Tools and code analysisAttacks and exploitsIntermediate27 min read

What Is Mimikatz? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

Mimikatz is a tool that can pull passwords and other secret information straight out of a computer’s memory. It is often used by hackers to steal login details after they have already broken into a system. Security experts also use it to test how well a system can resist this kind of attack.

Common Commands & Configuration

privilege::debug

Elevates Mimikatz to the required debug privilege (SeDebugPrivilege) to access LSASS memory. Must be run first before any dumping commands.

Tests understanding that Mimikatz requires administrative privileges and SeDebugPrivilege, which is not enabled by default. Questions may ask about the first step in credential dumping.

sekurlsa::logonpasswords

Dumps plaintext passwords, NTLM hashes, and SHA1 hashes for all currently logged on users from LSASS memory.

The most famous Mimikatz command. Exam scenarios often describe an admin seeing this command in event logs and needing to identify it as a credential theft attempt.

lsadump::sam

Dumps the Security Account Manager (SAM) registry hive to extract local user password hashes (NTLM and LM) from a Windows system.

Tests knowledge of SAM hive location (HKEY_LOCAL_MACHINESAM) and that local hashes are stored there. Useful for lateral movement from a compromised local admin account.

lsadump::dcsync /user:DOMAIN\Administrator

Performs a DCSync attack by simulating a Domain Controller replication request to extract the password hash for the specified user (e.g., Administrator) without needing to log into the DC.

Critical for domains: it requires only a domain admin account. Questions often ask how an attacker gets domain admin hash without being on the DC. Also tests understanding of replication permissions.

kerberos::golden /user:Administrator /domain:contoso.com /sid:S-1-5-21-123456789-1234567890-123456789 /krbtgt:1234567890abcdef1234567890abcdef /id:500 /groups:512,519,518,513 /ptt

Creates a forged Kerberos TGT for the Administrator user (RID 500) with domain admin group memberships and injects it into memory (/ptt). Requires the KRBTGT account's NTLM hash.

Tests the exact parameters needed: SID, KRBTGT hash, and group RIDs (512=Domain Admins, 519=Enterprise Admins, 518=Schema Admins, 513=Domain Users). A common exam question is what hash is required.

sekurlsa::tickets /export

Exports all current Kerberos tickets from LSASS memory to .kirbi files on disk, which can then be reused with pass-the-ticket attacks.

Exams may ask how an attacker can capture a service ticket for later use. Format is .kirbi. Often used in lateral movement scenarios.

misc::cmd

Opens an interactive Windows command prompt with the same privileges as the Mimikatz process (often SYSTEM), allowing further actions like creating users or running scripts.

Tests post-exploitation capability. Questions may ask about escalating a command shell from Mimikatz to a SYSTEM-level prompt.

process::list

Lists all running processes with their PIDs, allowing the attacker to target specific processes for injection or memory access.

Useful for identifying LSASS PID (usually 0004 or similar) before dumping. Less commonly tested but shows reconnaissance phase.

Mimikatz appears directly in 6exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA CySA+. Practise them →

Must Know for Exams

Mimikatz appears in several IT certification exams because it directly relates to credential security, which is a core topic in security-focused certifications. In the CompTIA Security+ exam (SY0-601 or SY0-701), Mimikatz is typically discussed under Domain 2 (Attacks, Threats, and Vulnerabilities), specifically within the subdomains of password attacks and credential harvesting. Questions may ask about the attack vector that Mimikatz exploits, such as LSASS memory scraping, or ask learners to identify the tool by its behavior.

In the CompTIA CySA+ exam (CS0-002 or CS0-003), which focuses on security operations and analysis, learners are expected to understand Mimikatz as a tool used by threat actors to dump credentials. Exam questions might present a scenario where a malware sample is found to contain Mimikatz code, and the candidate must identify the tool or recommend a mitigation like disabling WDigest or enabling Credential Guard.

The Certified Ethical Hacker (CEH) exam covers Mimikatz as one of the many post-exploitation tools listed in the practical labs. Learners may be asked to select the correct command to extract NTLM hashes using Mimikatz (e.g., sekurlsa::logonpasswords). The OSCP (Offensive Security Certified Professional) exam heavily relies on Mimikatz during the penetration testing process. Candidates are expected to be able to transfer Mimikatz to a target, execute it, and use the stolen credentials for privilege escalation or lateral movement.

