Windows Credential Extraction - Post-Exploitation & Lateral Movement
Mimikatz is a post-exploitation tool that extracts plaintext passwords, hashes, PIN codes, and Kerberos tickets from Windows memory. Created by Benjamin Delpy, it's become essential for security testing and understanding Windows authentication weaknesses.
Mimikatz exploits Windows authentication protocols (NTLM, Kerberos) and credential caching mechanisms. It requires administrative privileges to access LSASS (Local Security Authority Subsystem Service) memory where credentials are stored.
Extract plaintext passwords and NTLM hashes from LSASS memory
Dump and manipulate Kerberos TGTs and service tickets
Create forged Kerberos TGTs for domain persistence
Forge service tickets for specific services
Authenticate using NTLM hash without knowing plaintext password
Import stolen Kerberos tickets for impersonation
Dumps all credentials from LSASS memory including passwords, hashes, and Kerberos keys.
Most common and powerful Mimikatz command
Creates Golden Tickets using the krbtgt account hash for complete domain control.
Requires krbtgt hash (Domain Admin access)
Pass-the-Hash attack - spawns a process that authenticates with a stolen NTLM hash, so the plaintext password never has to be cracked.
Enables lateral movement with stolen hashes
Enable Windows Credential Guard (virtualization-based security) to protect LSASS
Enable LSA Protection (RunAsPPL) to prevent non-protected processes from accessing LSASS memory
Use dedicated PAWs for administrative tasks, never browse internet or read email on admin systems
Implement tier 0/1/2 model, prevent credential caching on lower tiers
Disable WDigest authentication (stores plaintext passwords) on Windows systems
Alert on unusual LSASS access, process injection, or suspicious memory reads
LSASS Memory Access: Unusual processes reading lsass.exe memory (PID typically 500-700, but match on the image name rather than the PID, which varies between hosts and reboots)
Mimikatz Strings: File or memory contains strings like "sekurlsa", "kerberos::golden", "gentilkiwi"
Process Injection: CreateRemoteThread or similar injection techniques targeting LSASS
Event ID 4688: Process creation with suspicious command line (e.g., "privilege::debug")
Event ID 10: Sysmon logs showing OpenProcess on LSASS with suspicious source process
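The Sysmon Event ID 10 indicator above can be turned into a triage rule. This is an added example, not code from the page or from the Mimikatz project: it uses Sysmon's ProcessAccess field names (SourceImage, TargetImage, GrantedAccess, CallTrace), while the sample events and the allowlist of expected callers are constructed and would need tuning to a real host.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for suspicious lsass.exe access."""

# Win32 PROCESS_* access rights that a credential dumper needs on LSASS.
PROCESS_CREATE_THREAD = 0x0002   # remote-thread injection into LSASS
PROCESS_VM_READ = 0x0010         # reading LSASS memory
PROCESS_VM_WRITE = 0x0020        # writing into LSASS memory
SUSPICIOUS_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE

# Hypothetical allowlist of binaries expected to open lsass.exe on this host.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def lsass_access_reasons(event):
    """Return the reasons an Event ID 10 record is suspicious (empty list if benign)."""
    target = event.get("TargetImage", "").lower()
    if event.get("EventID") != 10 or not target.endswith(r"\lsass.exe"):
        return []
    source = event.get("SourceImage", "").lower()
    if source in EXPECTED_SOURCES:
        return []
    reasons = []
    granted = int(event.get("GrantedAccess", "0x0"), 16)   # Sysmon logs the mask as hex text
    if granted & SUSPICIOUS_RIGHTS:
        reasons.append(f"unexpected source {source} granted 0x{granted:x} on lsass.exe")
    if "UNKNOWN" in event.get("CallTrace", ""):   # call stack passes through unbacked memory
        reasons.append("call trace contains an UNKNOWN (unbacked) module")
    return reasons

def triage(events):
    """Return (SourceImage, reasons) for every suspicious event in a batch."""
    hits = []
    for ev in events:
        reasons = lsass_access_reasons(ev)
        if reasons:
            hits.append((ev["SourceImage"], reasons))
    return hits

# Constructed sample batch: an AV engine, a query-only open, and an unknown binary reading memory.
LSASS = r"C:\Windows\system32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d4e4"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF", "CallTrace": NTDLL},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000", "CallTrace": NTDLL},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010", "CallTrace": NTDLL + "|UNKNOWN(0000000001A3F2C0)"},
]

if __name__ == "__main__":
    for source, reasons in triage(SAMPLE_EVENTS):
        print(source, "->", "; ".join(reasons))
```

Only the third sample is reported: the allowlisted AV engine is skipped, and the 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) open carries no memory-read right.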
Understanding Mimikatz helps Blue Teams secure Windows environments and detect credential theft:
💡 Blue Team Practice: Test Mimikatz against your systems to validate Credential Guard, LSA Protection, and detection capabilities. Ensure your EDR/SIEM alerts on LSASS access attempts.