Mimikatz
What is Mimikatz?
Mimikatz: An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
Mimikatz is a credential-access tool created by Benjamin Delpy (gentilkiwi) to demonstrate fundamental Windows authentication weaknesses, particularly in LSASS memory and the SSPI providers (WDigest, Tspkg, Kerberos, MSV). It can dump credentials, forge Kerberos Golden and Silver tickets, perform pass-the-hash and pass-the-ticket, and manipulate certificates. While originally a research project, it became a staple of red-team toolkits and is heavily abused by ransomware actors after initial domain access. Modern Windows defenses (Credential Guard, LSA Protection, EDR, restricted admin mode, tiered administration) significantly reduce its impact, but it remains an essential benchmark for detection engineering.
● Examples
- 01
Running sekurlsa::logonpasswords to dump credentials from an LSASS memory image.
- 02
Forging a Golden Ticket with kerberos::golden after compromising the krbtgt account.
● Frequently asked questions
What is Mimikatz?
An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS. It belongs to the Defense & Operations category of cybersecurity.
What does Mimikatz mean?
An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
How does Mimikatz work?
Mimikatz is a credential-access tool created by Benjamin Delpy (gentilkiwi) to demonstrate fundamental Windows authentication weaknesses, particularly in LSASS memory and the SSPI providers (WDigest, Tspkg, Kerberos, MSV). It can dump credentials, forge Kerberos Golden and Silver tickets, perform pass-the-hash and pass-the-ticket, and manipulate certificates. While originally a research project, it became a staple of red-team toolkits and is heavily abused by ransomware actors after initial domain access. Modern Windows defenses (Credential Guard, LSA Protection, EDR, restricted admin mode, tiered administration) significantly reduce its impact, but it remains an essential benchmark for detection engineering.
How do you defend against Mimikatz?
Defences against Mimikatz combine the technical controls named in the definition above (Credential Guard, LSA Protection, EDR, restricted admin mode) with operational practices such as tiered administration.
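An added example, not part of the glossary entry: a PowerShell audit of three of the LSASS hardening controls the definition names (LSA Protection, WDigest credential caching, Credential Guard). It assumes it is run in an elevated session on the host being checked; the registry paths and WMI class are standard Windows locations, not anything from this page.

```powershell
# Added example, not part of the glossary entry: audit the LSASS hardening settings
# the definition names. Run in an elevated PowerShell session on the host being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the Windows default applies
}

$results = @()

# LSA Protection: RunAsPPL = 1 (or 2 on newer builds) runs LSASS as a protected
# process light, so ordinary user-mode tools cannot open it for memory reads.
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
$results += [pscustomobject]@{
    Control = 'LSA Protection (RunAsPPL)'
    Value   = $ppl
    Status  = if ($ppl -ge 1) { 'OK' } else { 'WEAK: LSASS not running as PPL' }
}

# WDigest: UseLogonCredential = 1 makes LSASS keep plaintext passwords in memory.
# Absent means the OS default, which is 0 on Windows 8.1 / Server 2012 R2 and later.
$wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
$results += [pscustomobject]@{
    Control = 'WDigest plaintext caching (UseLogonCredential)'
    Value   = $wd
    Status  = if ($wd -eq 1) { 'WEAK: plaintext credentials cached' } else { 'OK' }
}

# Credential Guard: Win32_DeviceGuard lists 1 in SecurityServicesRunning when
# Credential Guard is active (secrets live in isolated LSA, not in LSASS).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$cgRunning = $dg -and ($dg.SecurityServicesRunning -contains 1)
$results += [pscustomobject]@{
    Control = 'Credential Guard'
    Value   = if ($dg) { ($dg.SecurityServicesRunning -join ',') } else { 'n/a' }
    Status  = if ($cgRunning) { 'OK' } else { 'WEAK: Credential Guard not running' }
}

$results | Format-Table -AutoSize
```

Any row marked WEAK is a host where the credential-dumping behaviour described above still has an attack surface; a clean report does not replace EDR monitoring of LSASS access, which the definition lists as a separate control.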
What are other names for Mimikatz?
Common alternative names include: mimi, kekeo, Invoke-Mimikatz.
● Related terms
- defense-ops № 229
Credential Access
The MITRE ATT&CK tactic (TA0006) that covers techniques used to steal account names, passwords, tokens, and other secrets.
- attacks № 790
Pass-the-Hash
A credential-reuse attack that authenticates to Windows systems using a stolen NTLM password hash instead of the cleartext password.
- attacks № 447
Golden Ticket
A forged Kerberos Ticket-Granting Ticket signed with the krbtgt account hash that lets attackers impersonate any principal in a domain.
- attacks № 1045
Silver Ticket
A forged Kerberos service ticket (TGS) created with the password hash of a target service account, granting silent access to that one service.
- attacks № 583
Kerberoasting
An offline password attack that requests Kerberos service tickets for service accounts and cracks the encrypted portion to recover their cleartext passwords.
- identity-access № 013
Active Directory
Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
● See also
- № 791 Pass-the-Ticket
- № 616 Living off the Land
- № 632 LOLBin / LOLBAS
- № 332 DLL Injection
- № 862 Process Injection
- № 045 AMSI Bypass
- № 1002 SeDebugPrivilege
- № 1162 Token Impersonation