In the Microsoft Certified: Security Operations Analyst Associate (SC-200) exam, Mimikatz is relevant to understanding detection and response. Learners need to know how to create detection rules in Microsoft 365 Defender or Sentinel to alert on Mimikatz usage. For example, detecting process access to LSASS from a non-system process. The exam also covers mitigations like Windows Defender Application Control (WDAC) that can block Mimikatz execution.

Finally, the CISSP exam (ISC2) addresses Mimikatz under the domain of Identity and Access Management (IAM) and the protection of authentication mechanisms. While CISSP does not test specific tool commands, it tests the underlying concepts of credential protection and the importance of controlling administrative access.

Simple Meaning

Imagine you have a locked diary where you write down all your secret codes and passwords. Now imagine that someone sneaks into your room and, instead of trying to pick the lock, they simply read the diary while it is open on your desk. That is what Mimikatz does with a computer’s memory. When you log into a Windows computer, the operating system temporarily stores your password or a scrambled version of it in memory so that it can verify your identity quickly. Mimikatz is a tool that can reach into that memory and pull out those secrets, even if they are scrambled. It does not break into the system through the front door; it only works after an attacker already has some level of access.

Think of it like a master key that can open many different lockers inside a building, but only after you have already gotten past the security guard at the entrance. The tool was originally created by a French security researcher named Benjamin Delpy to show how vulnerable Windows systems really are. Over time, criminals adopted it for real-world attacks. For an IT professional, understanding Mimikatz is crucial because it reveals a fundamental weakness in how Windows handles authentication. The tool itself is not malicious; it is just a piece of software. It becomes dangerous only when used by someone with bad intentions. Learning about Mimikatz helps you understand why simply having a strong password is not enough and why additional protections like multi-factor authentication or Windows Defender Credential Guard are necessary.

Full Technical Definition

Mimikatz is a post-exploitation tool that operates by exploiting the Windows Local Security Authority Subsystem Service (LSASS) process. LSASS is a system process responsible for enforcing the security policy on Windows systems, handling user authentication, and storing credentials in memory to facilitate single sign-on. When a user logs in, LSASS holds a copy of the password hash (NTLM hash) or the plaintext password itself, depending on the version of Windows and the authentication protocol in use. Mimikatz gains access to the memory space of LSASS, reads the stored credential material, and outputs it in a human-readable or reusable format.

The tool supports multiple attack modules, including sekurlsa::logonpasswords, which extracts clear-text passwords and NTLM hashes from LSASS memory. Another module, kerberos::golden, is used to forge Kerberos Ticket Granting Tickets (TGTs), enabling an attacker to impersonate any user in an Active Directory domain. The dpapi::crypto module can decrypt data protected by the Data Protection API (DPAPI). Mimikatz also interacts with the Windows Security Account Manager (SAM) registry hive to extract local account hashes.

From a technical standpoint, Mimikatz requires administrative or SYSTEM-level privileges to access LSASS process memory. It uses Windows API calls such as OpenProcess, VirtualAllocEx, and WriteProcessMemory to read the target process. The tool can also bypass security mechanisms like Windows Defender Credential Guard by accessing the isolated user mode (IUM) if the system is not fully hardened. In modern Windows 10 and Windows Server 2016+, Credential Guard uses virtualization-based security to protect credentials, making LSASS memory inaccessible to Mimikatz. However, if the attack is performed from within the kernel or if the machine lacks hardware virtualization support, the protection may be circumvented.

Mimikatz is written in C and runs natively on Windows. It can be executed from a command line or through scripts, and it has been ported to PowerShell as part of the Invoke-Mimikatz module. The tool is commonly used in red team operations to simulate credential theft and in penetration testing to evaluate the effectiveness of credential protection mechanisms. Its presence in a compromised environment is a strong indicator of an advanced persistent threat (APT) actor, as many malware families and ransomware variants use Mimikatz in their attack chains.

Real-Life Example

Imagine you are renting a storage unit at a facility. You have a padlock on your unit, and you think your items are safe. But the facility manager has a master key that opens every unit, including yours. Now imagine that a dishonest employee steals the master key and uses it to open your unit while you are away. That is exactly what Mimikatz does with Windows credentials.

