Credential Stealers: Mimikatz

Developed in 2007, Mimikatz is mainly used by attackers to collect the credentials of other users logged in to a targeted Windows machine. It does this by accessing the credentials in memory, within a Windows process called Local Security Authority Subsystem Service (LSASS).

These credentials, either plain text, or in hashed form, can be reused to give access to other machines on a network.

Although it was not originally intended as a hacking tool, in recent years Mimikatz has been used by multiple actors for malicious purposes. Its use in compromises around the world has prompted organisations globally to re-evaluate their network defences.

Mimikatz is typically used by malicious actors once access has been gained to a host and the actor wishes to move throughout the internal network. Its use can significantly undermine poorly configured network security.

In use

Mimikatz source code is publicly available, which means anyone can compile their own versions of the tool and potentially develop new custom plug-ins and additional functionality.

Our cyber authorities have observed widespread use of Mimikatz among hostile actors, including organised crime and state-sponsored groups.

Once a malicious actor has gained local admin privileges on a host, Mimikatz provides the ability to obtain the hashes and clear-text credentials of other users, enabling the actor to escalate privileges within a domain and perform many other post-exploitation and lateral movement tasks.

For this reason, Mimikatz has been bundled into other penetration testing and exploitation suites, such as PowerShell Empire and Metasploit.

Capabilities

Mimikatz is best known for its ability to retrieve clear text credentials and hashes from memory, but its full suite of capabilities is extensive.

The tool can obtain LAN Manager and NTLM hashes, certificates, and long-term keys on Windows XP (Server 2003) through to Windows 8.1 (Server 2012 R2). In addition, it can perform pass-the-hash or pass-the-ticket tasks and build Kerberos Golden Tickets.

Many features of Mimikatz can be automated with scripts, such as PowerShell, allowing an actor to rapidly exploit and traverse a compromised network. Furthermore, when operating in memory through the freely available, yet powerful, 'Invoke-Mimikatz' PowerShell script, Mimikatz activity is very difficult to isolate and identify.

Examples

Mimikatz has been used across multiple incidents by a broad range of actors for several years. In 2011 it was used by unknown hackers to obtain administrator credentials from the Dutch certificate authority, DigiNotar. The rapid loss of trust in DigiNotar led to the company filing for bankruptcy within a month of this compromise.

More recently, Mimikatz was used in conjunction with other hacking tools in the 2017 NotPetya and BadRabbit ransomware attacks to extract administrator credentials held on thousands of computers. These credentials were used to facilitate lateral movement and enabled the ransomware to propagate throughout networks, encrypting the hard drives of numerous systems where these credentials were valid.

In addition, a Microsoft research team identified use of the tool during a sophisticated cyber-attack targeting several high-profile technology and financial organisations. In combination with several other tools and exploited vulnerabilities, Mimikatz was used to dump and likely reuse system hashes.

Detection and protection

Updating Windows will help reduce the information available to an actor from the Mimikatz tool, as Microsoft seeks to improve the protection offered in each new Windows version.

To prevent Mimikatz credential retrieval, defenders should disable the storage of clear text passwords in LSASS memory. This is default behaviour for Windows 8.1/Server 2012 R2 and later but can be specified on older systems which have the relevant security patches installed (Footnote 6). Windows 10 and Windows Server 2016 systems can be protected by using newer security features such as Credential Guard.

Credential Guard will be enabled by default if:

  • The hardware meets Microsoft’s Windows Hardware Compatibility Programme Specifications and Policies for Windows Server 2016 and Windows Server Semi-Annual Branch; and
  • The server is not acting as a Domain Controller.

You should verify that your physical and virtualised servers meet Microsoft’s minimum requirements for each release of Windows 10 and Windows Server (Footnote 7).
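The two LSASS protections above (disabling clear-text password caching, and Credential Guard) can be checked on a host with the following script. It is an added example, not part of the advisory or of Microsoft's tooling; it assumes an elevated PowerShell session and uses the WDigest `UseLogonCredential` registry value and the `Win32_DeviceGuard` CIM class, where security service value 1 denotes Credential Guard. The Domain Controller check reflects the advisory's note that Credential Guard is not used on that role.

```powershell
# Added example (not from the advisory): audit LSASS credential protections on
# the local host. Run in an elevated PowerShell session.

$findings = @()

# 1. WDigest clear-text caching. UseLogonCredential = 0 stops LSASS holding
#    plain-text passwords. On Windows 8.1 / Server 2012 R2 and later the value is
#    absent by default and caching is already off; on patched older systems the
#    value must be created and set to 0.
$wdigestPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$useLogonCred = (Get-ItemProperty -Path $wdigestPath -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
$osVersion    = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
$modernOs     = $osVersion -ge [version]'6.3'   # 6.3 = Windows 8.1 / Server 2012 R2

if ($useLogonCred -eq 1) {
    $findings += 'FAIL: WDigest UseLogonCredential = 1 (clear-text passwords cached in LSASS)'
} elseif ($null -eq $useLogonCred -and -not $modernOs) {
    $findings += 'FAIL: WDigest UseLogonCredential not set on a pre-8.1 host (legacy default caches clear text)'
} else {
    $findings += 'PASS: WDigest clear-text credential caching is disabled'
}

# 2. Credential Guard. Win32_DeviceGuard lists the virtualization-based security
#    services that are configured by policy and those actually running;
#    the value 1 denotes Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($null -eq $dg) {
    $findings += 'INFO: Win32_DeviceGuard not present (OS predates Credential Guard)'
} elseif ($dg.SecurityServicesRunning -contains 1) {
    $findings += 'PASS: Credential Guard is running'
} elseif ($dg.SecurityServicesConfigured -contains 1) {
    $findings += 'WARN: Credential Guard configured but not running (check VBS and hardware prerequisites)'
} else {
    $findings += 'FAIL: Credential Guard is not enabled'
}

# 3. Credential Guard is not applicable to Domain Controllers (DomainRole 4 = backup DC, 5 = primary DC).
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    $findings += 'INFO: host is a Domain Controller; Credential Guard does not apply to this role'
}

$findings
```

A `WARN` on the Credential Guard line usually means the policy is set but the hardware or firmware prerequisites in the list above are not met, which is exactly the case the advisory asks you to verify.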

Password reuse across accounts, particularly administrator accounts, makes pass-the-hash attacks far simpler. You should set user policies within your organisation which discourage password reuse, even across standard, non-privileged accounts on a network.

The freely available Local Admin Password Solution (LAPS) from Microsoft can allow easy management of local admin passwords, preventing the need to set and store passwords manually.

Network administrators should monitor and respond to unusual or unauthorised account creation or authentication, to prevent Golden Ticket exploitation or network persistence and lateral movement. For Windows, tools such as Microsoft ATA and Azure ATP can help with this.
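Where a dedicated product such as ATA or Azure ATP is not in place, the same three signals (account creation, additions to privileged groups, and unusual authentication) can be pulled from the Windows Security log directly. The script below is an added example, not from the advisory or from Microsoft; it assumes an elevated session on a domain controller (for domain accounts) or a member host (for local ones), and the privileged group list, 24-hour window and fan-out threshold are assumptions to tune. The last check uses the fact that pass-the-hash replays an NTLM hash, so it surfaces accounts producing NTLM network logons (event 4624, logon type 3) from many sources.

```powershell
# Added example (not from the advisory): surface account-management and
# authentication events worth triaging from the last 24 hours.

$since            = (Get-Date).AddHours(-24)
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')  # assumed list
$fanOutThreshold  = 5   # assumed: distinct source IPs for one account before flagging

# Flatten an event's EventData section into a name -> value hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $fields[$_.Name] = $_.'#text' }
    $fields
}

function Get-SecurityEvents {
    param([int[]]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue
}

$alerts = @()

# 4720: a user account was created. Compare each hit against change records.
foreach ($e in Get-SecurityEvents -Id 4720) {
    $d = ConvertFrom-EventData $e
    $alerts += [pscustomobject]@{ Time = $e.TimeCreated; Finding = 'AccountCreated'; Account = $d.TargetUserName; Actor = $d.SubjectUserName; Detail = '' }
}

# 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group.
foreach ($e in Get-SecurityEvents -Id 4728, 4732, 4756) {
    $d = ConvertFrom-EventData $e
    if ($d.TargetUserName -in $privilegedGroups) {
        $alerts += [pscustomobject]@{ Time = $e.TimeCreated; Finding = 'PrivilegedGroupMemberAdded'; Account = $d.MemberName; Actor = $d.SubjectUserName; Detail = $d.TargetUserName }
    }
}

# 4624 with LogonType 3 (network) authenticated by NTLM rather than Kerberos.
# One account logging on over NTLM from many hosts in a short window is the
# pattern that hash reuse produces; Kerberos logons are ignored here.
$ntlmLogons = foreach ($e in Get-SecurityEvents -Id 4624) {
    $d = ConvertFrom-EventData $e
    if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM') {
        [pscustomobject]@{ Time = $e.TimeCreated; Account = $d.TargetUserName; Source = $d.IpAddress }
    }
}
foreach ($g in ($ntlmLogons | Group-Object Account)) {
    $sources = @($g.Group.Source | Sort-Object -Unique)
    if ($sources.Count -ge $fanOutThreshold) {
        $alerts += [pscustomobject]@{ Time = ($g.Group | Sort-Object Time)[0].Time; Finding = 'NtlmLogonFanOut'; Account = $g.Name; Actor = ''; Detail = ($sources -join ', ') }
    }
}

$alerts | Sort-Object Time | Format-Table -AutoSize
```

Parsing every 4624 event as XML is slow on a busy domain controller; in production, forward the Security log to a collector and run the same logic there, and treat the output as a triage list rather than a verdict.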

Network administrators should ensure that systems are patched and up to date. Numerous Mimikatz features are mitigated, or significantly restricted, by the latest system versions and updates. But no update is a perfect fix, as Mimikatz is continually evolving and new third party modules are often developed.

Most up-to-date antivirus tools will detect and isolate non-customised Mimikatz use and should therefore be in use to detect these instances. But hostile actors can sometimes circumvent antivirus systems by running the tool in memory, or by slightly modifying the original code of the tool. Wherever Mimikatz is detected, you should perform a rigorous investigation, as it almost certainly indicates an actor actively present in the network, rather than an automated process at work.

Several features of Mimikatz rely on exploitation of administrator accounts. Therefore, you should ensure that administrator accounts are issued on an as-required basis only. Where administrative access is required, you should apply Privileged Access Management principles.

Since Mimikatz can only capture the accounts of those logged into a compromised machine, privileged users (such as domain admins) should avoid logging into machines with their privileged credentials. Detailed information on securing Active Directory is available from Microsoft (Footnote 8).

Network defenders should audit the use of scripts, particularly PowerShell, and inspect logs to identify anomalies. This will aid identification of Mimikatz or pass-the-hash abuse, as well as providing some mitigation against attempts to bypass detection software.
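One concrete form of the PowerShell audit described above is to confirm that script block logging is enabled and then scan the logged blocks (event 4104 in the PowerShell operational log) for Mimikatz indicators, which catches the in-memory 'Invoke-Mimikatz' use the Capabilities section describes even when no file touches disk. This is an added example, not the advisory's own material; the indicator strings are an assumed starter list and the seven-day window is an assumption.

```powershell
# Added example (not from the advisory): verify script block logging and
# scan recorded script blocks for Mimikatz indicators.

# Script block logging is a Group Policy setting; this registry value is where it lands.
$sbPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled  = (Get-ItemProperty -Path $sbPolicy -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($enabled -ne 1) {
    Write-Warning 'Script block logging is not enabled (EnableScriptBlockLogging is not 1); 4104 events will be sparse.'
}

# Assumed starter list: the loader name, the tool name, and the modules used
# for LSASS credential dumping and Golden Ticket forging.
$indicators = @('Invoke-Mimikatz', 'mimikatz', 'sekurlsa', 'lsadump', 'kerberos::golden')
$pattern    = ($indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # 4104 property order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
    # Long scripts are split across several events that share one ScriptBlockId.
    $text    = $e.Properties[2].Value
    $matches = [regex]::Matches($text, $pattern, 'IgnoreCase')
    if ($matches.Count -gt 0) {
        [pscustomobject]@{
            Time          = $e.TimeCreated
            UserSid       = $e.UserId
            ScriptBlockId = $e.Properties[3].Value
            Indicators    = ($matches | ForEach-Object { $_.Value } | Sort-Object -Unique) -join ', '
            Path          = $e.Properties[4].Value   # empty when the block ran from memory, itself a notable sign
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

An empty `Path` on a hit means the script was executed from memory rather than from a file, which is the evasion technique the advisory warns about; pair this with antivirus alerts and treat any hit as the trigger for the full investigation the advisory recommends.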
