
Mimikatz: How cyber attackers harvest credentials post-exploitation

Posted by TEAM ASCEND on 10/16/19 3:45 PM

The bad guys got their hands on a powerful tool… and now they use it to get their hands on your passwords.

Criminals of all varieties have known the value of credentials throughout history. In almost every venue for criminal activity, credentials are essentially a key that criminals want to steal. ID badges, codes, passwords, and even identities serve as keys for entry into organizations, restricted areas, digital accounts, and more… and the bad guys have found that the best way to “break in” to anything is to simply use the key.

In cyberattacks, gathering or “harvesting” digital credentials and user information takes many forms, some of which include:

  • Phishing Scams

As you learned in the Cyberattack Roster [link], phishing campaigns can be designed to achieve a variety of goals, one of which is to collect credentials or valuable data. A phishing campaign designed to harvest credentials may pose as an email from a trusted source—your bank, a retail website, or a common business tool—and inform you of an urgent reason to log into your account immediately. This type of phishing scam is usually partnered with the following method in order to be successful: spoofed login pages.


  • Spoofed Login Pages & Fake Websites

Often paired with a convincing phishing email designed to direct victims to the scam, a spoofed login page or a fake website is another way that the bad guys can harvest legitimate user credentials. A cybercriminal may set up a lookalike login page that looks and acts just like the actual login page for the app or website they are spoofing, like this Microsoft login page for example:

But here’s the trick—when the victim falls for the scam and enters their credentials, the attacker is on the other end collecting the information. After the victim has successfully handed over their credentials, the fake login site may give a “wrong password” message and then redirect the user back to the real website to log in, leaving the victim completely unaware that anything malicious has taken place.


  • Input Capture (Keylogging)

Another way attackers collect credentials is through malicious input-capturing software (malware) called a “keylogger.” If a bad guy has the opportunity to install malware on their victims’ machines, whether in person or remotely via other attack vectors, they might use a keylogger to capture credentials as they are typed.


  • Post-Exploitation Tools

Similar to the keylogger approach, an attacker with access to their victim’s machine might utilize malicious software or tools that harvest credentials in ways other than input-capture. One example of this type of tool is Mimikatz.


What is Mimikatz?

Mimikatz is a program that was designed for good, but like many hacker exploits, it became commonly used for evil.

It all started in 2011 with a man named Benjamin Delpy, a French programmer and IT manager by trade, who discovered a security flaw in the inner workings of Windows operating systems and how they handle password data. He reported the vulnerability to Microsoft, but no immediate action was taken to secure it—Microsoft’s official statement on the vulnerability was simply that, for a hacker to exploit it, the system would have to already be compromised.

This is true—the vulnerability that Delpy discovered is one that can only be exploited in an advanced attack, where a cyber criminal has already gained access to their victim’s machine through other means. However, that doesn’t mean that the vulnerability wasn’t important to address. Delpy knew that in such situations where an attacker was able to exploit this security flaw, it could allow them to expand their access to other systems and compromise an entire network of computers, rather than just one individual machine.

With this in mind, Delpy created the Mimikatz program to demonstrate how easily the flaw could be exploited, how much damage it could create, and in turn, convince Microsoft to address the vulnerability in their operating systems’ designs.

Delpy made the information public so Microsoft and other security professionals could work toward a solution, but he kept the source code of his project closed. He knew the danger of the program he created, but he also understood that if he—a “good guy” in cybersecurity—wasn’t the one to address this flaw, then in time, it would surely have been discovered by a bad guy instead. Unfortunately, those same bad guys caught on to Mimikatz and began working hard to gain access to the source code, attempting to reverse-engineer, recreate, and even steal the code directly from Delpy. After a few too many run-ins with men in suits demanding he hand over the program, Delpy released Mimikatz publicly for his own safety.

And thus began the rise of one of the most damaging and widespread hacker tools in the last decade. Mimikatz has been used as a component in many high-profile cyberattacks, including NotPetya, BadRabbit, attacks on government networks, and more.


How does Mimikatz work?

Mimikatz is an executable program that an attacker (or penetration tester) installs on a machine and runs with administrative-level privileges. This is usually possible in an attack if the attacker has already gained access to the machine, evaded security defenses, and compromised a user’s account—allowing the attacker to execute malicious code and install malicious programs in the system.

The attacker can then use the Mimikatz tool to perform a number of attacks against the Windows authentication system within a machine or network. Mimikatz’s key feature is that it can access and “harvest” or “dump” lists of credentials used in the operating system. The tool can also exploit certain elements of Windows authentication that are meant to be security features, like NTLM hashes and Kerberos tickets.

With access to so many credentials and authentication mechanisms through Mimikatz, an attacker can easily compromise other accounts and even spread their attack to other computers without having to “break in” the hard way—they can simply use the key.


Credential harvesting in action

In the short video below, watch as Security Engineer Derrick demonstrates how easily a Mimikatz attack can be executed, and walks through a few methods to prevent and detect this type of attack in your organization.


Cybersecurity Game Plan


If an attacker has the chance to perform a Mimikatz attack in your network, you want to be able to identify the signs and begin taking action as quickly as possible.

With the combination of active security monitoring and intelligent detection technology, a Mimikatz attack can be identified and the attacker’s actions can be investigated in real time. Endpoint Detection & Response (EDR) identifies the unusual activity on the compromised endpoint, such as a process reading the memory of the Windows authentication process, and further investigation through network log collection in a SIEM lets security professionals discover where the attack began and which accounts have been compromised. From there, they can create a game plan for your organization’s next steps to eradicate the threat and recover your systems.
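One concrete form the EDR/SIEM detection described above can take is a rule over endpoint process-access telemetry. The script below is an added example, not code from the original post or from Ascend: it parses Sysmon Event ID 10 (ProcessAccess) records, which carry the fields SourceImage, TargetImage and GrantedAccess, and flags any process that opens lsass.exe with the PROCESS_VM_READ right unless it is on an allow-list of known benign readers. The log lines, the allow-list and the set of "known dump" access masks are constructed for the example and would be tuned per environment.

```python
"""Flag suspicious reads of LSASS memory in Sysmon Event ID 10 records.

Added example for illustration; the sample records below are synthetic and
follow Sysmon's ProcessAccess field names. The allow-list and the set of
known credential-dump masks are assumptions to tune for your own estate.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 process access-right bits relevant to reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# GrantedAccess masks commonly seen when LSASS is opened to read credentials
# (constructed subset; vendor detection rules carry longer lists).
KNOWN_DUMP_MASKS = {0x1010, 0x1410, 0x1FFFFF}

# Processes that legitimately open LSASS with read rights on many hosts
# (constructed allow-list; your EDR agent's own binary would be added here).
BENIGN_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Synthetic Sysmon Event ID 10 records, one per line, as key=value pairs.
SAMPLE_EVENTS = r"""
EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\Users\jdoe\AppData\Local\Temp\svch0st.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410
EventID=10 SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1410
EventID=10 SourceImage=C:\Windows\Temp\update.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x0040
"""

# Values may contain spaces (e.g. "Program Files"), so a value runs until the
# next " Key=" token or the end of the line rather than until the next space.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> Optional[ProcessAccessEvent]:
    """Parse one key=value record; return None for non-ProcessAccess lines."""
    fields = {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(line)}
    if fields.get("EventID") != "10":
        return None
    return ProcessAccessEvent(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def is_suspicious_lsass_access(ev: ProcessAccessEvent) -> bool:
    """True when a non-allow-listed process opens lsass.exe with VM_READ."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if not ev.granted_access & PROCESS_VM_READ:
        return False  # handle without read rights cannot dump memory
    return ev.source_image.lower() not in BENIGN_SOURCE_IMAGES


def severity(ev: ProcessAccessEvent) -> str:
    """Rank a hit: a mask seen in credential dumping outranks a generic read."""
    return "high" if ev.granted_access in KNOWN_DUMP_MASKS else "medium"


def scan(log_text: str) -> List[ProcessAccessEvent]:
    """Return the suspicious LSASS-access events found in a block of records."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None and is_suspicious_lsass_access(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{severity(hit)}] {hit.source_image} opened {hit.target_image} "
              f"with 0x{hit.granted_access:X}")
```

Run against the sample records, only the executable in the user's Temp folder is reported: the csrss.exe and MsMpEng.exe reads are allow-listed, the taskmgr.exe event targets a different process, and the last record lacks PROCESS_VM_READ, so a handle with only that mask cannot read LSASS memory. In a real deployment the allow-list should be keyed on signed, fully qualified paths rather than names alone, since an attacker can name a binary anything.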


Mimikatz can easily be stopped, however, before it’s even allowed to run.

As explained in the demonstration above, an effective anti-malware solution can detect and block the Mimikatz program from being installed or executed within your network.

As always, a layered security approach is recommended to protect against all types of attacks. If you can prevent an attacker from gaining access to your systems in the first place, then it’s much less likely that you will need to rely on AV or detection solutions to stop an attack.

