Active Directory · Term

What is Mimikatz?

Mimikatz is the best-known tool for extracting passwords, hashes, and Kerberos tickets from Windows. It is used by attackers and by penetration testers to prove what a foothold exposes. Here is what Mimikatz does and how to defend against it.

TL;DR

Mimikatz is an open-source Windows post-exploitation tool, written by Benjamin Delpy, that extracts credentials from a compromised machine: NTLM hashes and plaintext passwords from LSASS memory, Kerberos tickets, and domain hashes via DCSync. It also forges Kerberos tickets (Golden and Silver). It needs local administrator rights to read LSASS, and it is the reference implementation for most Active Directory credential attacks. Defenders use the same tool to test exposure.

By John Dill, Red Team Lead, SecureLayer7

What Mimikatz is

Mimikatz is a credential tool that turned several Windows internals into one-line attacks. Its main modules:

  • sekurlsa: reads credentials from LSASS memory (hashes, tickets, sometimes plaintext).
  • lsadump: dumps secrets including DCSync against a Domain Controller.
  • kerberos: forges and injects tickets, including Golden and Silver tickets.

It is widely used because it is reliable and well-documented. The same capabilities that make it an attacker favourite make it a standard tool in an authorised penetration test.

What it does

The common Mimikatz commands map directly to AD attacks:

  • Harvest credentials from memory: sekurlsa::logonpasswords
  • Steal the KRBTGT hash via replication: lsadump::dcsync /user:krbtgt
  • Forge a Golden Ticket: kerberos::golden /user:Administrator /sid:<SID> /krbtgt:<hash> /ptt

Reading LSASS requires local administrator or SYSTEM rights, which is why the first foothold and any local escalation matter. Shown here for defensive context.

How to defend

  • Enable Credential Guard to isolate LSASS secrets from tools like Mimikatz.
  • Use the Protected Users group and LSASS protection (RunAsPPL).
  • Keep Domain Admins off ordinary machines so their credentials are never cached where Mimikatz runs.
  • Deploy LAPS so a harvested local-admin hash does not unlock other machines.
  • Detect processes opening a handle to lsass.exe and abnormal Kerberos ticket activity.
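The last point as detection logic, added here as an example rather than taken from the article: it scans process-access telemetry for handles to lsass.exe that carry memory-read rights, the footprint sekurlsa leaves. It assumes Sysmon Event ID 10 (ProcessAccess) records flattened to Key=Value lines; the sample events and the allowlist are constructed.

```python
# Added example (not from the original article): flag processes that open a handle
# to lsass.exe with memory-read rights, the pattern credential dumpers such as
# Mimikatz's sekurlsa module leave in process-access telemetry. Assumes Sysmon
# Event ID 10 (ProcessAccess) records flattened to "Key=Value" lines; the sample
# events and the allowlist below are constructed.
import re

# PROCESS_VM_READ is the right needed to read another process's memory; masks
# commonly seen from Mimikatz (0x1010, 0x1410, 0x1FFFFF) all include it.
PROCESS_VM_READ = 0x0010

# Images that legitimately read LSASS on many hosts (assumed allowlist, tune per
# environment), compared as full lowercase paths rather than bare file names.
ALLOWLIST = {r"c:\windows\system32\wbem\wmiprvse.exe"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one 'Key=Value Key=Value ...' line into a dict."""
    return dict(FIELD_RE.findall(line))

def reads_memory(mask):
    """True when the granted access mask allows reading process memory."""
    return bool(mask & PROCESS_VM_READ)

def detect_lsass_access(lines):
    """Return one finding per non-allowlisted handle to lsass.exe with read rights."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":  # only ProcessAccess events matter here
            continue
        if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        source = ev.get("SourceImage", "").lower()
        mask = int(ev.get("GrantedAccess", "0"), 16)
        if source in ALLOWLIST or not reads_memory(mask):
            continue
        findings.append({"time": ev.get("UtcTime"), "source": source, "mask": hex(mask)})
    return findings

# Constructed sample telemetry (not real events): one benign allowlisted read,
# one suspicious read from an unknown binary, one non-LSASS target, one non-ID-10.
SAMPLE_LOG = [
    "EventID=10 UtcTime=2024-01-01T10:00:01 SourceImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 UtcTime=2024-01-01T10:00:02 SourceImage=C:\\Users\\Public\\mm.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 UtcTime=2024-01-01T10:00:03 SourceImage=C:\\Windows\\explorer.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF",
    "EventID=1 UtcTime=2024-01-01T10:00:04 Image=C:\\Windows\\System32\\cmd.exe",
]
```

Running `detect_lsass_access(SAMPLE_LOG)` yields a single finding for the unknown binary; the same access mask from the allowlisted WMI provider is suppressed, which is why the allowlist must be path-based and reviewed rather than a blanket name match.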
