What is Mimikatz?
Mimikatz is an open-source tool that attackers use to steal credentials and other sensitive data from compromised Windows computers. It abuses legitimate Windows functionality to read a system’s memory and security tokens, such as Kerberos tickets, which can later be used to gain unauthorized access to restricted information. Credentials extracted by Mimikatz usually take the form of a password hash or a plaintext password.
The Mimikatz application was first developed in 2007 by French ethical hacker Benjamin Delpy, who wanted to demonstrate vulnerabilities in the Windows authentication system. Despite being created almost two decades ago, Mimikatz is still widely used by malicious actors and has been extended and developed in several ways.
Attackers use Mimikatz to perform attacks such as pass the hash and pass the ticket, which let them access victims’ systems with stolen credentials. In the wrong hands it can lead to serious security breaches and the theft of sensitive and confidential data. It is therefore important for companies and organizations to take every precaution to protect their systems against Mimikatz, such as applying security patches, keeping software up to date, and using multifactor authentication.
How Mimikatz became a hacking tool
Attackers started using Mimikatz to exploit a Windows feature called WDigest, which was intended to make it easier for Microsoft users to verify their identity when accessing apps over the internet. Specifically, WDigest keeps login credentials in memory so that they can be reused automatically.
In 2011, when Benjamin Delpy first demonstrated a Mimikatz attack on Windows systems, Microsoft rejected his warning, claiming that this was not an actual vulnerability because an attacker still needed administrator privileges before obtaining the passwords stored on a system. Attackers were nevertheless very interested in using Mimikatz to exploit Microsoft’s authentication software to gain administrative privileges, steal encrypted passwords, and use infected computers to reach other devices on a network. It has since been used in high-profile attacks, including the DigiNotar breach and the WannaCry ransomware attack.
Even though Mimikatz is a dangerous tool, it is not necessarily destructive. Cybersecurity professionals and penetration testers worldwide use this legitimate tool to test and audit systems. However, its prevalence among hackers has earned it a reputation as a dangerous hacking tool.
What can the Mimikatz tool do?
Mimikatz is a tool whose primary purpose is to extract sensitive information from the Windows operating system. Here are some of the things the Mimikatz tool is capable of:
- Pass the hash. Attackers use stolen password hashes to break into other systems, allowing them to move inside a network without the actual password.
- Overpass the hash. The attacker passes a unique key obtained from a domain controller, authenticates as the privileged user, and gains access to sensitive resources, such as databases, servers, and other critical systems.
- Pass the ticket. Attackers use Mimikatz to abuse the Kerberos protocol: a stolen Kerberos ticket is passed to another computer, allowing them to impersonate that user account and access any resource the user can reach.
- Pass the key. This type of attack is another variation of pass the hash. The attacker extracts the encryption key to break into systems instead of the password hashes and obtains sensitive credentials.
- Kerberos ticket manipulation. Mimikatz can forge golden and silver Kerberos tickets to gain access to systems and services protected by Kerberos authentication.
Although the Mimikatz tool is often used for malicious purposes and should be carefully monitored to prevent unauthorized access to systems and data, cybersecurity professionals use it for legitimate purposes such as penetration testing and forensic analysis.
Is Mimikatz malware?
Mimikatz is not malware. However, it is often used as part of malicious attacks and is therefore considered a dangerous hacking tool. Malicious actors use it to extract sensitive information from Windows operating systems, such as passwords, usernames, and domain information, which may lead hackers to gain unauthorized access to apps and systems.
Although attackers often use Mimikatz, the tool itself is not illegal. Cybersecurity professionals and testers use it to verify patch management, audit privileged access, and detect system vulnerabilities so that attacks and malware can be prevented.
How to protect yourself from Mimikatz
Here are a few security measures that you can take to prevent Mimikatz attacks:
- Disable WDigest. WDigest keeps your passwords in memory, which makes it an exploitable feature. Disabling this authentication protocol reduces the chance of a successful Mimikatz attack against you. Edit the registry to disable WDigest so that attackers can no longer use it to steal passwords.
- LSA protection. Windows uses the Local Security Authority (LSA) subsystem to validate user accounts and remote logins. Attackers read this process’s memory to obtain sensitive unencrypted data, such as passwords and Kerberos tickets. Enabling LSA protection limits which code can access the LSA process and its data structures, which makes it much harder for attackers to run Mimikatz successfully.
- Debug privilege. Windows grants administrators the privilege to debug the system, and Mimikatz requires this debug privilege to extract sensitive data from the system’s memory. Removing the debug privilege from user accounts that do not need it limits an attacker’s ability to carry out Mimikatz attacks and access encrypted login data and other sensitive information.
- Credential caching. Windows caches logon credentials on the local system to speed up future logins. However, attackers can recover those cached credentials by running Mimikatz on the local system. Disabling credential caching prevents attackers from accessing stored credentials and makes a successful Mimikatz attack more difficult.
- Keep your systems up to date. Ensure your Windows security, operating system, and all software are updated with the latest security patches. This can help eliminate vulnerabilities that Mimikatz exploits.
- Use strong and unique passwords. Use strong, complex, and unique passwords that are difficult to guess or crack. Never use passwords such as “password” or “123456.”
- Implement multifactor authentication. Set up multifactor authentication (MFA) to add a layer of security to your accounts and systems. This helps protect your accounts even if attackers already have your login credentials.
- Use privileged access management. Implementing privileged access management into your company’s cybersecurity infrastructure will help you monitor and control system access. This can prevent cyberattackers from gaining administrator privileges to your systems and sensitive data.
- Use anti-malware software. You can detect and prevent malware attacks, including those that use Mimikatz, by installing and regularly updating your antimalware software.
These security measures can help keep your systems safe from Mimikatz attacks and other cyber threats.
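The following PowerShell script is an added example, not part of the original article: it audits the four host-level settings from the list above (WDigest, LSA protection, cached logons, and the debug privilege) on the local machine and reports which are still weak. It assumes the standard Microsoft registry paths and value names, treats a missing value as weak so the reviewer confirms the build’s default, and uses a cached-logon threshold that is this example’s own choice.

```powershell
# Added example (not from the original article): audits, on the local host, the
# hardening settings from the list above and reports any still in a weak state.
# Run from an elevated PowerShell prompt. Assumptions: standard Microsoft registry
# paths and value names; a missing value is reported as WEAK so the reviewer
# confirms the build's default; the cached-logon threshold is this example's choice.

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$checks = @(
    @{ Name  = 'WDigest plaintext credentials (UseLogonCredential)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Ok = { param($v) $v -eq 0 } },
    @{ Name  = 'LSA protection (RunAsPPL)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RunAsPPL'; Ok = { param($v) $v -ge 1 } },
    @{ Name  = 'Cached domain logons (CachedLogonsCount, REG_SZ)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'CachedLogonsCount'; Ok = { param($v) [int]$v -le 1 } }
)

$results = @(foreach ($c in $checks) {
    $v  = Get-RegValueOrNull $c.Path $c.Value
    $ok = ($null -ne $v) -and (& $c.Ok $v)
    [pscustomobject]@{
        Setting = $c.Name
        Current = if ($null -eq $v) { '<not set>' } else { $v }
        Status  = if ($ok) { 'OK' } else { 'WEAK' }
    }
})

# Debug privilege: export the local user-rights assignment and list who holds
# SeDebugPrivilege. By default only Administrators (S-1-5-32-544) hold it.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeDebugPrivilege*' } | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
$results += [pscustomobject]@{
    Setting = 'Accounts holding SeDebugPrivilege'
    Current = if ($holders) { $holders } else { '<none>' }
    Status  = if ($holders -in @('', '*S-1-5-32-544')) { 'OK' } else { 'REVIEW' }
}

$results | Format-Table -AutoSize
```

Any row marked WEAK or REVIEW maps directly to one of the bullets above; fix it through Group Policy or the corresponding registry value rather than on a single host by hand where the machine is domain-joined.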
Endpoint protection and EDR
Unauthorized access to endpoints is one of the leading causes of data breaches. Use endpoint protection software to detect and block known Mimikatz binaries, add real-time monitoring with an EDR solution to detect suspicious behavior, enable threat intelligence feeds, apply behavioral analysis, and keep the security software itself updated.
User and event behavioral analytics
User and event behavioral analytics can help detect abnormal behavior in internal systems and user accounts. Monitoring system logs for suspicious activity, such as failed login attempts and unusual behavior by authorized users, can help stop a Mimikatz attack early. Such a system establishes a baseline of normal behavior, monitors for deviations from it, flags suspicious activity, and provides forensic data in the event of a breach.
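As an added example of the log monitoring described above (not code from the original article), this PowerShell script reads failed-logon events (Security event ID 4625) from the local Security log, groups them by target account, and reports accounts that exceed a failure threshold within a time window. It assumes an elevated session on a host whose Security log is readable; the threshold and window are this example’s choices.

```powershell
# Added example (not from the original article): summarizes failed logons
# (Security event 4625) per target account over a recent window and flags
# accounts above a threshold, the kind of signal the article says to watch for.
# Assumptions: run elevated where the Security log is readable; $Threshold and
# $Minutes are this example's choices, not Microsoft defaults.
param([int]$Threshold = 10, [int]$Minutes = 60)

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Flatten each event's EventData into a row with the fields worth correlating.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Source  = $d.IpAddress
        Type    = $d.LogonType
    }
}

# Accounts with many failures, the sources involved, and the time span.
$rows | Group-Object Account |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Failures = $_.Count
            Sources  = ($_.Group.Source | Sort-Object -Unique) -join ', '
            First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

A burst of failures against several accounts from one source, or against one privileged account from many sources, is the pattern to escalate; a SIEM or EDR can run the same grouping across all hosts rather than one at a time.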