endpoint activities to provide comprehensive attack visibility.
- File system artefacts: Watch for suspicious file creation in temporary directories, unusual executables in system folders, or the presence of memory dump files with extensions like .dmp or .tmp. Mimikatz often leaves traces when saving credentials to disk or when attackers use dump files for offline analysis.
The shift toward behaviour-based detection has become critical because Mimikatz and similar tools exploit legitimate system functions rather than using traditional malware signatures. Modern EDR and XDR solutions leverage machine learning algorithms to establish baseline behaviours and identify deviations that indicate credential theft activities. This approach proves more effective than static signature matching, as attackers frequently modify tools or use custom implementations to evade traditional detection methods.
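A small detection routine, added here as an illustration and not part of the original article, that applies the indicators listed above to constructed sample events: 4104 script-block text and 4688 command lines are matched against the Mimikatz module names and the LSASS-dumping living-off-the-land binaries, and 4624 logon events are checked for one account reaching many hosts in a short window. The event dictionary layout, field names and every sample line are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the detection list above: Mimikatz module names, Invoke-Mimikatz
# arguments, and author/project strings. Matching is case-insensitive.
MIMIKATZ_PATTERNS = [r"mimikatz", r"-dumpcreds", r"sekurlsa::", r"kerberos::golden",
                     r"lsadump::", r"gentilkiwi", r"delpy"]
# Living-off-the-land binaries used to write LSASS memory to a .dmp file.
LSASS_DUMP_PATTERNS = [r"procdump(?:64)?\.exe.*\blsass\b", r"comsvcs\.dll.*minidump"]

def classify(event):
    """Return the indicator patterns an event matches; [] means nothing suspicious.
    Events are dicts with 'id' (Windows event ID) and, for 4104/4688, 'text'."""
    if event["id"] not in (4104, 4688):
        return []
    text = event["text"].lower()
    hits = [f"mimikatz:{p}" for p in MIMIKATZ_PATTERNS if re.search(p, text)]
    hits += [f"lsass-dump:{p}" for p in LSASS_DUMP_PATTERNS if re.search(p, text)]
    return hits

def rapid_lateral_logons(events, max_hosts=3, window=timedelta(minutes=5)):
    """Accounts whose 4624 logons reach more than max_hosts distinct systems inside
    `window`: the rapid successive logon pattern that pass-the-hash and
    pass-the-ticket lateral movement leaves behind."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4624:
            by_account[e["account"]].append((e["time"], e["host"]))
    flagged = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged

def triage(events):
    """Run both checks: returns ([(event id, hits), ...], {account: hosts})."""
    flagged = [(e["id"], hits) for e in events if (hits := classify(e))]
    return flagged, rapid_lateral_logons(events)

# Constructed sample telemetry (assumed field layout, not real logs).
T0 = datetime(2024, 6, 1, 2, 13, 0)
SAMPLE_EVENTS = [
    {"id": 4104, "text": "Invoke-Mimikatz -DumpCreds"},
    {"id": 4688, "text": r"C:\Tools\procdump64.exe -accepteula -ma lsass.exe C:\Temp\out.dmp"},
    {"id": 4688, "text": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full"},
    {"id": 4688, "text": r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"},
    {"id": 4624, "account": "alice", "host": "WS-ALICE", "time": T0},
    {"id": 4624, "account": "alice", "host": "FS01", "time": T0 + timedelta(hours=6)},
] + [
    {"id": 4624, "account": "svc_backup", "host": h, "time": T0 + timedelta(seconds=20 * i)}
    for i, h in enumerate(["FS01", "FS02", "DC01", "HR-PC7", "FIN-PC3"])
]

if __name__ == "__main__":
    hits, lateral = triage(SAMPLE_EVENTS)
    for event_id, reasons in hits:
        print(event_id, reasons)
    print("rapid lateral logons:", lateral)
```

The string matches are the cheap first layer the article warns can be evaded by renamed binaries; the logon-fan-out check is the behavioural layer that still fires when the tool itself is renamed.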
How to Prevent Mimikatz Attacks
Preventing Mimikatz attacks requires a layered defence strategy that combines technical controls, access management, and human-focused security measures to reduce both the attack surface and the potential impact of credential theft.
Credential Protection
Modern Windows environments offer several built-in protections specifically designed to counter credential harvesting tools like Mimikatz. Windows Credential Guard uses virtualisation-based security to isolate sensitive authentication data from the operating system, making it significantly more difficult for attackers to extract credentials from memory. Local Security Authority (LSA) Protection prevents unauthorised access to the LSASS process by requiring digitally signed code to interact with authentication data.
Organisations should also disable WDigest authentication unless absolutely required for legacy applications. WDigest stores plaintext passwords in memory, providing an easy target for Mimikatz and similar tools. Disabling this protocol forces Windows to rely on more secure authentication methods that store only hashed credentials in memory.
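An added posture check, not from the article or from Proofpoint, for the three protections just described. The registry locations are Microsoft’s documented ones for WDigest, LSA Protection and Credential Guard; the check names, the evaluate() function and the sample value sets are assumptions, and the registry is only read when the script runs on Windows.

```python
"""Posture check for WDigest caching, LSA Protection (RunAsPPL) and Credential Guard.
Registry paths are Microsoft's documented locations; the check names are assumptions."""

# check name -> (key under HKEY_LOCAL_MACHINE, value name)
CHECKS = {
    "wdigest": (r"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential"),
    "lsa_ppl": (r"SYSTEM\CurrentControlSet\Control\Lsa", "RunAsPPL"),
    "cred_guard": (r"SYSTEM\CurrentControlSet\Control\Lsa", "LsaCfgFlags"),
    "vbs": (r"SYSTEM\CurrentControlSet\Control\DeviceGuard", "EnableVirtualizationBasedSecurity"),
}

def evaluate(values, modern_windows=True):
    """values maps check name -> DWORD, or None when the value is absent.
    Returns a list of findings; an empty list means all three protections are configured."""
    findings = []
    wdigest = values.get("wdigest")
    # An absent UseLogonCredential means the OS default: plaintext caching is off on
    # Windows 8.1 / Server 2012 R2 and later, but on for older builds.
    if wdigest == 1 or (wdigest is None and not modern_windows):
        findings.append("WDigest keeps plaintext passwords in LSASS memory; set UseLogonCredential=0")
    # RunAsPPL 1 (UEFI-locked) or 2 (not locked) both run LSASS as a protected process.
    if values.get("lsa_ppl") not in (1, 2):
        findings.append("LSA Protection is off; set RunAsPPL=1 so only signed code can touch LSASS")
    # Credential Guard needs VBS on and LsaCfgFlags 1 (UEFI lock) or 2 (no lock).
    if values.get("vbs") != 1 or values.get("cred_guard") not in (1, 2):
        findings.append("Credential Guard is not configured; enable VBS and set LsaCfgFlags=1")
    return findings

def read_windows_values():
    """Read the values from the live registry; Windows only (uses winreg)."""
    import winreg
    values = {}
    for name, (path, value_name) in CHECKS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                values[name] = winreg.QueryValueEx(key, value_name)[0]
        except FileNotFoundError:
            values[name] = None  # key or value absent
    return values

# Constructed example value sets: a default install with nothing hardened, and a hardened one.
UNHARDENED = {"wdigest": None, "lsa_ppl": None, "cred_guard": None, "vbs": None}
HARDENED = {"wdigest": 0, "lsa_ppl": 1, "cred_guard": 1, "vbs": 1}

if __name__ == "__main__":
    import sys
    values = read_windows_values() if sys.platform == "win32" else UNHARDENED
    for finding in evaluate(values) or ["all checked protections are configured"]:
        print(finding)
```

These values describe the configured policy only; whether Credential Guard is actually running is reported by the Win32_DeviceGuard WMI class (SecurityServicesRunning), and policy-managed devices may carry the setting under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard instead.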
Access Controls
Implementing strict access controls and privilege management represents the most effective long-term defence against credential-based attacks. Organisations must enforce least privilege principles by limiting domain administrator access to only essential personnel and specific tasks. Regular audits of privileged accounts help identify unnecessary permissions and reduce the attack surface available to credential theft tools.
Credential reuse across systems creates cascading vulnerabilities that amplify Mimikatz’s impact once an attacker gains initial access. Each system should use unique local administrator passwords, and privileged accounts should be segmented to prevent lateral movement between network segments. This approach contains potential breaches and limits the scope of credential harvesting activities.
Human-Centric Measures
User education remains a critical component of Mimikatz prevention because the tool requires initial system access to operate effectively. Security awareness training programmes should emphasise the recognition of phishing, social engineering tactics, and the importance of reporting suspicious activities. Users must understand that credential theft tools like Mimikatz often follow successful phishing campaigns or other human-targeted attacks.
Organisations must also address insider threat risks through background checks, access monitoring, and clear security policies. Insider threats represent a significant vulnerability because malicious employees already possess legitimate system access and may deploy Mimikatz without triggering traditional security controls. Regular security assessments and behavioural monitoring help detect potential insider misuse before it leads to widespread credential compromise.
Knowing the Tool Is Key to Stopping the Attack
Mimikatz’s ability to extract credentials from legitimate Windows processes and bypass MFA through ticket reuse makes it a persistent threat that exploits the very foundation of enterprise authentication systems. Effective defence requires organisations to move beyond traditional signature-based detection toward comprehensive strategies that combine technical controls like Credential Guard and LSA Protection with robust user education and behavioural monitoring. Understanding Mimikatz’s capabilities and attack patterns enables security teams to implement proactive defences that address both the technical vulnerabilities and human factors that allow credential theft attacks.
How Proofpoint Can Help
Proofpoint’s comprehensive cybersecurity platform addresses the human-centric attack vectors that often precede Mimikatz deployment through advanced email security, threat intelligence, and user behaviour analytics. The company’s solutions help organisations detect and prevent the initial compromise methods that attackers use to gain access to the system required for credential harvesting tools. Proofpoint’s threat detection capabilities provide real-time visibility into suspicious activities and credential-based attacks. Their security awareness training programmes educate users to recognise and report social engineering tactics that typically enable Mimikatz attacks. By combining technical threat prevention with human risk management, Proofpoint helps organisations build resilient defences against the evolving credential theft landscape. Contact Proofpoint to learn more.