Credential Dumping Tool | Severity: HIGH

Mimikatz - Comprehensive Threat Intelligence Report

Evolution, Capabilities, and Threat Analysis of the Mimikatz Credential Stealer

Executive Summary

Mimikatz is a credential-dumping tool capable of obtaining plaintext Windows account passwords and hashes by accessing credentials held in memory, specifically in the LSASS process. Originally developed as a legitimate security utility, it has been co-opted by threat actors in recent years to facilitate illicit activity and has prompted organizations worldwide to re-evaluate their defenses. Mimikatz’s source code is publicly available and actively maintained, allowing adversaries to create custom variants or integrate its functionality into frameworks (e.g., PowerShell Empire). This widespread availability and continuous evolution have led to its use by both cybercriminal groups and state-sponsored actors for post-compromise credential theft, privilege escalation, and lateral movement within victim networks.

Key Findings

  • Mimikatz can retrieve clear-text credentials and password hashes from a compromised Windows system’s memory (LSASS), providing attackers with authentication data that can be reused for further intrusion (e.g., pass-the-hash attacks).
  • The tool is typically deployed after initial access to deepen a compromise; it has been widely used by diverse adversaries—from organized cybercriminal groups to nation-state APT actors—to elevate privileges and move laterally across networks.
  • Mimikatz’s open-source codebase and ongoing development enable attackers to customize it or execute it in memory (for example, via the Invoke-Mimikatz PowerShell script) to avoid antivirus detection, making it a continually adaptable threat.
  • Mimikatz has been involved in high-profile cyber incidents; for instance, it was leveraged in the 2017 NotPetya and BadRabbit ransomware outbreaks to steal administrator credentials, which allowed the malware to propagate rapidly and encrypt systems enterprise-wide. In the 2011 breach of the DigiNotar certificate authority, attackers used Mimikatz to obtain administrator credentials, contributing to a loss of trust that led to the company’s collapse.
  • Despite improvements in Windows security (e.g., no longer caching plaintext passwords by default, and features such as Credential Guard), Mimikatz remains prevalent. As of 2024, it ranked among the top five most common threats detected in networks, underscoring that many organizations still regularly encounter Mimikatz during intrusions.

Threat Actors

APT41

Chinese state-sponsored cyber espionage group with both espionage and cybercrime operations. APT41 has been observed using Mimikatz in campaigns against the healthcare, technology, and gaming sectors.

Capabilities:

  • Dual espionage and cybercrime operations
  • Use of commodity tools like Mimikatz
  • Targeting of healthcare and technology sectors
  • Global operations

Evidence Sources:

  • FireEye threat research
  • Microsoft threat intelligence
  • Security vendor reports

Targeting Patterns

Geographic Focus

  • Albania
  • Asia
  • Canada
  • China
  • Europe
  • Iran
  • Japan
  • Middle East
  • North America
  • North Korea
  • Russia

Target Sectors

  • Defense
  • Defense Contractors
  • Education
  • Energy
  • Energy and Utilities
  • Finance
  • Government
  • Healthcare
  • Hospitality
  • Manufacturing
  • Military
  • Retail
  • Technology
  • Telecom
  • Transportation
  • Utilities

Victim Types

  • Primarily organizations. Mimikatz-based attacks predominantly target institutional victims – government networks and businesses – rather than individual home users. Common victim types include government ministries and agencies, large enterprises across various industries, and critical infrastructure operators (e.g., energy companies). Cybercriminal campaigns (such as ransomware) have also impacted hospitals, schools, and municipal systems, indicating that any organization with valuable data or the ability to pay a ransom can be a target.

Indicators of Compromise

All Indicators

Type            Indicator
File Hash       MD5: A877BC9B79DDC0047240F8EC254819EC
File Hash       SHA-256: 0c79c5147e4ff87b8b655873c328b10976a68e7226089c1a7ab09a6b74038b13
File Hash       Various PowerShell script variants
File Hash       Custom compiled versions
File Hash       Invoke-Mimikatz.ps1 variants
Domain          DigitalOcean infrastructure
Domain          Azure cloud servers
Domain          Chinese hosting providers
IP Address      165.232.x.x:80
IP Address      124.71.207.28:80
IP Address      52.151.88.215:8000
Registry Key    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential (a value of 1 enables WDigest cleartext credential caching; linked to Mimikatz usage)
Registry Key    HKLM\SYSTEM\CurrentControlSet\Services\mimidrv (created when the Mimikatz kernel driver is installed)
File Path       (path elided in source; presence of this binary on a system is an IoC)
File Path       (path elided in source; Mimikatz driver file dropped for kernel credential dumping)
File Path       C:\Windows\System32\ and C:\Windows\System32\ (credential dump output files created by Mimikatz; file names elided in source)
Mutex Name      No known fixed mutex names (Mimikatz does not use static mutexes in its operations)

MITRE ATT&CK Mapping

Initial Access

  • T1566.001 Phishing: Spearphishing Attachment
  • T1190 Exploit Public-Facing Application

Execution

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1047 Windows Management Instrumentation

Persistence

  • T1547.005 Boot or Logon Autostart Execution: Security Support Provider
  • T1098 Account Manipulation

Defense Evasion

  • T1134.005 Access Token Manipulation: SID-History Injection
  • T1055 Process Injection
  • T1027 Obfuscated Files or Information

Discovery

  • T1018 Remote System Discovery

Collection

  • T1003.001 OS Credential Dumping: LSASS Memory
  • T1003.002 OS Credential Dumping: Security Account Manager
  • T1003.004 OS Credential Dumping: LSA Secrets
  • T1003.006 OS Credential Dumping: DCSync

Command and Control

  • N/A - Mimikatz is a local tool

Exfiltration

  • T1041 Exfiltration Over C2 Channel

Command & Control Infrastructure

Characteristics

Geographic Distribution

Known Mimikatz C2 infrastructure has been geographically diverse. The DigitalOcean-hosted server was likely in a North American or European data center, while another identified host (124.71.207[.]28) resided in Asia (China). The Azure-based IP (52.151.88[.]215) suggests use of cloud regions in the United States or Europe. One analyzed campaign primarily targeted victims in Japan (with some in the US, Canada, Europe, etc.), hinting at a regional focus or the availability of vulnerable targets there. Industry reports also note that many C2 servers are hosted in China and other countries, with Chinese cloud providers becoming prevalent for malware infrastructure.

Hosting Providers

Threat actors leveraging Mimikatz often utilize popular hosting providers and cloud services. In one case, the attacker's C2 was hosted on DigitalOcean's cloud platform. Another instance likely involved a Chinese cloud service (given the IP in a Chinese ISP range). The use of a Microsoft Azure IP for hosting Mimikatz scripts demonstrates that major cloud providers (Azure, AWS, Alibaba/Tencent Cloud, etc.) are exploited for C2 operations. Reports have highlighted that large hosting companies – including those in China (e.g., Tencent) – account for a significant share of observed C2 servers, as adversaries abuse reliable cloud infrastructure to blend in with legitimate traffic.

Identified Servers

  • Hundreds of Mimikatz-related C2 servers globally
  • Diverse hosting providers and geographic distribution

Mitigations

Detection Rules

  • Monitor for LSASS memory access
  • Deploy memory forensics capabilities
  • Monitor for credential dumping activities
  • Implement Windows Credential Guard
  • Deploy Yara rules for known Mimikatz indicators

Prevention Strategies

  • Implement Windows Credential Guard
  • Disable WDigest authentication caching
  • Enable LSA protection
  • Implement strict privilege management
  • Deploy advanced endpoint detection
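The following PowerShell audit is an added example, not part of this report or its sources. It reads the two hardening settings listed above (WDigest cleartext caching and LSA protection) plus the mimidrv service key from the IoC list, and flags a host that is out of policy; the RunAsPPL value name under the Lsa key and the registry-only approach are this example's assumptions.

```powershell
# Added audit example; not taken from this report's sources. Run in an elevated
# PowerShell session on the host under review. It only reads settings.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return the DWORD value, or $null when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$lsaPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$mimidrvPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\mimidrv'

# 1. WDigest: UseLogonCredential = 1 makes LSASS keep cleartext passwords
#    (listed as an IoC in this report); 0 is the hardened state.
$wdigest = Get-RegDword -Path $wdigestPath -Name 'UseLogonCredential'
$wdigestStatus = if ($wdigest -eq 1) { 'FAIL: cleartext credential caching enabled' }
                 elseif ($wdigest -eq 0) { 'OK' }
                 else { 'REVIEW: value not set, OS default applies' }

# 2. LSA protection: RunAsPPL = 1 (or 2 with UEFI lock) runs LSASS as a
#    protected process, so unsigned code cannot open it for reading.
$runAsPpl = Get-RegDword -Path $lsaPath -Name 'RunAsPPL'
$lsaStatus = if ($null -ne $runAsPpl -and $runAsPpl -ge 1) { 'OK' }
             else { 'FAIL: LSA protection disabled' }

# 3. mimidrv: the service key exists only if the Mimikatz driver was installed.
$mimidrvPresent = Test-Path $mimidrvPath
$mimidrvStatus = if ($mimidrvPresent) { 'FAIL: mimidrv service key present' } else { 'OK' }

$report = @(
    [pscustomobject]@{ Check = 'WDigest UseLogonCredential'; Value = $wdigest;        Status = $wdigestStatus }
    [pscustomobject]@{ Check = 'LSA RunAsPPL';               Value = $runAsPpl;       Status = $lsaStatus }
    [pscustomobject]@{ Check = 'mimidrv service key';        Value = $mimidrvPresent; Status = $mimidrvStatus }
)
$report | Format-Table -AutoSize

# Non-zero exit code lets a scheduler or endpoint agent flag the host for follow-up.
if ($report.Status -match '^FAIL') { exit 1 }
```

A REVIEW result for WDigest means the value is absent; on Windows 8.1 / Server 2012 R2 and later the default is already off, while older systems need the value explicitly set to 0.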

Remediation Steps

  • Immediate credential rotation
  • Comprehensive incident response procedures
  • Forensic analysis of affected systems
  • Communication with law enforcement
  • Implementation of additional monitoring

Impact Assessment

Estimated Impact

Financial Impact

Billions in damages and recovery costs

Operational Impact

Extended downtime and business disruption

Notable Incidents

2011-07-01

DigiNotar certificate authority breach using Mimikatz

Affected Entities
  • Certificate authority
  • Government agencies

2017-06-27

NotPetya ransomware attack using Mimikatz credential theft

Affected Entities
  • Global corporations
  • Critical infrastructure

References

1. International Journal for Electronic Crime Investigation (2022). The Secrets to MIMIKATZ - The Credential Dumper. https://doi.org/10.54692/ijeci.2022.0504142
2. Red Canary (2024). Mimikatz - Threat Detection Report. https://redcanary.com/threat-detection-report/threats/mimikatz/
3. Symantec Threat Intelligence (2022). Ransomware Attack Techniques. https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-hive-conti-avoslocker
4. CISA (US-CERT) (2018). Alert AA18-284A - Publicly Available Tools Used in Cyber Incidents. https://www.cisa.gov/ncas/alerts/AA18-284A
5. MITRE ATT&CK Database. Mimikatz (S0002) Tool Entry. https://attack.mitre.org/software/S0002/

Conclusion

Mimikatz is a post-exploitation tool specializing in credential extraction from Windows systems. It is capable of obtaining plaintext account passwords and hashes from memory, as well as extracting digital certificates and Kerberos authentication material. Its capabilities include advanced techniques such as pass-the-hash, pass-the-ticket, and even forging Kerberos Golden Tickets, allowing attackers to impersonate users and persist within a domain environment. Malicious actors typically deploy Mimikatz after gaining administrative access to a Windows host, using it to harvest the credentials of logged-in users (including privileged accounts). The tool’s source code is openly available, enabling adversaries to compile custom variants or integrate Mimikatz into frameworks like PowerShell Empire and Metasploit – or execute it filelessly via Cobalt Strike – to evade detection. These capabilities make Mimikatz a versatile and powerful component of many cyber attacks, facilitating credential theft and lateral movement.

Technical Insights

  • Mimikatz is a powerful credential dumping tool with extensive capabilities
  • Local execution with optional RPC server mode
  • Advanced evasion techniques including fileless execution
  • Widespread adoption by both nation-state APTs and cybercriminal groups
  • Source code availability has led to numerous variants and integrations