Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1134 | .005 | Access Token Manipulation: SID-History Injection |
Mimikatz's |
Enterprise | T1098 | Account Manipulation |
The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The |
|
Enterprise | T1547 | .005 | Boot or Logon Autostart Execution: Security Support Provider |
The Mimikatz credential dumper contains an implementation of an SSP.[1] |
Enterprise | T1555 | Credentials from Password Stores |
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.[1][5][6][7][8] |
|
.003 | Credentials from Web Browsers |
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DPAPI.[1][5][6][7] |
||
.004 | Windows Credential Manager |
Mimikatz contains functionality to acquire credentials from the Windows Credential Manager.[9] |
||
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSASS Memory.[1][5][6][7] |
.002 | OS Credential Dumping: Security Account Manager |
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the SAM table.[1][5][6][7] |
||
.004 | OS Credential Dumping: LSA Secrets |
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSA.[1][5][6][7] |
||
.006 | OS Credential Dumping: DCSync |
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DCSync/NetSync.[1][5][6][7][8] |
||
Enterprise | T1207 | Rogue Domain Controller |
Mimikatz’s |
|
Enterprise | T1649 | Steal or Forge Authentication Certificates |
Mimikatz's |
|
Enterprise | T1558 | .001 | Steal or Forge Kerberos Tickets: Golden Ticket |
Mimikatz's kerberos module can create golden tickets.[10][8] |
.002 | Steal or Forge Kerberos Tickets: Silver Ticket | |||
Enterprise | T1552 | .004 | Unsecured Credentials: Private Keys |
Mimikatz's |
Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
Mimikatz's |
.003 | Use Alternate Authentication Material: Pass the Ticket |
Mimikatz’s |
ID | Name | References |
---|---|---|
G0050 | APT32 | |
G0016 | APT29 | |
G1006 | Earth Lusca | |
G0046 | FIN7 | |
G0079 | DarkHydrus | |
G0092 | TA505 | |
G0060 | BRONZE BUTLER | |
G0034 | Sandworm Team | |
G0064 | APT33 | |
G1024 | Akira | |
G0131 | Tonto Team | |
G0087 | APT39 | |
G0108 | Blue Mockingbird | |
G0080 | Cobalt Group | |
G0027 | Threat Group-3390 |
Threat Group-3390 has used a modified version of Mimikatz called Wrapikatz.[41][42][43][44][45] |
G0004 | Ke3chang | |
G0045 | menuPass | |
G1023 | APT5 | |
G0088 | TEMP.Veles | |
G0007 | APT28 | |
G0006 | APT1 | |
G1016 | FIN13 | |
G0059 | Magic Hound | |
G1015 | Scattered Spider |
Scattered Spider has gathered credentials using Mimikatz.[57][58] |
G0076 | Thrip | |
G1004 | LAPSUS$ | |
G1017 | Volt Typhoon | |
G0135 | BackdoorDiplomacy | |
G0119 | Indrik Spider | |
G0093 | GALLIUM | |
G0069 | MuddyWater | |
G0077 | Leafminer | |
G0096 | APT41 | |
G0003 | Cleaver | |
G0082 | APT38 | |
G0010 | Turla | |
G0114 | Chimera | |
G0102 | Wizard Spider | |
G0008 | Carbanak | |
G0011 | PittyTiger | |
G1001 | HEXANE | |
G0035 | Dragonfly | |
G0049 | OilRig | |
G0094 | Kimsuky | |
G0037 | FIN6 | |
G0107 | Whitefly |
ID | Name | Description |
---|---|---|
C0017 | C0017 |
During C0017, APT41 used Mimikatz to execute the |
C0018 | C0018 | |
C0032 | C0032 | |
C0014 | Operation Wocao |
During Operation Wocao, threat actors used Mimikatz with the |
C0024 | SolarWinds Compromise | |
C0030 | Triton Safety Instrumented System Attack |