In this analogy, the storage unit is your Windows computer memory. The padlock is the basic security that Windows puts in place to protect your passwords. The facility manager is the LSASS process that holds the master key because it needs to verify your identity every time you access your files. The dishonest employee is the attacker who already has some level of access to your system, like a user account with limited rights. Mimikatz is the tool that allows that employee to steal the master key and open every locked door in the system.

Just like the storage facility would need better security, such as separate keys for each unit and a 24-hour guard, Windows needs additional protections like Credential Guard, multi-factor authentication, and regular security updates to prevent Mimikatz from succeeding. The analogy shows that even if you have a strong password (a good lock), the real vulnerability is in how the system handles that password after you log in. The tool does not crack your password; it simply copies it from where the system has stored it.

Why This Term Matters

Mimikatz matters because it reveals a fundamental truth about Windows authentication: credentials stored in memory are not as safe as most people think. For years, users and even some IT administrators believed that hashed passwords were impossible to reverse. Mimikatz proved that it does not matter whether the password is hashed or encrypted in memory because the tool can extract the hash or even the plaintext directly from the LSASS process. This changes the security conversation from "how strong is your password" to "how well is your memory protected."

In a practical IT context, understanding Mimikatz helps administrators harden their systems. It drives the adoption of features like Windows Defender Credential Guard, which isolates LSASS in virtualized secure memory, and the use of Protected Users Security Group in Active Directory, which prevents caching of credentials. It also reinforces the importance of limiting administrative privileges and using local administrator password solutions (LAPS) to avoid credential reuse.

For incident responders and forensics analysts, Mimikatz is a critical artifact. When a system is compromised, detecting Mimikatz execution can provide evidence of the attacker’s intent and movement. Conversely, red teams use Mimikatz to test whether an organization’s defense mechanisms are effective. The tool is a double-edged sword, and its importance cannot be overstated. Without Mimikatz, many of the modern security best practices around credential management would not exist.

How It Appears in Exam Questions

In certification exams, Mimikatz questions typically fall into three patterns: scenario-based, tool identification, and mitigation.

Scenario-based questions describe a security incident and ask the candidate to identify the tool used. For example: "A security analyst notices that a user's credentials were used to access a server from a remote workstation. An investigation reveals that the attacker used a tool to dump the password hash from the local machine's memory. Which tool was most likely used?" The answer is Mimikatz. Another scenario might describe an attacker who, after gaining admin access, runs a command that extracts all cached passwords from the LSASS process. The question may ask which module or command is used.

Tool identification questions often present a command or output. For instance: "An attacker runs the following command: sekurlsa::logonpasswords. Which tool is being executed?" The answer is Mimikatz. Some questions may show a list of processes and ask which process is being targeted by Mimikatz (LSASS.exe).

Mitigation questions ask how to prevent Mimikatz from working. For example: "Which security feature prevents Mimikatz from accessing credentials stored in LSASS by isolating it in a virtualized environment?" The answer is Windows Defender Credential Guard. Or: "Which registry setting should be set to prevent WDigest from storing plaintext passwords in memory?" The answer is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, with UseLogonCredential set to 0.

Troubleshooting questions may also appear in the context of a penetration test. For example: "A pentester runs Mimikatz but receives an error saying memory access denied. What is the most likely reason?" The answer could be that the system has Credential Guard enabled. Or: "Mimikatz outputs only NTLM hashes but not plaintext passwords. What is the most likely reason?" The answer could be that the user logged in with a Microsoft account (pass-through authentication) or that the system is configured to use Credential Guard.

Practise Mimikatz Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a security analyst for a medium-sized company. One morning, you receive an alert from the endpoint detection system: a suspicious process named 'mimikatz.exe' was detected on a file server. The alert shows that the process was launched from a command prompt by a user named 'jdoe', who is a standard domain user.

You investigate further and find that the user 'jdoe' had previously reported a slow computer and that a help desk technician had granted 'jdoe' local administrator rights to install a printer driver two days ago. The attacker, who had compromised 'jdoe's account, used those admin rights to run Mimikatz on the file server. The tool successfully extracted the NTLM hash of the domain administrator account that had logged into that file server during the weekly maintenance window.

With that hash, the attacker was able to perform a pass-the-hash attack and gain full control over the domain controller.

