

Posted: April 12, 2019

Mimikatz is a hacking tool that collects passwords and gives threat actors options for maintaining persistence on the system, such as escalating privileges up to admin. This Windows threat is rarely seen on its own; it is usually deployed as a downloadable plugin or through other methods that first circumvent any pre-existing anti-malware protection. Victims should turn off their network connections, have anti-malware products delete Mimikatz and all threats associated with it, and re-secure all accounts and login credentials immediately afterward.

The Tool Holding the Door Open for Its Trojan Friends

Proof-of-concept and 'demonstrative' Trojans are a threatening area for even the most well-meaning security researchers to dabble in, since they are regularly hijacked for hostile purposes. Utku Sen's Hidden Tear is one case of software being recycled for crime instead of education, but Mimikatz, debatably, has had an even deeper impact on the hacking scene. Instead of delivering highly specific attacks, Mimikatz gives an attacker access to credentials and account privileges for infecting new systems or improving persistence on already-infected ones.

Mimikatz is a Windows-only utility whose development in 2011 by Benjamin Delpy was, supposedly, intended only to demonstrate vulnerabilities for Microsoft to correct. However, since the code is freely available, threat actors use it for a range of criminal activities, from famously broad campaigns to niche, small-scale attacks against Windows environments. Since most security solutions would identify Mimikatz in its native format immediately, it is rarely the first stage of an infection; rather, it is part of a deeper payload that loads after a computer has been compromised and its security solutions disabled.

Modern builds of Mimikatz, as verified by malware analysts, continue to include multiple means of snatching credentials and positioning threat actors to misuse them, through techniques such as:

  • Mimikatz can issue a command that forces Windows to output the passwords of all currently logged-in user accounts, as well as recently logged-in ones. A secondary method of collecting passwords involves domain controller impersonation, which tricks the Active Directory service into handing over credentials.
  • Mimikatz can use different techniques to give the threat actor admin privileges, which help with working around security solutions and file system access restrictions. It demonstrates this feature thoroughly with several 'pass-the-ticket' attacks that exploit weaknesses in Windows' default Kerberos authentication.
  • A minority of Mimikatz's features involve aggressive persistence functions, such as injecting malicious code into the processes of other programs, disabling some security-related services, and exporting certificates for the threat actor's future misuse.
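The two credential-theft techniques in the first bullet leave recognisable traces in Windows telemetry: reading logged-in users' passwords requires opening the LSASS process with memory-read access (recorded by Sysmon Event ID 10, ProcessAccess), and domain controller impersonation shows up as an ordinary user account requesting directory replication rights (Security Event ID 4662 with the DS-Replication-Get-Changes control access rights). The following detection script is an added example, not code from the original article or from the Mimikatz project; the event records, host names, user names and file paths are constructed, the replication GUIDs are the well-known Active Directory values, and the allow-list of processes that may legitimately read LSASS is an assumption that would be tuned per environment.

```python
"""Added example (not part of the original article): flag two Mimikatz-style
behaviours in constructed Windows telemetry.

 1. LSASS memory read  -> Sysmon Event ID 10 where the target is lsass.exe and
    the granted access mask includes PROCESS_VM_READ.
 2. DCSync-style replication request -> Security Event ID 4662 where the accessed
    property is a directory replication control-access right and the requesting
    account is not a machine account (domain controllers end in '$').

Records are plain dicts whose keys follow Sysmon / Security event XML field names.
"""

# Win32 process access rights (real constants from the Windows API).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Well-known Active Directory control access right GUIDs for replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Assumption: processes that legitimately open LSASS on this host. In practice this
# allow-list is environment-specific and must be tuned against baseline telemetry.
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_lsass_dump(event):
    """True for a Sysmon ProcessAccess event that reads lsass.exe memory from an
    unexpected source process."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in LSASS_READERS_ALLOWED:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)  # mask is logged as hex text
    return bool(granted & PROCESS_VM_READ)


def is_dcsync(event):
    """True for a 4662 event where a non-machine account requests replication rights."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    return not event.get("SubjectUserName", "").endswith("$")


def triage(events):
    """Return (finding, principal, host) tuples for every suspicious event."""
    findings = []
    for e in events:
        if is_lsass_dump(e):
            findings.append(("lsass-memory-read", e["SourceImage"], e.get("Computer")))
        elif is_dcsync(e):
            findings.append(("dcsync-replication-request", e["SubjectUserName"], e.get("Computer")))
    return findings


# Constructed sample events: one benign and one suspicious case of each technique,
# plus a 4662 event for an unrelated (constructed) GUID that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": "{00000000-1111-2222-3333-444444444444}"},  # constructed, non-replication
]

if __name__ == "__main__":
    for finding, principal, host in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding} by {principal}")
```

Both rules key on the privilege being exercised rather than on the Mimikatz binary itself, which matters because, as the article notes, the tool is usually delivered in a form that already evades signature-based scanning. The 4662 rule excludes machine accounts because domain controllers replicate with each other constantly; any other principal asking for DS-Replication-Get-Changes-All is worth an immediate look.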

What Password Theft Evolves into When You Ignore It

Almost by definition, Mimikatz rarely attacks alone, since its entire purpose is to compromise credentials that give threat actors more access to your network and PC than they previously had. Although nearly all of Mimikatz's features are Windows-specific, it does have a 'pass-the-cache' feature that also affects Linux and Mac environments, with the potential for login breaches. Since malware experts rate Windows 10 as less vulnerable, if not impervious, to Mimikatz's payload, users willing to upgrade their OS can protect their PCs that way.

Cases of Mimikatz assisting hacking operations include the campaigns of file-locking Trojans like the LockerGoga Ransomware and the DBGer Ransomware, which block media for ransom, along with cryptocurrency-mining Trojans that can destroy hardware. Some actions, such as limiting admin privileges, installing security patches that remove old vulnerabilities, and avoiding easily brute-forced passwords, will provide further protection against such attacks. PCs suspected of compromise should be disconnected from all networks and scanned by anti-malware products to remove Mimikatz and other Trojans immediately.

Mimikatz is to Trojan attacks what a sidearm is to open warfare: a fundamental tool that provides support after the main artillery does its damage. The only difference is that, instead of taking lives, it takes passwords, with potentially just as threatening results.