Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets. Other useful attacks it enables are pass-the-hash, pass-the-ticket or building Golden Kerberos tickets. This makes post-exploitation lateral movement within a network easy for attackers.
Mimikatz, described by the author as just “a little tool to play with Windows security,” is an incredibly effective offensive security tool developed by Benjamin Delpy. It is used by penetration testers and malware authors alike. The destructive 2017 NotPetya malware rolled leaked NSA exploits like EternalBlue together with Mimikatz to achieve maximum damage.
Originally conceived as a research project by Delpy to better understand Windows security, Mimikatz also includes a module that dumps Minesweeper from memory and tells you where all the mines are located.
Mimikatz is not difficult to use, and Mimikatz v1 comes bundled as a meterpreter script as part of Metasploit. The new Mimikatz v2 upgrade has not yet been integrated into Metasploit as of this writing.
The name “mimikatz” comes from the French slang “mimi” meaning cute, thus “cute cats.” (Delpy is French and he blogs on Mimikatz in his native language.)
How does Mimikatz work?
Mimikatz exploits Windows single sign-on (SSO) functionality to harvest credentials. Until Windows 10, Windows by default used a feature called WDigest that loads encrypted passwords into memory, but also loads the secret key to decrypt them. WDigest has been a useful feature for authenticating large numbers of users on an enterprise or government network, but also lets Mimikatz exploit this feature by dumping memory and extracting the passwords.
In 2013, Microsoft made it possible to disable this feature as of Windows 8.1, and it is disabled by default in Windows 10. However, Windows still ships with WDigest, and an attacker who gains administrative privileges can simply turn it on and run Mimikatz.
Worse, so many legacy machines around the world run older versions of Windows that Mimikatz is still an incredibly powerful too and will likely remain so for many years to come.
History of Mimikatz
Delpy discovered the WDigest flaw in Windows authentication in 2011, but Microsoft brushed him off when he reported the vulnerability. In response, he created Mimikatz — written in C — and lobbed the binary onto the internet, where it quickly gained popularity among security researchers, not to mention unwanted attention from governments around the world, resulting in the eventual release of the source code on GitHub.
Mimikatz was almost immediately used by nation-state attackers, the first known case being the 2011 hack of DigiNotar, the now-defunct Dutch certificate authority, which went bankrupt as a result of the intrusion. The attackers issued bogus certs for Google and used them to spy on the Gmail accounts of several hundred thousand Iranian users.
The security tool has since been used by malware authors to automate the spread of their worms, including the aforementioned NotPetya attack and the 2017 BadRabbit ransomware outbreak. Mimikatz will likely remain an effective offensive security tool on Windows platforms for many years to come.
How to defend against Mimikatz
Defending against an attacker’s use of Mimikatz post-exploitation is challenging. Since an attacker must have root access on a Windows box to use Mimikatz, it’s already game over in some ways. Defense therefore becomes a question of containing the damage and limiting the resulting carnage.
Reducing the risk of an attacker with administrator privileges from accessing in-memory credentials using Mimikatz is possible and worth the trouble, however. The big take-away is to limit admin privileges to only users who actually need it.
Upgrading to Windows 10 or 8.1, at least, is a start and will mitigate the risk of an attacker using Mimikatz against you, but in many cases this is not an option. Hardening the Local Security Authority (LSA) to prevent code injection is another proven strategy to mitigate the risk.
Turning off debug privileges (SeDebugPrivilege) can also be of limited effectiveness, as Mimikatz uses built-in Windows debugging tools to dump memory. Disabling WDigest manually on older, unpatched versions of Windows will slow down an attacker for, oh, a minute or two — still worth doing, though.
An unfortunately common practice is the reuse of a single administrative password across an enterprise. Ensure that each Windows box has its own unique admin password. Finally, on Windows 8.1 and higher running LSASS in protected mode will make Mimikatz ineffective.
Detecting the presence and use of Mimikatz on an enterprise network is not a panacea, either, as current automated detection solutions do not boast a high success rate. The best defense is likely a good offense: Test your own systems with Mimikatz regularly and have an actual human monitor activity on your network.
Join the newsletter!