As a security analyst, you need to explain to management how this happened. You describe that Mimikatz read the memory of the LSASS process, which held the domain admin credentials because the admin had connected to the file server remotely. You recommend implementing Windows Defender Credential Guard on all sensitive servers, revoking the local admin rights from standard users, and enabling monitoring for LSASS memory access attempts. This scenario illustrates how a single oversight-giving a user unnecessary admin rights-can lead to a full domain compromise using Mimikatz.

Common Mistakes

Believing that Mimikatz only works on old Windows versions like XP or 7.

Mimikatz works on modern Windows 10, Windows 11, and Windows Server 2019 and 2022, although some protections like Credential Guard can block it. It is not limited to legacy systems.

Assume that any Windows system without Credential Guard or proper hardening is vulnerable to Mimikatz, regardless of its version.

Thinking that a strong password alone protects against Mimikatz.

Mimikatz does not crack or brute-force passwords. It steals the hash or plaintext password directly from memory. Even the most complex password is extracted instantly if stored in LSASS memory.

Use additional protections like multi-factor authentication, Credential Guard, and limit administrative privileges to reduce the risk of credential theft.

Confusing Mimikatz with a password cracking tool like John the Ripper or Hashcat.

Mimikatz is a credential dumper, not a cracker. It extracts existing credentials from memory, whereas cracking tools try to reverse a hash by guessing the plaintext input.

Understand that Mimikatz works post-exploitation on a live system, while cracking tools are usually run offline against a captured hash file.

Assuming that enabling Windows Defender Credential Guard on all systems is enough and that no other measures are needed.

Credential Guard protects only domain credentials and does not protect local account credentials or certificates stored in memory. It also requires hardware virtualization support and is not forward compatible with all Windows editions.

Use a layered security approach: Credential Guard, LAPS, Remote Credential Guard, Protected Users group, and regular patch management.

Thinking that user awareness training can prevent Mimikatz attacks.

Mimikatz requires administrative privileges to run. User awareness training alone cannot prevent an attacker who already has admin rights from executing the tool. Training helps prevent the initial breach but is not a direct mitigation.

Combine training with technical controls like application whitelisting, least privilege, and attack surface reduction rules.

Exam Trap — Don't Get Fooled

{"trap":"The exam question says \"An attacker uses a tool to extract plaintext passwords from a Windows system by reading the memory of a specific process. Which process is targeted?\" and the answer choices include lsass.

exe, winlogon.exe, svchost.exe, and explorer.exe. Some learners might choose winlogon.exe because they know it handles interactive logons.","why_learners_choose_it":"Winlogon.exe is responsible for the interactive logon process and may seem like the logical target for credential theft.

Learners who do not know the specific LSASS memory dump technique might assume credentials are held in winlogon.","how_to_avoid_it":"Remember that LSASS (Local Security Authority Subsystem Service) is the process that caches logon credentials for single sign-on. Mimikatz specifically targets lsass.

exe. Winlogon handles the logon UI and passes credentials to LSASS but does not store them long-term."

Commonly Confused With

MimikatzvsPass-the-Hash (PtH) attack

Mimikatz is a tool that extracts password hashes from memory, while pass-the-hash is a technique that uses those hashes to authenticate to other systems without needing the plaintext password. Mimikatz enables pass-the-hash by providing the hash, but they are not the same thing.

Mimikatz is like a lock pick that opens a safe to get the key inside. Pass-the-hash is using that key to unlock other doors.

MimikatzvsWindows Credential Guard

Windows Defender Credential Guard is a security feature that prevents Mimikatz from accessing LSASS memory by isolating it in a virtualized secure environment. They are opposites: Credential Guard blocks the tool that Mimikatz represents.

If Mimikatz is a thief that picks locks, Credential Guard is a security system that makes the lock impossible to pick by encasing it in a solid steel box.

MimikatzvsHashcat

Hashcat is a password cracking tool that takes an NTLM hash file and attempts to find the plaintext password through brute force or dictionary attacks. Mimikatz extracts the hash from a live system; Hashcat works offline and does not require access to the original machine.

Mimikatz is like stealing a locked box from a house. Hashcat is like trying every possible key to open the box once you are safely home.

MimikatzvsLSASS (Local Security Authority Subsystem Service)

LSASS is the Windows process that stores credentials in memory. Mimikatz is the tool that reads that memory. It is like confusing the bank vault with the burglar who robs it.

LSASS is the safe inside a store. Mimikatz is the thief who cracks open the safe.

