Mimikatz - Comprehensive Threat Intelligence Report
Evolution, Capabilities, and Threat Analysis of the Mimikatz Credential Stealer
Executive Summary
Mimikatz is a credential-dumping tool capable of obtaining plaintext Windows account passwords and hashes by accessing credentials in memory (specifically the LSASS process). Originally developed as a legitimate security utility, it has been co-opted by threat actors in recent years to facilitate illicit activities and has prompted organizations worldwide to re-evaluate their defenses. Mimikatz’s source code is publicly available and actively maintained, allowing adversaries to create custom variants or integrate its functionality into frameworks (e.g., PowerShell Empire). This widespread availability and continuous evolution have led to its use by both cybercriminal groups and state-sponsored hackers for post-compromise credential theft, privilege escalation, and lateral movement within victim networks.
Key Findings
- Mimikatz can retrieve clear-text credentials and password hashes from a compromised Windows system’s memory (LSASS), providing attackers with authentication data that can be reused for further intrusion (e.g., pass-the-hash attacks).
- The tool is typically deployed after initial access to deepen compromise; it has been widely used by diverse adversaries, from organized cybercriminal groups to nation-state APT actors, to elevate privileges and move laterally across networks.
- Mimikatz’s open-source codebase and ongoing development enable attackers to customize or execute it in memory (for example, via the Invoke-Mimikatz PowerShell script) to avoid antivirus detection, making it a continually adaptable threat.
- Mimikatz has been involved in high-profile cyber incidents; for instance, it was leveraged in the 2017 NotPetya and BadRabbit ransomware outbreaks to steal admin credentials, which allowed the malware to rapidly propagate and encrypt systems enterprise-wide. In a 2011 breach of the DigiNotar certificate authority, attackers used Mimikatz to obtain admin credentials, contributing to a loss of trust that led to the company’s collapse.
- Despite improvements in Windows security (e.g., disabling the storing of plaintext passwords and features like Credential Guard), Mimikatz remains prevalent. As of 2024, it ranked among the top five most common threats detected in networks, underscoring that many organizations are still regularly encountering Mimikatz during intrusions.
Threat Actors
APT41: a Chinese state-sponsored cyber espionage group that conducts both espionage and cybercrime operations. APT41 has been observed using Mimikatz in campaigns against the healthcare, technology, and gaming sectors.
Capabilities:
- Dual espionage and cybercrime operations
- Use of commodity tools like Mimikatz
- Targeting of healthcare and technology sectors
- Global operations
Evidence Sources:
- FireEye threat research
- Microsoft threat intelligence
- Security vendor reports
Targeting Patterns
Geographic Focus
- Albania
- Asia
- Canada
- China
- Europe
- Iran
- Japan
- Middle East
- North America
- North Korea
- Russia
Target Sectors
- Defense
- Defense Contractors
- Education
- Energy
- Energy and Utilities
- Finance
- Government
- Healthcare
- Hospitality
- Manufacturing
- Military
- Retail
- Technology
- Telecom
- Transportation
- Utilities
Victim Types
- Primarily organizations. Mimikatz-based attacks predominantly target institutional victims (government networks and businesses) rather than individual home users. Common victim types include government ministries and agencies, large enterprises across various industries, and critical infrastructure operators (e.g., energy companies). Cybercriminal campaigns (like ransomware) have also impacted hospitals, schools, and municipal systems, indicating that any organization with valuable data or the ability to pay a ransom can be a target.
Indicators of Compromise
All Indicators
17 of 17 indicators

| Type | Indicator |
|---|---|
| File Hash | MD5: A877BC9B79DDC0047240F8EC254819EC |
| File Hash | SHA-256: 0c79c5147e4ff87b8b655873c328b10976a68e7226089c1a7ab09a6b74038b13 |
| File Hash | Various PowerShell script variants |
| File Hash | Custom compiled versions |
| File Hash | Invoke-Mimikatz.ps1 variants |
| Domain | DigitalOcean infrastructure |
| Domain | Azure cloud servers |
| Domain | Chinese hosting providers |
| IP Address | 165.232.x.x:80 |
| IP Address | 124.71.207.28:80 |
| IP Address | 52.151.88.215:8000 |
| Registry Keys | HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential (set to 1 enables WDigest cleartext creds, linked to Mimikatz usage) |
| Registry Keys | HKLM\SYSTEM\CurrentControlSet\Services\mimidrv (created when the Mimikatz kernel driver is installed) |
| File Paths | (presence of this binary on a system is an IoC) |
| File Paths | (Mimikatz driver file dropped for kernel credential dumping) |
| File Paths | C:\Windows\System32\ and C:\Windows\System32\ (credential dump output files created by Mimikatz) |
| Mutex Names | No known fixed mutex names (Mimikatz does not use static mutexes in its operations) |
MITRE ATT&CK Mapping
Mapped tactics (count of entries per tactic):
- Initial Access: 2
- Execution: 2
- Persistence: 2
- Defense Evasion: 3
- Discovery: 1
- Collection: 4
- Command and Control: 1
- Exfiltration: 1
Command & Control Infrastructure
Characteristics
Geographic Distribution
Known Mimikatz C2 infrastructure has been geographically diverse. The DigitalOcean-hosted server was likely in a North American or European data center, while another identified host (124.71.207[.]28) resided in Asia (China). The Azure-based IP (52.151.88[.]215) suggests usage of cloud regions in the United States or Europe. One analyzed campaign primarily targeted victims in Japan (with some in the US, Canada, Europe, etc.), hinting at a regional focus or the availability of vulnerable targets there. Industry reports also note that many C2 servers are hosted in China and other countries, with Chinese cloud providers becoming prevalent for malware infrastructure.
Hosting Providers
Threat actors leveraging Mimikatz often utilize popular hosting providers and cloud services. In one case, the attacker's C2 was hosted on DigitalOcean's cloud platform. Another instance likely involved a Chinese cloud service (given the IP in a Chinese ISP range). The use of a Microsoft Azure IP for hosting Mimikatz scripts demonstrates that major cloud providers (Azure, AWS, Alibaba/Tencent Cloud, etc.) are exploited for C2 operations. Reports have highlighted that large hosting companies, including those in China (e.g., Tencent), account for a significant share of observed C2 servers, as adversaries abuse reliable cloud infrastructure to blend in with legitimate traffic.
Identified Servers
- Hundreds of Mimikatz-related C2 servers globally
- Diverse hosting providers and geographic distribution
Mitigations
Detection Rules
- Monitor for LSASS memory access
- Deploy memory forensics capabilities
- Monitor for credential dumping activities
- Implement Windows Credential Guard
- Deploy Yara rules for known Mimikatz indicators
Prevention Strategies
- Implement Windows Credential Guard
- Disable WDigest authentication caching
- Enable LSA protection
- Implement strict privilege management
- Deploy advanced endpoint detection
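As an added example (not part of this report), the read-only PowerShell audit below checks a host for the two hardening settings named above (WDigest caching and LSA Protection) and for the mimidrv service key listed in the IoC table. The RunAsPPL value name under the Lsa key is assumed from Microsoft's LSA Protection documentation; the other paths come from this report.

```powershell
# Added example, not from the report: read-only audit of the Mimikatz-related registry
# settings this report names. Run from an elevated PowerShell session on the host being checked.
# Assumption: RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is the LSA Protection switch.

function Get-MimikatzHardeningStatus {
    $results = @()

    # WDigest: UseLogonCredential = 1 makes LSASS keep plaintext passwords, which is the
    # state Mimikatz reads back. Absent or 0 is the hardened default on patched systems.
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $cred = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $credStatus = 'OK'
    if ($cred -eq 1) { $credStatus = 'WEAK: plaintext caching enabled; set to 0 and find out who changed it' }
    $results += [pscustomobject]@{
        Check  = 'WDigest UseLogonCredential'
        Value  = $(if ($null -eq $cred) { 'absent' } else { $cred })
        Status = $credStatus
    }

    # LSA Protection: RunAsPPL >= 1 runs LSASS as a protected process, so unsigned
    # user-mode tools cannot open it for reading.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $pplStatus = 'WEAK: LSASS not protected; set RunAsPPL to 1 and reboot'
    if (($null -ne $ppl) -and ($ppl -ge 1)) { $pplStatus = 'OK' }
    $results += [pscustomobject]@{
        Check  = 'LSA Protection (RunAsPPL)'
        Value  = $(if ($null -eq $ppl) { 'absent' } else { $ppl })
        Status = $pplStatus
    }

    # mimidrv: this service key exists only if the Mimikatz kernel driver was installed,
    # so its presence is an indicator from the IoC table, not a misconfiguration.
    $drv = 'HKLM:\SYSTEM\CurrentControlSet\Services\mimidrv'
    $drvPresent = Test-Path -Path $drv
    $drvStatus = 'OK'
    if ($drvPresent) { $drvStatus = 'ALERT: Mimikatz driver indicator present; start incident response' }
    $results += [pscustomobject]@{
        Check  = 'mimidrv service key'
        Value  = $(if ($drvPresent) { 'present' } else { 'absent' })
        Status = $drvStatus
    }

    return $results
}

Get-MimikatzHardeningStatus | Format-Table -AutoSize
```

The script changes nothing; any WEAK or ALERT row is a finding to act on under the Remediation Steps that follow.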
Remediation Steps
- Immediate credential rotation
- Comprehensive incident response procedures
- Forensic analysis of affected systems
- Communication with law enforcement
- Implementation of additional monitoring
Impact Assessment
Estimated Impact
Financial Impact
Billions in damages and recovery costs
Operational Impact
Extended downtime and business disruption
Notable Incidents
2011-07-01
DigiNotar certificate authority breach using Mimikatz
Affected Entities
- Certificate authority
- Government agencies
2017-06-27
NotPetya ransomware attack using Mimikatz credential theft
Affected Entities
- Global corporations
- Critical infrastructure
References
1. The Secrets to MIMIKATZ - The Credential Dumper (2022)
By International Journal for Electronic Crime Investigation
2. Mimikatz - Threat Detection Report (2024)
By Red Canary
https://redcanary.com/threat-detection-report/threats/mimikatz/
3. Ransomware Attack Techniques (2022)
By Symantec Threat Intelligence
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-hive-conti-avoslocker
4. Alert AA18-284A - Publicly Available Tools Used in Cyber Incidents (2018)
By CISA (US-CERT)
Conclusion
Mimikatz is a post-exploitation tool specializing in credential extraction from Windows systems. It is capable of obtaining plaintext account passwords and hashes from memory, as well as extracting digital certificates and Kerberos authentication material. Its capabilities include advanced techniques like pass-the-hash, pass-the-ticket, and even forging Kerberos Golden Tickets, allowing attackers to impersonate users and persist within a domain environment. Malicious actors typically deploy Mimikatz after gaining administrative access to a Windows host, using it to harvest credentials of logged-in users (including privileged accounts). The tool’s source code is openly available, enabling adversaries to compile custom variants or integrate Mimikatz into frameworks like PowerShell Empire and Metasploit, or execute it filelessly via Cobalt Strike, to evade detection. These capabilities make Mimikatz a versatile and powerful component of many cyber attacks, facilitating credential theft and lateral movement.
Technical Insights
- Mimikatz is a powerful credential dumping tool with extensive capabilities
- Local execution with optional RPC server mode
- Advanced evasion techniques including fileless execution
- Widespread adoption by both nation-state APTs and cybercriminal groups
- Source code availability has led to numerous variants and integrations