Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

ID: S0002
Type: TOOL
Contributors: Vincent Le Toux

Platforms: Windows

Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1098 | Account Manipulation | The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The LSADUMP::ChangeNTLM and LSADUMP::SetNTLM modules can also manipulate the password hash of an account without knowing the clear text value.[2][3]
Enterprise | T1003 | Credential Dumping | Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSA, SAM table, credential vault, DCSync/NetSync, and DPAPI.[1][4][5][6]
Enterprise | T1081 | Credentials in Files | Mimikatz's DPAPI module can harvest protected credentials stored and/or cached by browsers and other user applications by interacting with Windows cryptographic application programming interface (API) functions.[2][5]
Enterprise | T1207 | DCShadow | Mimikatz's LSADUMP::DCShadow module can be used to make AD updates by temporarily setting a computer to be a DC.[1][2]
Enterprise | T1075 | Pass the Hash | Mimikatz's SEKURLSA::Pth module can impersonate a user, with only a password hash, to execute arbitrary commands.[2][6]
Enterprise | T1097 | Pass the Ticket | Mimikatz's LSADUMP::DCSync, KERBEROS::Golden, and KERBEROS::PTT modules implement the three steps required to extract the krbtgt account hash and create/use Kerberos tickets.[2][7][8][6]
Enterprise | T1145 | Private Keys | Mimikatz's CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.[2]
Enterprise | T1101 | Security Support Provider | The Mimikatz credential dumper contains an implementation of an SSP.[1]
Enterprise | T1178 | SID-History Injection | Mimikatz's MISC::AddSid module can append any SID or user/group account to a user's SID-History. Mimikatz also utilizes SID-History Injection to expand the scope of other components, such as generated Kerberos Golden Tickets and DCSync, beyond a single domain.[2][7]

Groups

Groups that use this software:

APT1
APT28
APT29
APT32
APT33
APT38
APT39
BRONZE BUTLER
Carbanak
Cleaver
Cobalt Group
DarkHydrus
Ke3chang
Lazarus Group
Leafminer
Magic Hound
menuPass
MuddyWater
OilRig
PittyTiger
Stolen Pencil
TEMP.Veles
Threat Group-3390
Thrip
Turla

References