Step-by-Step Breakdown

1

Initial Access

The attacker gains initial access to a Windows system, typically through phishing, exploiting a vulnerability, or using stolen credentials. Mimikatz only works after the attacker has a foothold.

2

Privilege Escalation

Mimikatz requires administrative or SYSTEM-level privileges to access LSASS memory. The attacker must escalate privileges if they only have a standard user account. This can be done using system exploits or by leveraging misconfigurations.

3

Execution of Mimikatz

The attacker uploads or downloads Mimikatz onto the target system. The tool can be executed as a standalone binary (mimikatz.exe), a DLL, or through PowerShell using Invoke-Mimikatz. Execution is often launched from a command prompt with elevated privileges.

4

Command Input

The attacker runs the Mimikatz command 'privilege::debug' to enable the necessary privilege (SeDebugPrivilege) which allows reading memory of other processes. Without this step, LSASS memory access is denied.

5

Credential Extraction

The attacker runs 'sekurlsa::logonpasswords' to dump credentials from LSASS memory. The tool outputs NTLM hashes and, if available, plaintext passwords for all logged-in users. These may include local accounts, domain accounts, and service accounts.

6

Post-Exploitation

The attacker uses the extracted credentials to move laterally across the network. For example, they can pass the hash to access other servers, or they can forge Kerberos tickets using the 'kerberos::golden' module to gain domain admin privileges.

7

Covering Tracks

The attacker may delete the Mimikatz binary or use reflective loading techniques to avoid writing to disk. They may also clear event logs to hide evidence of execution.

Practical Mini-Lesson

Mimikatz is not a tool you install once and forget. It requires careful handling, and security professionals need to understand its behavior to defend against it or use it responsibly in penetration testing. When you run Mimikatz on a test system, always start by right-clicking Command Prompt and selecting "Run as administrator." This step is non-negotiable because without administrative rights, the tool cannot enable SeDebugPrivilege.

Once you have the console open, the first command is 'privilege::debug'. This command grants the current process the right to read the memory of other processes. If this command fails, check whether the account has admin rights or if Credential Guard is enabled. You can verify with '!process token' to see your current token privileges.

After privileges are set, run 'sekurlsa::logonpasswords'. This will output a list of all active logon sessions and the associated credentials. You will see columns like Username, Domain, NTLM hash, and sometimes plaintext password (under the 'Password' field). The NTLM hash is a 32-character hexadecimal string. In a real penetration test, you may only see hashes and not plaintext, especially on newer systems.

One common issue is that Mimikatz may output 'ERROR kuhl_m_sekurlsa_acquireLSA' or 'Access denied'. This usually indicates that the system has some form of credential protection. Check if the Target Host has the 'Isolated User Mode' (IUM) process running, which indicates Credential Guard. In such cases, you may need to target the system from a kernel perspective or use an alternative attack like dumping the SAM hive via registry instead.

What can go wrong? If you run Mimikatz on a live production environment without authorization, you could crash LSASS and force the system to reboot. Some antivirus software will detect Mimikatz and quarantine it immediately. To avoid detection, experienced users rename the binary or use the PowerShell reflection method, which loads Mimikatz directly into memory without writing to disk.

For professionals, the most important takeaway is that Mimikatz is not a magic wand. It is a diagnostic tool that shows the real risk of credential caching. When you understand how Mimikatz works, you can justify the cost of implementing Credential Guard, LAPS, and multi-factor authentication. It also helps you audit your environment: run Mimikatz on a test machine after applying security updates to verify that protections are working.

Mimikatz Credential Dumping Mechanisms and Impact on Windows Security

Mimikatz is a post-exploitation tool developed by Benjamin Delpy that is widely used by penetration testers, red teams, and unfortunately, malicious attackers to extract plaintext passwords, hashes, PINs, and Kerberos tickets from Windows memory. Its core functionality revolves around abusing the Local Security Authority Subsystem Service (LSASS) process, which caches credential material for single sign-on and other authentication purposes. Understanding how Mimikatz works is critical for IT professionals preparing for certification exams such as CompTIA Security+, CISSP, and CEH, as it demonstrates the real-world implications of insufficient memory protection and privilege escalation.

