Contributors: Vincent Le Toux
- Credential Dumping - Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSA, SAM table, credential vault, DCSync/NetSync, and DPAPI.[1][3][4]
- Account Manipulation - The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality.[5] The LSADUMP::SetNTLM module can also manipulate the password hash of an account without knowing the clear text value.[2]
- SID-History Injection - Mimikatz's MISC::AddSid module can append any SID or user/group account to a user's SID-History.[2] Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain.[6][2]
- Pass the Ticket - Mimikatz's KERBEROS::PTT module implements the three steps required to extract the krbtgt account hash and create/use Kerberos tickets.[2][7][6]
- Private Keys - Mimikatz's CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.[2]
- Credentials in Files - Mimikatz's DPAPI module can harvest protected credentials stored and/or cached by browsers and other user applications by interacting with Windows cryptographic application programming interface (API) functions.[2][4]
- Pass the Hash - Mimikatz's SEKURLSA::Pth module can impersonate a user, with only a password hash, to execute arbitrary commands.[2]
- DCShadow - Mimikatz's LSADUMP::DCShadow module can be used to make AD updates by temporarily setting a computer to be a DC.[1][2]
The following groups use this software:
- BRONZE BUTLER
- Threat Group-3390
References:
1. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.
2. Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.
3. Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.
4. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.
5. Metcalf, S. (2015, January 19). Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015.
6. Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.
7. Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.