Post-exploitation tool for extracting Windows credentials from memory, enabling Pass-the-Hash, Golden Ticket, and DCSync attacks.
# Mimikatz
Mimikatz is a post-exploitation tool created by Benjamin Delpy that extracts plaintext passwords, Kerberos tickets, PIN codes, and hashes from Windows memory. Originally developed to demonstrate weaknesses in Microsoft's authentication protocols, Mimikatz has become one of the most impactful security tools ever created. It is used by red teams, penetration testers, and unfortunately by real-world threat actors in nearly every major breach involving Windows environments.
The tool exists because Windows stores authentication credentials in memory for performance and user experience reasons. When you log into a Windows domain, your credentials remain in the Local Security Authority Subsystem Service (LSASS) process to enable single sign-on to network resources. This design choice, optimized for usability, creates a fundamental security vulnerability that Mimikatz exploits.
Mimikatz fits into the broader category of credential harvesting tools, but its impact extends far beyond simple password theft. It enables lateral movement techniques like pass-the-hash and pass-the-ticket attacks, privilege escalation through Golden and Silver Ticket attacks, and persistence mechanisms that can survive password changes. The tool has forced a fundamental rethinking of Windows domain security architecture and remains the primary driver behind Microsoft's implementation of modern credential protection technologies like Credential Guard and Windows Defender Remote Credential Guard.
Mimikatz operates through several modules, each targeting different aspects of Windows credential storage and authentication mechanisms. Understanding these modules is essential for both attackers seeking to abuse them and defenders working to detect and prevent their use.
The sekurlsa module is Mimikatz's core functionality. It reads directly from LSASS process memory to extract plaintext passwords, NTLM hashes, and Kerberos tickets. When a user logs into Windows, their credentials are stored in LSASS memory space to enable seamless access to network resources. The sekurlsa::logonpasswords command dumps these credentials for all logged-on users. On older Windows versions (before Windows 8.1 and Server 2012 R2), this includes plaintext passwords. On newer systems, where WDigest credential caching is disabled by default, it primarily extracts NTLM hashes and Kerberos tickets, though plaintext passwords may still be available for certain authentication scenarios.
The kerberos module enables some of Mimikatz's most powerful attacks against Active Directory environments. Golden Ticket attacks use the kerberos::golden command to forge Ticket Granting Tickets (TGTs) using the KRBTGT account hash. Since domain controllers trust any ticket encrypted with the KRBTGT key, these forged tickets provide unlimited domain access for up to 10 years (the default maximum ticket lifetime). Silver Ticket attacks (kerberos::silver) forge service tickets for specific services, allowing targeted access without contacting domain controllers. The Overpass-the-Hash technique (sekurlsa::pth) uses stolen NTLM hashes to request legitimate Kerberos tickets, effectively converting hash-based attacks into ticket-based attacks that bypass many detection mechanisms.
The lsadump module extracts secrets from various Windows credential stores. The lsadump::sam command dumps password hashes from the Security Account Manager (SAM) database for local accounts. The lsadump::secrets command extracts LSA secrets, including service account passwords, cached domain credentials, and machine account passwords. Most significantly, lsadump::dcsync simulates a domain controller replication request to extract password hashes for any domain account directly from Active Directory. DCSync is particularly dangerous because it operates over legitimate RPC protocols and doesn't require direct access to domain controller files.
The crypto module handles certificate-based attacks. Windows stores private keys for user and machine certificates in memory and on disk. Mimikatz can extract these private keys (crypto::capi, crypto::cng) and export certificates with their private keys (crypto::certificates). This capability enables attackers to impersonate users and machines in environments using certificate-based authentication, including smart card logon and certificate-based VPN access.
Credential delegation attacks exploit Windows features designed to enable seamless access to network resources. The sekurlsa::tspkg command extracts credentials from Terminal Services Provider (used for RDP), while sekurlsa::wdigest targets the WDigest authentication provider. The misc::memssp command installs a malicious Security Support Provider (SSP) that logs plaintext credentials for future use, providing persistent credential harvesting.
Mimikatz requires elevated privileges for most operations. LSASS process access requires local administrator rights or SYSTEM privileges. However, some techniques like DCSync require domain-level privileges (Domain Admin, Enterprise Admin, or accounts with DS-Replication-Get-Changes permissions). The tool can operate in-memory without touching disk, making it difficult to detect through traditional file-based antivirus scanning.
Mimikatz fundamentally changed Windows domain security by proving that credential storage in memory creates an unsolvable security problem under the traditional Windows authentication model. Its impact extends far beyond its technical capabilities to reshape how organizations architect, deploy, and defend Windows environments.
From a business continuity perspective, Mimikatz enables attackers to move laterally through Windows domains with unprecedented speed and stealth. Traditional perimeter security becomes irrelevant when an attacker with local administrator access on any domain-joined machine can extract credentials for other users and escalate to domain-wide compromise within hours. The tool's DCSync capability means that securing domain controllers at the network level is insufficient; attackers can extract the entire Active Directory password database from any compromised machine with appropriate privileges.
The financial impact of Mimikatz-enabled breaches is substantial. The tool appears in virtually every major ransomware deployment against Windows environments. Attackers use credential harvesting to move laterally, identify high-value targets like domain controllers and backup systems, and deploy ransomware across entire organizations simultaneously. The 2017 NotPetya outbreak, which caused over $10 billion in damages, used Mimikatz-style techniques to spread laterally through Windows networks after initial compromise.
Organizations often misunderstand Mimikatz as simply a password cracking tool. This misconception leads to ineffective countermeasures focused on password complexity rather than fundamental architectural changes. Mimikatz doesn't crack passwords; it extracts them from memory or bypasses password authentication entirely through hash and ticket attacks. Strong passwords provide no protection against Mimikatz if the user has logged into a compromised system.
The tool has driven significant changes in Microsoft's security architecture. Credential Guard uses hardware-based virtualization to isolate LSASS credentials from the main operating system. Protected Users group prevents certain types of credential delegation for high-privilege accounts. Local Administrator Password Solution (LAPS) rotates local administrator passwords to prevent lateral movement using shared local accounts. Windows Defender Remote Credential Guard protects credentials during RDP sessions. These technologies exist specifically because of vulnerabilities that Mimikatz demonstrated and exploited.
For security operations centers, Mimikatz detection is a critical capability. However, the tool's ability to operate entirely in memory and use legitimate Windows APIs makes detection challenging. Effective detection requires monitoring for LSASS process access, unusual Kerberos ticket requests, DCSync replication activity, and anomalous authentication patterns rather than trying to identify the tool itself.
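As an added illustration of that monitoring approach (example code written for this article, not code from the original page or from Mimikatz itself), the following Python scans constructed Windows Security and Sysmon event lines for the three indicators named above: DCSync replication rights exercised by an account that is not a domain controller, a non-system process opening LSASS memory for reading, and RC4 service tickets in a domain assumed to be AES-only. The key=value event rendering, the allowlists, and the account and host names are constructed assumptions to be replaced with your own telemetry and environment.

```python
import re
# Constructed sample events (not real telemetry): simplified key=value renderings
# of Windows Security events 4662/4769 and Sysmon event 10.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=jdoe ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=DC02$ ObjectType=domainDNS AccessMask=0x100 Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Users\\jdoe\\Downloads\\tool.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=4769 TargetUserName=svc_sql ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=jdoe ServiceName=cifs/fs01 TicketEncryptionType=0x12",
]
# Control-access-right GUIDs that a DCSync replication request exercises.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Assumed allowlists: DC machine accounts that replicate legitimately (add sync
# accounts such as Azure AD Connect) and processes that routinely open LSASS.
DC_ACCOUNTS = {"DC01$", "DC02$"}
LSASS_BENIGN_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # reading LSASS memory needs this access right
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # values may contain spaces

def parse_event(line):
    """Turn a key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))

def detect(line):
    """Return (rule, detail) if the event matches an indicator, else None."""
    ev = parse_event(line)
    eid = ev.get("EventID")
    if eid == "4662":
        guids = set(re.findall(r"[0-9a-f-]{36}", ev.get("Properties", "").lower()))
        if guids & REPLICATION_GUIDS and ev.get("SubjectUserName") not in DC_ACCOUNTS:
            return ("dcsync", ev["SubjectUserName"])
    elif eid == "10" and ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        source = ev.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
        if int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ and source not in LSASS_BENIGN_SOURCES:
            return ("lsass_access", ev["SourceImage"])
    elif eid == "4769" and ev.get("TicketEncryptionType", "").lower() == "0x17":
        # RC4 service ticket in a domain assumed to be AES-only: tickets forged from
        # an NTLM hash are RC4, so correlate this with 4769 volume and legacy services.
        return ("rc4_service_ticket", ev.get("ServiceName", ""))
    return None

def scan(lines):
    """Run every event through detect() and collect the hits in order."""
    return [hit for hit in map(detect, lines) if hit]
```

Each rule fires on behaviour (replication rights, LSASS memory reads, ticket encryption) rather than on the Mimikatz binary, which is why it still works when the tool runs in memory or is renamed.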
CDA approaches Mimikatz through the Information and Application Technology (IAT) domain of the Protection Dynamics Model, treating it as a fundamental design flaw in credential-based authentication systems rather than a malware problem. The tool demonstrates why Zero Possession Architecture (ZPA) principles are essential: traditional Windows authentication violates "possess nothing" by storing credentials in memory and "trust nothing" by accepting previously validated credentials without continuous verification.
The IAT domain owns Mimikatz risk because the vulnerability exists in the authentication architecture itself. While Tools, Infrastructure, and Data (TID) practitioners often focus on detecting Mimikatz execution, IAT recognizes that the fundamental problem is Windows' design decision to cache credentials for usability. This architectural flaw cannot be solved through detection and response; it requires replacing credential-based authentication with possession-free alternatives.
CDA's ZPA methodology fundamentally differs from conventional Mimikatz countermeasures. Traditional approaches focus on protecting credentials through technologies like Credential Guard or detecting credential extraction through LSASS monitoring. ZPA eliminates the problem by removing credentials from the equation entirely. Instead of storing passwords or password-equivalent tokens in memory, ZPA-based authentication continuously validates identity through external authoritative sources, device attestation, and behavioral analysis.
Under ZPA, the question changes from "how do we protect stored credentials?" to "why are we storing credentials at all?" Modern identity providers like Azure AD with conditional access policies, Google Cloud Identity, or Okta with device trust can gate access to resources without placing credential material on endpoint devices. Certificate-based authentication with hardware-backed private keys (TPM, FIDO2) provides cryptographic identity without password equivalents in memory.
CDA's approach recognizes that Mimikatz represents a category of tools rather than a single threat. WCE (Windows Credentials Editor), LaZagne, Covenant, and dozens of other tools exploit the same fundamental design flaw. Focusing countermeasures on Mimikatz specifically misses the broader architectural problem. ZPA addresses the entire category by eliminating the credential stores that these tools target.
The methodology extends beyond endpoint authentication to infrastructure design. CDA advocates for privileged access management (PAM) solutions that provide just-in-time credential issuance rather than persistent privileged accounts. Administrative access should be gated through external identity providers with hardware-backed authentication, time-limited access tokens, and session recording. This approach eliminates the high-value credential targets that make Mimikatz so effective for privilege escalation.
• Mimikatz exploits fundamental Windows authentication design, not software bugs, making it impossible to patch away the underlying vulnerability without architectural changes.
• The tool's impact extends far beyond password theft to enable Golden Tickets, DCSync attacks, and other techniques that bypass traditional authentication entirely.
• Effective defense requires eliminating credential storage through Zero Possession Architecture rather than trying to protect stored credentials or detect their extraction.
• Detection strategies must focus on authentication anomalies and lateral movement patterns rather than trying to identify Mimikatz execution directly.
• Modern Windows security features like Credential Guard provide mitigation but not elimination of Mimikatz risks; true protection requires moving beyond credential-based authentication.
• Pass-the-Hash Attacks
• Active Directory Security Architecture
• Credential Guard and Windows Security Features
• Privileged Access Management (PAM)
• Zero Trust Authentication Models
Written by CDA Editorial