Achieved 100% detection in 2023
Stop advanced cyber
threats with one solution
Cynet’s All-In-One Security Platform
- Full-Featured EDR and NGAV
- Anti-Ransomware & Threat Hunting
- 24/7 Managed Detection and Response
What Is Mimikatz? Everything You Need to Know
January 13, 2020
Last Updated:
November 5, 2024
Share on:
In 2011, security researcher Benjamin Delpy discovered with Windows WDigest vulnerability. This security hole allows attackers to access internal storage on a Windows system, which holds user account passwords, and also obtain the keys to decrypt them. Microsoft ignored Delpy, and he created an open-source tool that can leverage WDigest to steal passwords.
The tool has since evolved into a powerful platform for compromising user credentials, used by penetration testers and ethical hackers to test the strength of their endpoint defenses, but also by network threat actors to gain unauthorized access to Windows systems.
What is Mimikatz?
Mimikatz is an open source tool originally developed by ethical hacker Benjamin Delpy, to demonstrate a flaw in Microsoft’s authentication protocols. Simply put, the tool steals passwords. It is deployed on a Windows endpoint, and allows its users to extract Kerberos tickets and other authentication tokens from the machine.
Since then, Mimikatz has gone through many versions and has evolved into a powerful tool used by hackers to attack authentication mechanisms on Microsoft-based endpoints. The same tool is also used by penetration testers and security staff to evaluate their vulnerability to these types of attacks.
Mimikatz is still maintained by Delpy, and new versions are constantly developed to keep up with updates to Windows operating systems. You can download the latest versions on Github. There are many forks and implementations of Mimikatz, some of which are packaged in popular malicious threat kits, including NotPetya and BadRabbit. At least 20 advanced persistent threat groups have been identified using Mimikatz as part of their arsenal.
Stop advanced cyber
Rated 4.8/5
2024 Leader
Mimikatz Attack Capabilities
Mimikatz has numerous modules that let attackers perform a variety of tasks on the target endpoint. Some of the more important attacks facilitated by the platform are:
- Pass-the-Hash—obtains an NTLM hash used by Windows to deliver passwords. This allows attackers to reuse the password without having to crack the hash.
- Pass-the-Ticket—Mimikatz was famously used to break the Kerberos protocol. It can obtain a Kerberos “ticket” for a user account and use it to login as that user on another computer.
- Kerberos Golden Ticket—obtains the ticket for the hidden root account (KRBTGT) that encrypts all authentication tickets, granting domain admin access for any computer on the network.
- Kerberos Silver Ticket—exploits Windows functionality that grants a user a ticket to access multiple services on the network (via the Ticket Granting Server or TGS). The Kerberos protocol may not check the TGS key, allowing attackers to reuse the key and impersonate the user on the network.
- Pass the Key—obtains a unique key used by a user to authenticate to a domain controller. The attacker can reuse this key to impersonate the user.
Tips From the Expert
In my experience, here are tips that can help you better prevent and mitigate Mimikatz attacks on your endpoints:
- Enable LSASS credential encryption
By default, LSASS keeps sensitive credentials in memory, which Mimikatz can exploit. Encrypting LSASS credentials adds another barrier, preventing attackers from easily dumping memory and extracting plaintext passwords or hashes. - Enforce multifactor authentication (MFA)
MFA adds an additional authentication layer, making it much harder for attackers to use stolen credentials, even if they obtain them via Mimikatz. Prioritize MFA for privileged accounts and domain admins. - Implement endpoint detection and response (EDR) solutions
EDR tools can detect abnormal process behavior like memory dumping or LSASS interaction, both of which Mimikatz relies on. Ensure your EDR platform is configured to flag and block such suspicious activity. - Minimize the use of privileged accounts for daily tasks
Limiting the use of admin accounts for regular tasks can prevent attackers from easily gaining the privileges needed to run Mimikatz. Use tools like Just Enough Administration (JEA) to delegate admin privileges with minimal rights. - Audit and restrict access to LSASS
Regularly audit access to the LSASS process and restrict administrative rights to only essential users. Tools like Windows Defender Credential Guard and LSA hardening can prevent Mimikatz from accessing LSASS memory.
How Does Mimikatz Work?
The original version of Mimikatz exploited a Windows feature called WDigest that enables Single Sign On (SSO) for large numbers of enterprise users. WDigest loads encrypted passwords into memory together with their decryption key, making it possible for attackers to perform a memory dump and decrypt the passwords.
Mimikatz creator Delpy contacted Microsoft to remediate the vulnerability but was ignored, and was motivated to create his tool. Microsoft eventually allowed users to disable WDigest, starting from Windows 8,1, and in Windows 10 disabled it by default. But the feature still exists and can be enabled by an attacker who gains administrative privileges. Meaning that Mimikatz is still highly effective and can be used to attack Windows 10 endpoints.
Preventing Mimikatz Attacks
Here are a few things you can do on a Windows endpoint to prevent the use of Mimikatz in a cyber attack.
Disable WDigest
Disabling WDigest severely limits the attacker’s options in a Mimikatz attack. Legacy versions of Windows such as Windows XP are extremely vulnerable to Mimikatz because they do not make it possible to disable WDigest. On Windows 7 and Windows Server 2008, you can install a patch (KB2871997) that makes it possible to disable WDigest. On newer Windows operating systems there is a built-in ability to disable this service.
LSA protection
Windows provides the Local Security Authority Server Service (LSASS) that is used to validate local user accounts and remote logins to a Windows system. If the attacker manages to interact with this service, they can obtain unencrypted passwords stored in its memory. LSA protection is an option that prevents untrusted processes from communicating with the LSA. Before Windows Server 2012 R2 and Windows 8.1, LSA protection was disabled by default, and should be enabled to help protect against Mimikatz.
Debug privilege
By default, Windows systems grant the local administrator permission to debug the system. This privilege is used by Mimikatz to communicate with LSASS. A best practice is to disable this privilege on endpoints, because in most cases the user is not a developer and does not really need to perform debugging.
Credential caching
Windows uses a system registry variable to cache password hashes that were recently used, in case the domain controller is unavailable. Mimikatz can gain access to these cached hashes and use them to impersonate user accounts.
You should change the caching policy on endpoints to cache 0 recent passwords instead of the default which is 10. This can be defined in Windows Settings > Local Policy > Security Options > Interactive Logon.
Protecting Against Unauthorized Access with Cynet
Cynet 360 is a holistic security solution that can help with three important aspects of unauthorized access—network security, endpoint security and behavioral analytics.
1. Endpoint Protection and EDR
Unauthorized access to endpoints is a common cause of data breaches. Cynet EDR continuously monitors endpoints, so defenders can detect the active malicious presence and make swift and precise decisions on its impact and scope.
2. User and Event Behavioral Analytics
Behavioral analytics can help detect anomalous activity on IT systems or user accounts. Cynet User Behavior Analysis monitors and profiles user activity continuously, to establish a legitimate behavioral baseline and detect anomalous activity that suggests compromise of user accounts.
Learn more about Cynet 360.
