Mimikatz is a powerful tool whether you are attacking or defending a Windows system. Here is what you need to know to be well informed. Mimikatz - definition: Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as password hashes, PINs and Kerberos tickets. Other attacks it enables are pass-the-hash, pass-the-ticket and Kerberos Golden Ticket attacks, all of which make post-exploitation lateral movement within the network easier for an attacker. Mimikatz, which its author Benjamin Delpy describes as just "a little tool to play with Windows security," is an incredibly effective offensive security tool, used by penetration testers and malware authors alike. The destructive NotPetya malware of 2017 combined EternalBlue with Mimikatz to maximize its damage.
It was originally conceived by Delpy as a research project to better understand Windows security. Mimikatz also contains a module that dumps the Minesweeper board from memory and tells you where the mines are. Mimikatz is not difficult to use, and Mimikatz v1 ships as a Meterpreter script within Metasploit; the newer Mimikatz v2 has not yet been integrated into Metasploit. The name "mimikatz" comes from the French slang "mimi," meaning sweet, hence "sweet cats." (Delpy is French and blogs about Mimikatz in his native language.)
How does Mimikatz work?
Mimikatz abuses Windows Single Sign-On (SSO) functionality to harvest credentials. Until Windows 10, Windows used the WDigest authentication provider by default, which keeps encrypted passwords in memory together with the secret key needed to decrypt them. WDigest was a useful feature for authenticating large numbers of users on an enterprise or government network, but it also lets Mimikatz exploit it by dumping memory and recovering the passwords. In 2013 Microsoft made it possible to disable this feature from Windows 8.1 onward, and it is disabled by default in Windows 10. However, Windows still ships with WDigest, so an attacker who gains administrative privileges can simply turn it back on and run Mimikatz. Worse, so many older machines around the world are still running older versions of Windows that Mimikatz remains incredibly powerful and will probably stay that way for years.
History of Mimikatz
Delpy discovered the weakness in Windows' WDigest authentication in 2011, but Microsoft refused to listen when he reported the vulnerability to them. In response, he created Mimikatz, written in C, and published the executable online, where it quickly gained popularity with security researchers, not to mention unwanted worldwide attention, which eventually led to the release of the source code on GitHub. Mimikatz was used almost immediately by intruders against state institutions; the first known case was the breach of DigiNotar, a now-defunct Dutch certificate authority that went bankrupt because of the intrusion. The attackers issued fraudulent certificates for Google and used them to spy on the Gmail accounts of several hundred thousand Iranian users.
This security tool was subsequently used by malware authors to automate the spread of their worms, including the aforementioned NotPetya attack and the 2017 BadRabbit ransomware attack. Mimikatz is likely to remain an effective offensive security tool on Windows platforms for many years to come.
How to defend yourself against Mimikatz
Defending against attackers who use Mimikatz post-exploitation is not easy. Since the attacker must already have administrator (root-level) access to Windows in order to use Mimikatz, much of the damage is already done. The defense is therefore largely limited to containing the damage. However, reducing the risk that attackers with administrator privileges can reach credentials in memory using Mimikatz is possible and well worth the effort. It is well worth restricting admin privileges to only those users who really need them. Upgrading to Windows 10 or 8.1 is at least a start and mitigates the risk of an attacker using Mimikatz against you, but in many cases this is not possible. Another proven risk-mitigation strategy is hardening the Local Security Authority (LSA) to prevent code injection.
Turning off the debugging privilege (SeDebugPrivilege) can also help somewhat, since Mimikatz uses built-in debugging capabilities to dump memory. Manually disabling WDigest on older, unpatched versions of Windows can slow an attacker down by, oh, a minute or two - but it is still worth doing. Unfortunately, it is common practice to reuse the same administrator password throughout the enterprise; make sure that each Windows machine has its own unique administrator password. Finally, if you run LSASS as a protected process on Windows 8.1 and higher, Mimikatz will be blocked. Even detecting that Mimikatz is present and being used on the enterprise network is not a cure-all, because current automated detection solutions do not have a high success rate. The best defense is probably a good offense: test your systems regularly with Mimikatz and keep genuinely active, live monitoring on your network.
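As an added example (not from the original article), the following PowerShell audit script checks a host for the hardening settings discussed above: whether WDigest credential caching is disabled, whether LSA Protection (LSASS running as a protected process) is on, and which accounts hold SeDebugPrivilege. The registry value names and the secedit export are Microsoft's documented mechanisms; the helper function name and the output format are my own.

```powershell
# Added example: audit the Mimikatz-related hardening discussed above.
# Run from an elevated PowerShell session on the host being checked.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent
}

$findings = @()

# 1. WDigest: UseLogonCredential=0 stops LSASS keeping reversible (cleartext) passwords.
#    On Windows 8.1 / Server 2012 R2 and later an absent value means disabled;
#    on older hosts the value must be set to 0 explicitly after KB2871997.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$wdigest = Get-RegistryDword $wdigestKey 'UseLogonCredential'
if ($wdigest -eq 1) {
    $findings += 'WDigest is ENABLED (UseLogonCredential=1): cleartext passwords sit in LSASS memory.'
} elseif ($null -eq $wdigest) {
    $findings += 'WDigest UseLogonCredential is not set: safe only on Windows 8.1/2012 R2 and later; set it to 0.'
}

# 2. LSA Protection: RunAsPPL=1 runs LSASS as a protected process (Windows 8.1+),
#    so ordinary user-mode tools cannot open it for memory reads even with admin rights.
$runAsPpl = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
if ($runAsPpl -ne 1) {
    $findings += 'LSA Protection (RunAsPPL) is not enabled: LSASS memory is readable by admin-level tools.'
}

# 3. SeDebugPrivilege: export the local policy's user-rights area and show who holds it.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$debugLine = Select-String -Path $inf -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
if ($debugLine) {
    $holders = ($debugLine.Line -split '=', 2)[1].Trim()   # SIDs, e.g. *S-1-5-32-544 = Administrators
    $findings += "SeDebugPrivilege is assigned to: $holders (remove it where it is not required)."
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: WDigest disabled, LSA Protection on, SeDebugPrivilege not assigned.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The script only reports; changing these settings is a separate, deliberate step, and RunAsPPL in particular should be tested first because some third-party LSA plugins stop loading once LSASS is protected.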