What is Mimikatz?
How Mimikatz is used and how to protect your organization against credential-theft attacks that leverage this tool
Windows security has long been a central concern for security analysts, and a myriad of techniques have been published over the years that aim to weaken or circumvent it in a variety of ways. For credential harvesting on Windows, Mimikatz has become the most popular tool, with pentesters, auditors, and even malicious actors leveraging it in their activity.
In this article, I explain what Mimikatz is, how it is used, and how to protect your organization against this powerful password-stealing tool.
What is Mimikatz?
Mimikatz is an open-source, credential-dumping application that extracts account username and password information, typically in the shape of a hash or a plain text password. It allows users to view and save authentication credentials like Kerberos tickets, which can later be used to execute lateral movement and gain access to restricted data.
The software was created by Benjamin Delpy in 2007 as a PoC with the purpose of learning how Microsoft’s authentication protocols were vulnerable to attacks.
However, in time, Mimikatz turned into one of the most powerful password stealers. It was used in a variety of attacks in recent years, from the Russian hacking of the German parliament to the multimillion-dollar bank robberies performed by the Carbanak group. Mimikatz was also utilized in conjunction with leaked NSA hacking software by both NotPetya and BadRabbit ransomware to automate attacks that infected networks and had catastrophic consequences.
“Mimikatz wasn’t at all designed for attackers. But it’s helped them,” says Delpy. “When you create something like this for good, you know it can be used by the bad side too.”
The story behind Mimikatz
Mimikatz rose to prominence as a hacking tool due to its ability to take advantage of a Windows feature called WDigest. This feature is intended to make it easier for Windows users to prove their identity to various internal apps or over the internet. In short, it remembers their login credentials and reuses them automatically, so users only need to enter their username and password once.
Although Windows holds an encrypted copy of the user’s password in memory, it also keeps a copy of the hidden key used to decrypt it. In Delpy’s words,
It’s like storing a password-protected secret in an envelope with the password in the same email.
Delpy first informed Microsoft in 2011 of a security flaw that could be abused using Mimikatz. However, he claims the corporation dismissed his notice, stating it wasn’t a true vulnerability, as malicious actors would need to obtain admin rights on a victim’s computer before being able to access the password stored in memory.
In reality, however, the Windows authentication software was still a useful tool for hackers looking to spread their malware from one computer to many devices on a network. If a malicious piece of software gained administrator rights, it could steal the encrypted password from memory, together with the key to decrypt it, and use them to gain access to other components inside the environment.
Delpy soon noticed Chinese users debating the use of Mimikatz and attempting to reverse-engineer it on hacker forums. And, in mid-2011, he heard for the first time that Mimikatz had been used in a government network infiltration.
In September of that year, the tool was used in the historic hack of DigiNotar, one of the certificate authorities that ensures websites using HTTPS are who they appear to be. According to cybersecurity experts at Fox-IT, the intrusion enabled the anonymous attackers to issue fake certificates, which were then used to eavesdrop on thousands of Iranians. Web browsers blacklisted DigiNotar, and the company went out of business as a result.
As Mimikatz’s popularity grew, Microsoft eventually introduced the option to disable WDigest in Windows 8.1 in 2013, effectively neutralizing Mimikatz’s most important function. By Windows 10, the exploitable feature would be disabled by default. However, to this day, Mimikatz is still successful on nearly any Windows machine, either because the targeted device is running an old version of the operating system or because the attacker can perform privilege escalation in Windows systems and activate WDigest, even though it was initially disabled.
Despite this misuse, Delpy has not backed away from Mimikatz. Instead, he has continued to refine the tool, openly talking about it and introducing additional functionality so it remains compatible with the latest Windows version and includes the most recent attacks. Delpy now notifies Microsoft months in advance before introducing a feature that exploits a serious new security flaw in Windows.
Is Mimikatz malware?
As explained above, Mimikatz is not malware. Nonetheless, it is a highly powerful tool that can be leveraged for both nefarious and ethical purposes. Although cyber criminals use Mimikatz in credential-stealing and privilege-escalation attacks, a capable EDR product will detect and remove it. Pentesters also use Mimikatz to find and exploit security flaws in networks so they can be addressed.
Mimikatz isn’t meant to purposely help malicious hackers, but rather to highlight Windows’ security flaws. If sysadmins restrict user privileges, Mimikatz will not get the admin rights it needs to spread to other endpoints and harvest additional credentials.
When Mimikatz is used as a password-stealing tool, the software itself is not the key issue. Instead, there are various underlying security weaknesses that organizations must fix, such as properly handling patch management and privileged access management (PAM).
Types of Mimikatz attacks
Mimikatz may use techniques like these to collect credentials:
- Pass the Hash
Windows stores password data as an NTLM hash. Without having to crack the password, the attacker simply uses Mimikatz to present that hash string to the target computer, which then allows the attacker to log in.
- Over-Pass the Hash (Pass the Key)
This is another form of the pass-the-hash technique, but here the attacker passes a unique key, obtained from a domain controller, to impersonate the victim.
- Pass the Ticket
This refers to storing password data in a “ticket” construct: the capability to pass a Kerberos ticket to another machine and log in with that user’s ticket.
- Pass the Cache
This is the same as the pass-the-ticket technique, except it uses saved and encrypted login data on OS X, Linux, and UNIX systems.
- Kerberos Silver Ticket
Another pass-the-ticket technique: the silver ticket provides easy service usage on the network. It grants a TGS ticket which can then be used to log in to services on the network.
- Kerberos Golden Ticket
Yet another pass-the-ticket technique: a ticket forged for the hidden KRBTGT account, whose key is used to encrypt all other tickets. With this golden ticket, the attacker obtains domain admin credentials valid on any machine in the domain.
How to protect yourself against Mimikatz
Troy Blake proposes the following steps you can take to defend yourself against Mimikatz:
#1. Limit administrator privileges to the smallest group possible
Even if you have thousands of user accounts, only a few administrator accounts are needed.
To keep track of your privileged accounts and easily manage admin rights requests, I recommend you deploy a Privileged Access Management tool. Heimdal’s PAM solution not only lets you efficiently manage user rights but also allows users to safely install software themselves while providing logs and audit trails for data protection and compliance. What’s more, it is the only tool on the market that de-escalates users’ rights upon threat discovery (when used in tandem with our Threat Prevention or Endpoint Protection modules).
#2. Upgrade the schema and functional level of your forest and domain to at least 2012 R2.
This domain functional level introduces a new security group known as “Protected Users.” Among other things, members of the Protected Users group are unable to authenticate using NTLM, Digest Authentication, or CredSSP. These adjustments offer effective safeguards, rendering Mimikatz almost useless against those accounts.
#3. Verify KB2871997 has been installed to apply additional required security.
After installing this security update, the default behavior on Windows 7 and Windows 8 for users outside the Protected Users group is not to forcibly clear leaked logon session credentials.
To change this default, add the TokenLeakDetectDelaySecs registry DWORD and set it to the recommended value of 30 seconds.
#4. Stop storing passwords in memory.
Passwords would no longer be exposed to Mimikatz if the “UseLogonCredential” registry value is set to 0 instead of the normal value of 1.
#5. Start monitoring your systems for unauthorized software and malware.
Or choose an MDR service, where cybersecurity experts can monitor your environment. Heimdal™’s XDR solution goes beyond traditional MDR and continuously inspects users’ rights escalations, privileges, and app executions. Our professionals proactively supervise your incoming and outgoing traffic and emails for advanced threats and react quickly to protect you against potential attacks. This way, you avoid attacks, improve your security, and are able to concentrate on your business goals, priorities, and strategies.
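As an added example (not from the article, nor code from Heimdal), the following PowerShell script audits, and with -Apply sets, the two registry values from steps #3 and #4 on the local machine, and, where the ActiveDirectory module is available, reports the domain functional level and which Domain Admins are not yet in Protected Users (step #2). The registry paths are the standard Windows locations for these values; the group names are the built-in ones.

```powershell
# Added example: audit/apply the Mimikatz hardening steps from the article.
# Run in an elevated PowerShell session; -Apply writes the registry values.
[CmdletBinding()]
param([switch]$Apply)

$checks = @(
    @{ Name = 'UseLogonCredential'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Want = 0 },   # step #4: stop WDigest keeping plaintext credentials in LSASS memory
    @{ Name = 'TokenLeakDetectDelaySecs'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Want = 30 }   # step #3: clear leaked logon sessions after 30 s (KB2871997)
)

foreach ($c in $checks) {
    $item    = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.($c.Name) } else { $null }
    $state   = if ($null -eq $current) { 'missing' }
               elseif ($current -eq $c.Want) { 'ok' }
               else { "is $current" }
    Write-Output ("{0,-26} {1}" -f $c.Name, $state)
    if ($Apply -and $state -ne 'ok') {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord `
                         -Value $c.Want -Force | Out-Null
        Write-Output ("{0,-26} set to {1}" -f $c.Name, $c.Want)
    }
}

# Step #2: Protected Users only exists at domain functional level 2012 R2 or later.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Write-Output ("Domain functional level: {0}" -f (Get-ADDomain).DomainMode)
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive `
                   -ErrorAction SilentlyContinue | ForEach-Object distinguishedName)
    Write-Output ("Protected Users members: {0}" -f $protected.Count)
    # Privileged accounts outside Protected Users remain exposed to NTLM/WDigest theft.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $protected -notcontains $_.distinguishedName } |
        ForEach-Object { Write-Output ("Domain Admin not protected: {0}" -f $_.SamAccountName) }
} else {
    Write-Output 'ActiveDirectory module not available; skipping domain checks.'
}
```

Run it without -Apply first to see the current state; a reboot is not required for UseLogonCredential, but credentials already cached in LSASS remain until the affected users log off.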
For more information on how to detect and defend yourself against Mimikatz attacks, I suggest you also check out the guide created by the SANS Institute.
Mimikatz will most likely remain an effective offensive and defensive tool for years to come. However, keep in mind that the malicious actions Mimikatz performs require a high level of user permissions. Consequently, preventing the use of Mimikatz on your systems should involve more than just blocking the software; it should also include a series of measures designed to prevent unauthorized users from executing commands with admin rights.