Mimikatz

Mimikatz is an open source Windows utility available for download from GitHub. It dumps plaintext credentials, password hashes and private keys from a compromised host and serves as a post-exploitation tool for lateral movement within a network, used by defenders and threat actors alike.

Mimikatz is widely used by penetration testers and red teams to test enterprise network security, but also by various threat actors and groups after they gain initial access to an organization. It is bundled with the most widely used post-exploitation frameworks, such as Metasploit's Meterpreter, and is part of the arsenal of many threat groups around the world.

Mimikatz can enumerate the certificates held in the victim machine's user and machine certificate stores, including code signing certificates.

Mimikatz's CRYPTO::Extract module can extract private keys from installed certificates by interacting with Windows cryptographic application programming interface (API) functions. It walks the certificates present on the target host, exports each one together with its private key as a PFX file protected with the password "mimikatz", and the operator then retrieves those files from the target system. Marking a key non-exportable is not a sufficient defence: Mimikatz can patch the CryptoAPI and CNG export checks in memory so that such keys are exported as well.[1][2][3]
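A defender-side check that follows from the export behaviour above (this is an added example, not code from the page or from the Mimikatz project): because the exported PFX files are protected with the fixed password "mimikatz", a hunt can walk a file tree and try to open every PFX/P12 with that password. The root path, the approach of loading the file through X509Certificate2, and the EphemeralKeySet flag (available from .NET Framework 4.7.2 onward) are assumptions of this example.

```powershell
# Added example: hunt for PFX/P12 files that open with Mimikatz's default
# export password. Not part of the Mimikatz project; paths are assumptions.

function Test-PfxPassword {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Password
    )
    try {
        # EphemeralKeySet keeps the private key out of the local key store while
        # we only inspect the file (requires .NET Framework 4.7.2 or later).
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path, $Password, $flags)
        [pscustomobject]@{
            Path          = $Path
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
        }
        $cert.Dispose()
    } catch {
        # Wrong password or not a PKCS#12 container: not an indicator, emit nothing.
        return
    }
}

function Find-MimikatzPfxExports {
    param([string]$Root = 'C:\Windows\Temp')   # assumption: where exports were staged
    Get-ChildItem -Path $Root -Recurse -Include *.pfx, *.p12 -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-PfxPassword -Path $_.FullName -Password 'mimikatz' }
}

# Usage: scan the whole system drive and print any hits.
Find-MimikatzPfxExports -Root 'C:\' | Format-Table -AutoSize
```

Treat a hit as a strong indicator, but treat a clean scan as weak evidence: the password is a one-line change in the tool, and an operator who renames or re-encrypts the files before exfiltration leaves nothing for this check to find. Pair it with monitoring for processes opening certificate stores or LSASS on hosts that hold sensitive keys.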

Techniques Used

Domain ID Name Use
Enterprise VT0011 Account Manipulation

The Mimikatz credential dumper has been extended with Skeleton Key functionality, which patches the authentication code on a domain controller so that a master password is accepted for any domain account alongside the legitimate one. The LSADUMP::ChangeNTLM and LSADUMP::SetNTLM modules can also manipulate the password hash of an account without knowing its clear text value.[4][5]
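A detection-side complement to the hash manipulation described above (an added example, not code from the page or from the Mimikatz project): on the domain controller, a SetNTLM call is logged as Security event 4724 (an attempt was made to reset an account's password) and a ChangeNTLM call as event 4723 (an attempt was made to change an account's password), each naming the calling account as the subject and the manipulated account as the target. The filter below flags resets performed by accounts outside an approved set and changes where the subject is not the target account. The approved-resetter names and the sample records are constructed assumptions; Skeleton Key activity is not covered by these two events.

```powershell
# Added example: flag 4723/4724 events that look like LSADUMP::ChangeNTLM or
# LSADUMP::SetNTLM. Not part of the Mimikatz project; names are assumptions.

# Assumption: the only accounts expected to reset other users' passwords.
$ApprovedResetters = @('HELPDESK-SVC', 'ADMIN-JDOE')

function Select-SuspiciousPasswordEvents {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $isReset  = $Event.Id -eq 4724   # password reset (SetNTLM pattern)
        $isChange = $Event.Id -eq 4723   # password change (ChangeNTLM pattern)
        if (-not ($isReset -or $isChange)) { return }

        $reason = $null
        if ($isReset -and $Event.SubjectUserName -notin $ApprovedResetters) {
            $reason = 'Password reset by an account outside the approved set'
        } elseif ($isChange -and $Event.SubjectUserName -ne $Event.TargetUserName) {
            # A legitimate 4723 is performed by the account on itself.
            $reason = 'Password change where subject differs from target'
        }
        if ($reason) {
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                Id          = $Event.Id
                Subject     = $Event.SubjectUserName
                Target      = $Event.TargetUserName
                Reason      = $reason
            }
        }
    }
}

# Constructed sample records (not real log data), shaped like parsed 4723/4724 events.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2021-05-03T10:00:00'; Id = 4724; SubjectUserName = 'HELPDESK-SVC'; TargetUserName = 'jsmith' }
    [pscustomobject]@{ TimeCreated = '2021-05-03T10:05:00'; Id = 4724; SubjectUserName = 'jdoe-ws';      TargetUserName = 'Administrator' }
    [pscustomobject]@{ TimeCreated = '2021-05-03T10:06:00'; Id = 4723; SubjectUserName = 'bob';          TargetUserName = 'alice' }
    [pscustomobject]@{ TimeCreated = '2021-05-03T10:07:00'; Id = 4723; SubjectUserName = 'alice';        TargetUserName = 'alice' }
)
# Expected: only the second and third records are flagged.
$SampleEvents | Select-SuspiciousPasswordEvents | Format-Table -AutoSize

# On a domain controller, feed live events through the same filter.
function Get-LivePasswordEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                Id              = $_.Id
                SubjectUserName = $data['SubjectUserName']
                TargetUserName  = $data['TargetUserName']
            }
        }
}
# Get-LivePasswordEvents | Select-SuspiciousPasswordEvents
```

The subject-differs-from-target rule only catches ChangeNTLM when the operator runs it from a different account than the one being modified; a 4738 (user account changed) event at the same time for the same target is a useful corroborating signal, and the approved-resetter list needs to be maintained from the directory rather than hard-coded as it is here.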

Enterprise VT0021 Credentials from Password Stores

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.[6][7][8][9]

Enterprise VT0021 .003 Credentials from Password Stores: Credentials from Web Browsers

Mimikatz can also recover the logins that web browsers store under DPAPI protection, decrypting them with the user's DPAPI master key (the DPAPI::Chrome module targets Chromium-based browsers).[6][7][8][9]

Enterprise VT0017 .004 Unsecured Credentials: Private Keys

Mimikatz's CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.[4]

Threat Actors That Use This Tool

ID Name References
VG0008 APT20

APT20 uses Mimikatz to extract keys and credentials from victim machines in order to perform lateral movement.

References

Attachments

ID: VS0004
Type: TOOL
Platforms: Windows
Version: 1.2

Created: 03 May 2021

Last Modified: 03 May 2021