The primary attack vector for Mimikatz requires administrative or SYSTEM-level privileges on the target Windows machine. Once these privileges are obtained, typically through exploitation of remote vulnerabilities or lateral movement, Mimikatz can interface with LSASS to read its memory space. The most famous command is sekurlsa::logonpasswords, which enumerates all logon sessions stored in LSASS and attempts to decrypt any passwords or hashes using built-in Windows APIs. In older versions of Windows (pre-Windows 10 1803), this was almost always successful because LSASS stored credentials in reversible or easily accessible forms. Even with modern mitigations like Credential Guard and Windows Defender Credential Guard, Mimikatz has evolved to bypass certain protections by targeting secondary caches, such as the SAM registry hive or the Domain Controller's NTDS.dit file.

The impact of a successful Mimikatz attack is severe. An attacker can gain access to domain administrator credentials, service account passwords, and user credentials, which can then be used for privilege escalation, persistence, lateral movement, and data exfiltration. For example, extracting the NTLM hash of a domain administrator enables pass-the-hash attacks against other systems on the network. The tool also supports extracting Kerberos tickets, which can be used for pass-the-ticket and golden ticket attacks, granting unauthorized access to any resource in the domain. For exams, this underscores the importance of least privilege, multi-factor authentication, and implementing protections like LSA protection (RunAsPPL), Credential Guard, and restricting debug privileges. Questions may ask about the specific command to dump credentials or the registry keys that Mimikatz targets, such as HKEY_LOCAL_MACHINESAM.

To defend against Mimikatz, organizations should enable Windows Defender Credential Guard on all supported Windows 10/11 Enterprise and Server editions, which virtualizes LSASS and prevents direct memory access from user-mode processes. Setting the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaRunAsPPL to 1 enables LSA protection, making it harder for Mimikatz to read LSASS memory. Regular patching, application whitelisting, and monitoring for known Mimikatz binaries or execution patterns (e.g., powershell -exec bypass -command Invoke-Mimikatz) are also effective. On exams, you may be asked to identify the most effective countermeasure or to analyze a log entry that shows Mimikatz execution. Understanding these mechanisms is essential for any security professional aiming to protect Windows environments from credential theft.

Mimikatz Kerberos Ticket Attacks: Golden Tickets, Silver Tickets, and Forged Tickets

Beyond simple password dumping, Mimikatz is infamous for its ability to manipulate Kerberos authentication, which is the backbone of authentication in Active Directory environments. These attacks exploit the trust relationships and ticket-granting system that Kerberos uses, allowing attackers to forge authentication tickets and gain unauthorized access without ever needing a plaintext password. For certification exams like CompTIA Security+ and CISSP, these attacks are classic examples of authentication bypass and trust exploitation, often presented in scenario-based questions.

The most dangerous of these is the Golden Ticket attack. To execute this, an attacker needs the KRBTGT account's NTLM hash, which is stored only on the Domain Controller. Once obtained (often via LSASS dumping), Mimikatz can forge a Kerberos Ticket Granting Ticket (TGT) that is valid for any user, group, or resource in the domain. For example, the command kerberos::golden /user:Administrator /domain:contoso.com /sid:S-1-5-21-123456789-1234567890-123456789 /krbtgt:1234567890abcdef1234567890abcdef /id:500 /groups:512,519,518,513 creates a TGT for the built-in Administrator account with domain admin group memberships. This ticket is valid for up to 10 years by default (or until the KRBTGT password is rotated twice), giving the attacker persistent domain admin access. On exams, you might be asked what the command generates or what the necessary prerequisites are (KRBTGT hash and domain SID).

A closely related attack is the Silver Ticket, which forges a service ticket (TGS) for a specific service, such as CIFS (file sharing), HTTP (web services), or LDAP (directory services). Unlike the Golden Ticket, which grants access to everything, a Silver Ticket only gives access to the targeted service, but it does not require communication with the Domain Controller, making it stealthier. For instance, the command kerberos::golden /user:ServiceUser /domain:contoso.com /sid:S-1-5-21-123456789 /target:server.contoso.com /service:CIFS /rc4:abcdef... /ptt injects a forged service ticket for file access. Since the service validates the ticket using the service account's NTLM hash, the attacker only needs that hash, which can be dumped from the service's LSASS. Exams often contrast Golden vs. Silver tickets: Golden tickets give domain-wide access but require the KRBTGT hash; Silver tickets give limited access but are easier to obtain and less likely to trigger alerts.

