Since its debut in 2011, Mimikatz, designed by French security researcher Benjamin Delpy, has caused sleepless nights for many in the cybersecurity field. Originally created to showcase Windows security vulnerabilities, this potent tool has found a home within the arsenal of cybercriminals, making it one of the most powerful intrusion weapons.
What is Mimikatz?
Mimikatz is an open-source utility used to gather credential data from Windows systems. Despite its initial role as a demonstration tool, the darker corners of the cyber world have harnessed Mimikatz’s capabilities, transforming it into a notorious tool for bypassing system security and accessing confidential information.
Under the Hood: How Does Mimikatz Work?
The real strength of Mimikatz lies in its ability to “dump” credentials from the system. This lets it read confidential information such as usernames, passwords, and PIN codes, especially when these are stored without adequate protection.
Access Token Manipulation
Mimikatz is renowned for its ability to manipulate Security Identifiers (SIDs) via the MISC::AddSid module. This feature allows unauthorized privilege escalation and access control bypass by appending any SID or user/group account to a user’s SID-History.
Using the LSADUMP::SetNTLM module, Mimikatz can change the password hash of an account without knowing the clear-text value. This gives the attacker a pathway to impersonate any user.
Mimikatz’s most notorious feature is credential dumping. It thrives on acquiring account and password information from various sources, such as the Windows Credential Manager, Local Security Authority (LSA), and the Security Account Manager (SAM). Furthermore, its DCSync feature abuses domain replication, a function designed for Domain Controllers (DCs).
The DCSync attack allows threat actors to masquerade as a domain controller (DC), a critical server in Windows network infrastructure. This impersonation is more than skin deep, allowing the adversary to mimic the complex domain replication process, the cornerstone of DC functionality.
So, why does a threat actor want to play the role of a domain controller? The answer lies in the treasure trove of password data that DCs hold. By exploiting the replication process, DCSync attackers can retrieve this sensitive data right from the DC’s digital vault.
But the DCSync attack isn’t an end in itself—it’s a means to a more insidious end. Typically, this attack serves as the precursor to a “Golden Ticket” attack. Why? Because DCSync allows the attacker to retrieve a very specific and powerful piece of data: the KRBTGT hash.
In essence, the KRBTGT hash is the proverbial “master key” to the kingdom, providing unrestricted access to all resources in a network. Once an attacker has this in their possession, they can create a Golden Ticket, an all-access pass to the network, making them virtually unstoppable.
Stealing or Forging Kerberos Tickets
Mimikatz also targets the Kerberos protocol, a network authentication standard used by Windows. It can create ‘Golden Tickets’ and ‘Silver Tickets’, offering cybercriminals unlimited access to network resources.
How Cybercriminals Use Mimikatz
Mimikatz has become a standard part of a cybercriminal’s toolkit. Its ability to steal and manipulate credentials makes it a valuable tool for lateral movement within a network, bypassing security measures, and achieving persistent access. Its use ranges from simple cybercrime incidents to more advanced persistent threats (APTs) conducted by state-sponsored groups.
APT Groups which used Mimikatz
- Earth Lusca
- Cobalt Group
- BRONZE BUTLER
- Tonto Team
- Blue Mockingbird
- FIN6
The Variants of Mimikatz
While the original Mimikatz tool remains a potent threat, various modified versions have appeared over the years. One example is ‘Invoke-Mimikatz’, a PowerShell version of the tool. Other groups, like Threat Group-3390, have used a modified version called ‘
Mimikatz: A Valuable Asset in a Penetration Tester’s Toolkit
When it comes to securing a network, it’s important to think like a hacker. Penetration testers, or “ethical hackers,” understand this principle better than anyone. To identify vulnerabilities within a system before malicious attackers do, these professionals often turn to tools like Mimikatz.
While it’s commonly associated with cyber-attacks, Mimikatz’s original purpose was to uncover and demonstrate Windows security weaknesses. In the hands of penetration testers, it becomes a powerful instrument to evaluate an organization’s security posture. This software allows ethical hackers to test for various vulnerabilities and weaknesses in their client’s systems, in particular, issues related to credential storage and access control.
Defending Against Mimikatz
There are several general strategies that you can follow to protect against Mimikatz:
- Update Your Systems Regularly: Microsoft has made several changes to Windows to limit Mimikatz’s effectiveness. Keeping your systems updated can take advantage of these changes.
- Least Privilege Access: Mimikatz requires high-level privileges to operate effectively. Limiting user account permissions whenever possible can help to protect your systems. Only users who need administrator privileges should have them.
- Disable WDigest: WDigest is a legacy authentication protocol, and it’s one of the things Mimikatz targets. Disabling it where possible can help to reduce the attack surface.
- Enable Credential Guard: Windows introduced a feature called Credential Guard that can help to protect against Mimikatz. It uses virtualization-based security to isolate and protect secrets.
- Monitor for Suspicious Behavior: Mimikatz leaves behind several signs of its activity that you can monitor for, including suspicious process creation events and network traffic.
- Network Segmentation: By creating zones in your network and applying security controls at each segment, you can limit an attacker’s ability to move laterally through your network.
- Use Multi-Factor Authentication (MFA): Even if an attacker manages to steal a set of credentials, MFA can prevent them from being used to access sensitive systems.
- Endpoint Detection and Response (EDR): Use an EDR solution that can detect and respond to Mimikatz and similar threats in real time.
- Regularly Change and Securely Store Credentials: Changing passwords and other credentials regularly can help prevent long-term unauthorized access. Ensure the credentials are securely stored.
- Educate Your Staff: Users should be educated about the dangers of phishing emails and other techniques that attackers use to install tools like Mimikatz.
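The “Disable WDigest” and “Enable Credential Guard” items above map to two well-known registry values. The following script, an added example that is not part of the original article, assesses a captured set of those values against the hardened state (the WEAK and HARDENED dictionaries are constructed samples); the optional `read_live()` helper pulls the same values from the local registry on Windows.

```python
"""Assess WDigest and Credential Guard registry state (added example, not from the article)."""
try:
    import winreg            # Windows only; the offline assess() works without it
except ImportError:
    winreg = None

# HKLM\...\WDigest, UseLogonCredential: 1 keeps cleartext credentials in LSASS (weak), 0 does not.
WDIGEST_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
# HKLM\...\Lsa, LsaCfgFlags: 0 = Credential Guard disabled, 1 = enabled with UEFI lock, 2 = enabled.
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
CHECKS = [(WDIGEST_KEY, "UseLogonCredential"), (LSA_KEY, "LsaCfgFlags")]

# Constructed sample states for illustration; None would mean the value is absent.
WEAK = {(WDIGEST_KEY, "UseLogonCredential"): 1, (LSA_KEY, "LsaCfgFlags"): 0}
HARDENED = {(WDIGEST_KEY, "UseLogonCredential"): 0, (LSA_KEY, "LsaCfgFlags"): 1}


def assess(settings, modern_os=True):
    """Return a list of findings; an empty list means both controls are hardened."""
    findings = []
    wd = settings.get((WDIGEST_KEY, "UseLogonCredential"))
    # Absent value: caching is off by default on Windows 8.1 / 2012 R2 and later, on before that.
    if wd == 1 or (wd is None and not modern_os):
        findings.append("WDigest caches cleartext credentials in LSASS; set UseLogonCredential=0")
    cg = settings.get((LSA_KEY, "LsaCfgFlags"))
    # Reflects the configured policy only; VBS must also be running for the protection to be active.
    if cg not in (1, 2):
        findings.append("Credential Guard not enabled (LsaCfgFlags is not 1 or 2)")
    return findings


def read_live():
    """Read the same values from this machine's registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: not running on Windows")
    out = {}
    for key, name in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                out[(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except FileNotFoundError:   # key or value does not exist
            out[(key, name)] = None
    return out


if __name__ == "__main__":
    for label, state in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess(state) or ["ok"])
```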
For the Threat Hunters
Windows Event Logs can be a valuable source of information when investigating potential Mimikatz usage. Below are several Windows Event IDs that can signal Mimikatz usage:
- Event ID 4624: This event is generated when a logon session is created (i.e., a user logs in). Mimikatz usage often involves unexpected or unusual logins, especially with high-level privileges.
- Event ID 4648: This event is generated when a logon is attempted using explicit credentials, a pattern that can accompany a Pass-the-Hash or Pass-the-Ticket attack.
- Event ID 4672: This event is generated when a user logs on with superuser (or admin equivalent) privileges. Since many Mimikatz functions require high-level privileges, multiple or unexpected instances of this event could be a signal of Mimikatz usage.
- Event ID 4768: This event is logged when a Kerberos Ticket Granting Ticket (TGT) is requested. Abnormal or unexpected requests can be a sign of Golden Ticket attacks.
- Event ID 4769: This event is logged when a Kerberos service ticket is requested. Like Event ID 4768, abnormal or unexpected requests can indicate a Silver Ticket attack.
- Event ID 4776: This event is logged when a domain controller validates the credentials of an account. Multiple or unexpected instances of this event could be a sign of credential dumping.
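To show how the Event IDs above turn into hunting rules, here is an added example (not from the original article) that runs simple rules over constructed, simplified event records: 4672 for an account outside a known-admin set, 4648 where a non-admin uses an admin account’s credentials, a 4769 service-ticket request for an account with no 4768 TGT request in the same window (an added assumption: a forged Golden Ticket is never requested from the KDC, so no 4768 precedes it), and a burst of 4776 validations from one host. The account names, hosts and threshold are assumptions.

```python
"""Hunt rules over Windows Security events (added example; sample events are constructed)."""
from collections import Counter

# Constructed sample events, not real log data; only the fields the rules need are kept.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "alice", "host": "WS01"},
    {"id": 4672, "user": "alice", "host": "WS01"},            # admin privileges for a non-admin
    {"id": 4672, "user": "admin_ops", "host": "DC01"},        # expected
    {"id": 4648, "subject": "bob", "target": "admin_ops", "host": "WS02"},
    {"id": 4648, "subject": "admin_ops", "target": "svc_backup", "host": "DC01"},
    {"id": 4768, "user": "carol", "host": "DC01"},
    {"id": 4769, "user": "carol", "host": "DC01"},            # normal: TGT, then service ticket
    {"id": 4769, "user": "jdoe", "host": "DC01"},             # no 4768 for jdoe in the window
] + [{"id": 4776, "user": f"u{i}", "host": "WS02"} for i in range(25)]

KNOWN_ADMINS = {"admin_ops", "svc_backup"}   # assumed allow-list of privileged accounts
NTLM_BURST_THRESHOLD = 20                    # assumed: 4776 events from one host per window


def hunt(events, known_admins=KNOWN_ADMINS, threshold=NTLM_BURST_THRESHOLD):
    """Return (event_id, principal, reason) tuples for records matching the rules."""
    findings = []
    # Accounts that actually requested a TGT (4768) in this window.
    tgt_seen = {e["user"] for e in events if e["id"] == 4768}
    # 4776 volume per source host, to spot credential validation storms.
    ntlm_per_host = Counter(e["host"] for e in events if e["id"] == 4776)

    for e in events:
        if e["id"] == 4672 and e["user"] not in known_admins:
            findings.append((4672, e["user"], "special privileges assigned to non-admin account"))
        elif e["id"] == 4648 and e["subject"] not in known_admins and e["target"] in known_admins:
            findings.append((4648, e["subject"], f"explicit credentials used for admin {e['target']}"))
        elif e["id"] == 4769 and e["user"] not in tgt_seen:
            findings.append((4769, e["user"], "service ticket without a TGT request in window"))

    for host, n in ntlm_per_host.items():
        if n >= threshold:
            findings.append((4776, host, f"{n} NTLM credential validations from one host"))
    return findings


if __name__ == "__main__":
    for eid, who, why in hunt(SAMPLE_EVENTS):
        print(f"[{eid}] {who}: {why}")
```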