Mimikatz
Mimikatz is a widely used open-source Windows post-exploitation credential dumping tool created by Benjamin Delpy (gentilkiwi). It is used to obtain account and password material from systems for access to additional hosts and enterprise resources. High-confidence capabilities mentioned in the source content include dumping credentials from LSASS memory, the Windows Credential Vault, DPAPI-related material, SAM/SECURITY/SYSTEM hives, NTDS.dit, and performing DCSync/replication-based credential theft. The content also documents Mimikatz functionality for DPAPI/CryptoAPI and EFS key recovery, including recovery of certificates, private keys, and master keys to decrypt EFS-protected files.
The tool is repeatedly described as one of the most popular credential-dumping utilities used by threat actors across many intrusion types, including ransomware operations and state-linked campaigns. Referenced use cases include ransomware actors using Mimikatz to obtain unsecured credentials and gain domain administrator access, common ransomware chains pairing Mimikatz with PsExec for lateral movement, use during the 2017 Petya/ExPetr outbreak to gather credentials for WMIC-based propagation, Qakbot-linked intrusions that progressed to Cobalt Strike, fileless .NET Mimikatz, and ransomware, and Microsoft reporting MERCURY/Mango Sandstorm (assessed to be affiliated with Iran’s MOIS) using Mimikatz after exploiting SysAid/Log4Shell-related vulnerabilities. The content also lists Mimikatz alongside common offensive tooling such as Cobalt Strike, Meterpreter, Metasploit, and BloodHound.
Targeted environments are Windows systems and Active Directory domains. The content specifically associates Mimikatz with credential access against LSASS, domain controllers, registry hives, and AD replication paths. Detection-relevant details directly mentioned include command-line references to "mimikatz", binaries named mimikatz.exe or trust.exe, Microsoft Defender detection as HackTool:Win32/LSADump, and driver/service artifacts related to mimidrv. The source also notes Mimikatz binaries observed in VirusTotal samples carrying AI API keys, and provides examples of repository activity such as lsadump::postzerologon functionality. Overall, the content consistently characterizes Mimikatz as a dual-use but heavily abused credential access tool central to post-compromise privilege escalation and lateral movement in Windows enterprise intrusions.
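As an added illustration (not Mallory's code and not the Mimikatz project's), the detection artifacts listed above turned into a small hunt over constructed Sysmon-style events; the key=value line format, the Defender and service-install field names, and the lsass allowlist are assumptions, not a real log schema.

```python
"""Detection sketch for the Mimikatz artifacts this page names (added example,
not Mallory's or the Mimikatz project's code; event format and field names are assumptions)."""
import re

# Artifacts from the page: "mimikatz" on command lines, mimikatz.exe/trust.exe, the mimidrv
# driver/service, Defender's HackTool:Win32/LSADump, and PROCESS_CREATE_THREAD on lsass.exe.
SUSPICIOUS_IMAGES = {"mimikatz.exe", "trust.exe"}
CMDLINE_MARKERS = ("mimikatz", "lsadump::", "sekurlsa::", "privilege::debug", "mimidrv")
PROCESS_CREATE_THREAD = 0x0002  # Win32 access right the /inject path needs
PROCESS_VM_READ = 0x0010        # right needed to read LSASS memory
LSASS_ALLOWLIST = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}  # assumption
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Parse one 'key=value key="quoted value"' event line into a dict."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}

def check_event(ev):
    """Return reason strings for one parsed event; an empty list means clean."""
    reasons, eid = [], ev.get("EventID")
    if eid == "1":  # Sysmon process creation
        name = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
        if name in SUSPICIOUS_IMAGES:
            reasons.append("image name " + name)
        cmd = ev.get("CommandLine", "").lower()
        hit = next((m for m in CMDLINE_MARKERS if m in cmd), None)
        if hit:
            reasons.append("command line contains " + hit)
    elif eid == "10":  # Sysmon process access
        target = ev.get("TargetImage", "").lower()
        source = ev.get("SourceImage", "").lower()
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if target.endswith("\\lsass.exe") and source not in LSASS_ALLOWLIST:
            if granted & PROCESS_CREATE_THREAD:
                reasons.append("lsass access with PROCESS_CREATE_THREAD (/inject path)")
            elif granted & PROCESS_VM_READ:
                reasons.append("lsass memory read")
    elif eid == "1116" and "hacktool:win32/lsadump" in ev.get("ThreatName", "").lower():
        reasons.append("Defender detection " + ev["ThreatName"])  # Defender malware-detected event
    elif eid == "7045" and "mimidrv" in (ev.get("ServiceName", "") + ev.get("ImagePath", "")).lower():
        reasons.append("mimidrv driver/service install")  # System log new-service event
    return reasons

def hunt(lines):
    """Return [(line_index, reasons)] for every event that raised a reason."""
    flagged = [(i, check_event(parse_event(l))) for i, l in enumerate(lines)]
    return [(i, r) for i, r in flagged if r]

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    'EventID=1 Image="C:\\Tools\\trust.exe" CommandLine="trust.exe privilege::debug exit"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe notes.txt"',
    'EventID=10 SourceImage="C:\\Users\\bob\\x.exe" TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1FFFFF',
    'EventID=10 SourceImage="C:\\Windows\\System32\\csrss.exe" TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1410',
    'EventID=1116 ThreatName="HackTool:Win32/LSADump"',
    'EventID=7045 ServiceName=mimidrv ImagePath="C:\\Tools\\mimidrv.sys"',
]
```

Running `hunt(SAMPLE_LOG)` flags events 0, 2, 4 and 5 and leaves the notepad and csrss events alone; the lsass access check deliberately separates the CREATE_THREAD case from plain memory reads because the two map to different Mimikatz paths.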
Vulnerabilities exploited
13 CVEs Mallory has correlated with this family across public research and vendor advisories.
Latest commit gentilkiwi [new] mimikatz lsadump::postzerologon, to reinit DC password both in …
Kaspersky researchers revealed ... the attackers exploit Internet-exposed Fortigate SSL VPN servers unpatched against the CVE-2018-13379 vulnerability ... The FBI and CISA warned ... APT actors scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379 exploits ... Fortinet also warned customers to patch their appliances against the CVE-2018-13379 ... "CVE-2018-13379 is an old vulnerability resolved in May 2019"
Earth Longzhi reimplemented some modules of Mimikatz ... as standalone binaries. ... We call this technique "Bring-Your-Own Mimikatz."
Rapid7’s Incident Response (IR) team was engaged to investigate an incident involving exploitation of CVE-2025-59718 against a vulnerable FortiGate appliance. In December 2025, Fortinet disclosed this improper verification of cryptographic signature vulnerability that facilitates an SSO login bypass on affected appliances.
Threat actors are suspected to be exploiting a maximum-severity security flaw impacting Quest KACE Systems Management Appliance (SMA) ... malicious activity ... consistent with the exploitation of CVE-2025-32975 on unpatched SMA systems exposed to the internet. CVE-2025-32975 (CVSS score: 10.0) refers to an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials.
Previously, Eset reported that about five APT groups have been exploiting the four Exchange vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 ... Security firm Volexity spotted hackers targeting Exchange servers on Jan. 3, when it saw CVE-2021-26855 being exploited. | "...installed a variety of Mimikatz malware, which is used as a post-exploitation tool to steal passwords from memory..."
Attackers combine this with credential theft (Mimikatz/Pypykatz), lateral movement (Cobalt Strike, SystemBC), and backup destruction to maximize impact and enable double-extortion.
This analytic story covers attacks exploiting CVE-2024-4577, a remote code execution (RCE) vulnerability in the PHP-CGI implementation on Windows. Attackers leverage this vulnerability to gain initial access, deploy Cobalt Strike using the "TaoWu" kit for post-exploitation activities, and establish persistence.
Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application.
"...a threat actor exploited the CVE-2022-40684 vulnerability to bypass authentication on the organization’s Fortinet VPN and gain initial access. Using various Windows tools and services, including smbexec.py from the Impacket toolkit, the attacker executed commands and moved laterally across the network."
Groups observed using it
43 distinct threat actors attributed by public researchers.
Tools: SpicyOmelette, Cobalt Strike, Meterpreter, Mimikatz, CobtInt, ATMSpitter, Carbanak, Buhtrap, Cyst, Metasploit.
APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.
Microsoft’s profile of the group noted the execution of Mimikatz “specifically targeting the Local Security Authority Subsystem Service (LSASS) memory to extract plaintext credentials.”
The hackers used well known tools, including Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, and more.
After establishing a foothold on the network, Scattered Spider uses a range of publicly available software tools for reconnaissance and lateral movement, including: ... Mimikatz : Credential extraction ...
Before that, however, antivirus on HSE endpoints detected both Cobalt Strike and Mimikatz being deployed on the so-called Patient Zero workstation.
The timeline, which was seemingly produced by security investigators at Mandiant or based on data gathered by the firm, shows that the Lapsus$ group was able to use extremely well known and widely available hacking tools, like the password-grabbing tool Mimikatz, to rampage through Sitel's systems.
Mimikatz (Hacktool.Mimikatz): Tool designed to steal credentials
To laterally move within the target network, Mimikatz was used to dump passwords.
The MOA used three pieces of code in an attempt to recover authentication data: AccountRestore, SharpRoast and Mimikatz.
After compromising systems, UAT-7237 deploys custom and open-source tools to maintain access and steal data. Their custom loader, SoundBill, decodes and executes shellcode from files like ptiti.txt, running payloads ranging from Mimikatz to Cobalt Strike for credential theft and long-term access.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Due to mistakes on the attacker’s side, we managed to retrieve multiple files from Earth Krahang’s servers, including samples, configuration files, and log files from its attack tools.
Initial Access
1 technique
Typical chain: Exploit Public-Facing Application (T1190) or phishing, then Mimikatz + PsExec for lateral movement, then encryption.
Execution
4 techniques
Tested variants: Original compiled into PowerShell (Invoke-Mimikatz) (Detected); PowerSploit – Invoke-Mimikatz (Detected)
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Therefore, using these stolen certificates, threat actors gain the advantage of making their programs look like legitimate NVIDIA programs and allowing malicious drivers to be loaded by Windows.
Many RaaS groups use an overlapping set of tools: Cobalt Strike (or analogues) for C2, Mimikatz for credential dumping, PsExec for lateral movement.
Privilege Escalation
2 techniques
Since mimikatz requires PROCESS_CREATE_THREAD in its OpenProcess() call for /inject... Mimikatz executes the following steps to inject into lsass: take the allocated memory, in which the code for the remote thread resides... replace them with the real address... run the thread and exploit! | Inject essentially starts a thread in the context of lsass.exe (SamSs-Service) and dumps the requested credentials from within this thread.
Stealth
2 techniques
Defense Impairment
2 techniques
For every new process, we get a structure ... containing its command line... After analyzing the process info, we can set CreationStatus... STATUS_ACCESS_DENIED: This looks suspicious. Block the process from ever starting.
Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. | According to samples uploaded to the VirusTotal malware scanning service, the stolen certificates were used to sign various malware and hacking tools, such as Cobalt Strike beacons, Mimikatz, backdoors, and remote access trojans.
Credential Access
6 techniques
gogokatz – An internal (for now) Go port of mimikatz ... This lets us try to execute full LSASS memory dumps without special privileges beyond what the real mimikatz needs.
"The main method: IDL_DRSGetNCChanges ... And among these attributes there can be password hashes ... And if you can request replication, you can obtain these attributes." | "DCSync is a technique in which an attacker who holds replication rights imitates the behaviour of a domain controller and requests users' password hashes from a legitimate DC over the DRSUAPI protocol"
Developers routinely hardcode credentials directly into apps, config files, and scripts. These credentials can be found in GitHub in open-source projects, while closed-source projects contain the credentials in the app itself.
The browser command will search for users' passwords and cookies in Chrome-based browsers, and decrypt them... [MSEDGE LOGIN DATA] Username: admin Password: Password!123
we will abuse Kerberos GSS-API to ask for a ticket for a service, but not any service – a service that has been configured for unconstrained delegation! | there are cases when we would like to fetch the user’s password, or their TGT (Ticket Granting Ticket) for Kerberos.
Discovery
1 technique
Windows Defender places malicious files in quarantine upon detection... The Windows Defender quarantine folder is valuable from the perspective of digital forensics and incident response (DFIR).
Lateral Movement
3 techniques
Pass the PRT – A primary refresh token (PRT) can be passed the same way NTLM hashes can be passed to authenticate from system to system... Pass the PRT – An attained PRT allows an attacker to perform pass-the-PRT... It allows an attacker lateral movement.
"SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket."
IOCs tracked for this family
25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
Credential-dumping tool observed in samples carrying AI API keys; discussed as part of malware artifacts found in VirusTotal.
Credential theft and dumping tool used after initial access to facilitate lateral movement and follow-on attack stages.
A well-known post-exploitation tool commonly detected by security products; referenced here as an example of offensive tooling that becomes heavily signatured.
Mimikatz is used to extract credentials from memory during the pre-encryption stages of ransomware intrusions.