Mimikatz also supports pass-the-ticket (PTT) attacks, where an existing Kerberos ticket is extracted and reused on another machine. The command kerberos::ptt ticket.kirbi loads a captured ticket into the current session, allowing immediate access to resources the ticket authorizes. This is often combined with sekurlsa::tickets /export to dump all current tickets. Understanding these attacks is crucial because they bypass traditional password-based defenses and are often missed by standard antivirus. Defenses include using Managed Service Accounts (gMSAs) with automatic password rotation, enabling Kerberos armoring (FAST), and monitoring for anomalous ticket requests or usage. For IT certification exams, expect questions about the difference between Golden and Silver tickets, the hash required for each, and which groups are added to a forged ticket to escalate privileges.

Troubleshooting Clues

Symptom: Mimikatz launches but shows 'ERROR kuhl_m_sekurlsa_acquireLSA'

Symptom: Mimikatz outputs only NTLM hashes, no plaintext passwords

Symptom: Antivirus immediately quarantines the Mimikatz binary

Memory Tip

Remember 'MIMI' as 'Memory Into Memory, Invading', Mimikatz invades LSASS memory to steal credentials. The key letters 'LS' help you recall it targets LSASS.

Learn This Topic Fully

This glossary page explains what Mimikatz means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Quick Knowledge Check

1.What is the first command that must be executed in Mimikatz before attempting to dump credentials with sekurlsa::logonpasswords?

2.Which hash is required to perform a Golden Ticket attack with Mimikatz?

3.A security analyst finds a log entry showing the command 'lsadump::dcsync /user:CONTOSO\krbtgt' executed on a compromised workstation. What is the most likely goal?

4.How does Windows Defender Credential Guard prevent Mimikatz from dumping credentials from LSASS memory?

5.Which Mimikatz command would an attacker use to inject a previously extracted Kerberos ticket into their current logon session on a new machine?

Frequently Asked Questions

Is Mimikatz illegal to use?

Mimikatz itself is not illegal; it is a legitimate security testing tool. However, using it on a system without explicit authorization is considered illegal hacking and can result in criminal charges.

Can Mimikatz steal passwords from a remote computer?

Mimikatz runs locally on a compromised machine. It cannot directly target a remote computer's memory, but an attacker can copy the tool to a remote system after gaining access.

Does encrypting the hard drive with BitLocker protect against Mimikatz?

No. BitLocker protects data at rest, but once Windows is running and the user logs in, credentials are stored in RAM, which Mimikatz can access.

Does Windows Defender detect Mimikatz?

Yes, Windows Defender antivirus will detect and block the Mimikatz binary as a hack tool. However, attackers often rename or obfuscate the tool to evade detection.

What is the difference between sekurlsa::logonpasswords and lsadump::sam?

sekurlsa::logonpasswords extracts credentials from the LSASS process memory, which includes currently logged-in users. lsadump::sam reads the local SAM registry hive, which contains local user account hashes.

Can Mimikatz work on Linux or macOS?

No, Mimikatz is specifically designed for Windows. It relies on Windows APIs and processes like LSASS that do not exist on other operating systems.

Why does Mimikatz sometimes show passwords in plaintext and sometimes only hashes?

It depends on the Windows version and configuration. On older systems (Windows 7 and earlier) and systems with WDigest enabled, plaintext passwords are stored. On newer systems with Credential Guard, only hashes are available.

Summary

Mimikatz is a powerful open-source tool that exposes a critical weakness in Windows authentication by extracting credentials directly from memory. It is not a password cracker but a credential dumper that works after an attacker already has a foothold. Understanding Mimikatz is essential for IT professionals because it drives the adoption of advanced security features like Windows Defender Credential Guard, the Protected Users Security Group, and the principle of least privilege.

From an exam perspective, Mimikatz appears in Security+, CySA+, CEH, OSCP, and SC-200 exams, usually in the context of identifying the tool, understanding its target process (LSASS), and knowing mitigations. The most common exam traps involve confusing it with password cracking tools or thinking it only works on old systems.

The key takeaway for any IT learner is that Mimikatz is not something to fear, but something to understand. By learning how it works, you can better protect your systems and recognize the signs of a credential theft attack. Always remember: if an attacker has admin rights, Mimikatz can steal any credential stored in memory. The only defense is to ensure that credentials are never stored in memory in the first place, or to isolate that memory through virtualization.