This chapter covers Mimikatz, the most powerful post-exploitation tool for credential extraction on Windows systems. For the PT0-002 exam, understanding Mimikatz is critical as it directly maps to Objective 3.4 (Attacks and Exploits) and appears in roughly 5-8% of exam questions. You will learn how Mimikatz works internally, the exact commands to extract credentials from LSASS memory, and how to defend against it. Mastery of this topic is essential for any penetration tester targeting Windows environments.
Imagine a large hotel with thousands of guest rooms, each locked with a unique keycard. The hotel also has a master key that can open every room. This master key is stored in a secure safe in the manager's office, but the hotel's computer system keeps a copy of the master key in memory whenever a staff member uses it to clean rooms. An attacker (Mimikatz) sneaks into the hotel's network and runs a program that dumps the contents of the computer's RAM. From that memory dump, the attacker extracts the master key's digital code. Now, the attacker can create a duplicate master keycard and access any room in the hotel. In Windows terms, the master key is the LSASS process memory, which holds hashed credentials (like NTLM hashes) and sometimes even plaintext passwords. Mimikatz uses specific functions (sekurlsa::logonpasswords) to extract these credentials from memory, just as the attacker dumps the hotel's RAM. The extracted hashes can be used in pass-the-hash attacks to impersonate users without needing the plaintext password. Additionally, Mimikatz can extract Kerberos tickets (TGTs and service tickets) from memory, allowing an attacker to perform pass-the-ticket attacks. The hotel's security system (Windows Defender, LSA protection) may try to prevent memory dumping, but Mimikatz can bypass these protections if run with appropriate privileges (SeDebugPrivilege).
What is Mimikatz and Why Does It Exist?
Mimikatz is an open-source post-exploitation tool created by Benjamin Delpy (gentilkiwi) that extracts plaintext passwords, NTLM hashes, and Kerberos tickets from Windows memory. It exploits the fact that Windows stores credentials in memory (the LSASS process) for caching purposes, such as single sign-on (SSO) and network authentication. The tool is not an exploit in itself; it requires administrative privileges (SYSTEM or local admin) to access LSASS memory. Mimikatz is commonly used by penetration testers and attackers after gaining an initial foothold on a Windows system.
How Mimikatz Works Internally
Mimikatz interacts with the Local Security Authority Subsystem Service (LSASS) process, which is responsible for enforcing security policies and handling authentication. LSASS stores credentials in memory in various forms:
- Plaintext passwords: When Windows uses WDigest (disabled by default on modern Windows, but can be enabled), passwords are stored in reversible form.
- NTLM hashes: Used for legacy authentication protocols.
- Kerberos tickets: Ticket Granting Tickets (TGTs) and service tickets are cached for SSO.
Mimikatz uses the Windows API to open a handle to LSASS with necessary privileges (SeDebugPrivilege), then reads the memory regions where credential structures are stored. The key module is sekurlsa::logonpasswords, which enumerates all logon sessions and extracts credentials. The extraction process relies on internal Windows structures like logon session, msv1_0, wdigest, and kerberos packages.
Key Components, Values, and Defaults
LSASS Process: PID varies; can be found via tasklist /fi "imagename eq lsass.exe". On Windows 10/11, LSASS runs under C:\Windows\System32\lsass.exe.
SeDebugPrivilege: Required to access LSASS memory. By default, only SYSTEM and Administrators have this privilege. Mimikatz must be run as Administrator.
WDigest: Legacy authentication package that stores plaintext passwords in memory. Disabled by default on Windows 8.1/2012 R2 and later. Can be enabled via registry: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest key UseLogonCredential set to 1.
NTLM Hashes: Stored in memory regardless of WDigest state. Extracted via sekurlsa::msv.
Kerberos Tickets: Cached in memory with default lifetime of 10 hours (TGT) and variable service ticket lifetimes. Extracted via sekurlsa::kerberos or sekurlsa::tickets.
LSA Protection (RunAsPPL): Windows 8.1/2012 R2 introduced LSA protection to prevent non-PPL (Protected Process Light) processes from accessing LSASS. Mimikatz can bypass with driver mimidrv.sys or by using !+ and !- commands to enable/disable debug mode.
Configuration and Verification Commands
To use Mimikatz: 1. Download mimikatz.exe (often renamed to evade AV). 2. Run as Administrator and enter:
privilege::debug
sekurlsa::logonpasswords
privilege::debug enables SeDebugPrivilege.
sekurlsa::logonpasswords dumps all credentials.
Other useful commands:
sekurlsa::msv # Dump NTLM hashes only
sekurlsa::wdigest # Dump WDigest plaintext (if enabled)
sekurlsa::tickets /export # Export Kerberos tickets to files
kerberos::ptt <ticket.kirbi> # Pass-the-ticket
sekurlsa::pth /user:admin /domain:contoso /ntlm:<hash> # Pass-the-hash (creates a new process with injected token)
How Mimikatz Interacts with Related Technologies
PowerShell Empire and Cobalt Strike: These frameworks integrate Mimikatz modules (e.g., Invoke-Mimikatz in PowerShell) to run in memory without dropping the binary to disk.
Windows Defender: Modern AV detects Mimikatz signatures. Attackers often use obfuscation or custom builds to bypass detection.
Credential Guard: On Windows 10/2016+, Credential Guard uses virtualization-based security to isolate LSASS, preventing direct memory access even with SYSTEM privileges. Mimikatz fails against Credential Guard unless the attacker also compromises the hypervisor.
LSA Protection (RunAsPPL): When enabled, LSASS runs as a Protected Process Light (PPL). Mimikatz can bypass this by loading a signed driver (mimidrv.sys) or by using the !+ command to first elevate to PPL and then dump.
Detailed Mechanism of sekurlsa::logonpasswords
Mimikatz opens a handle to LSASS using OpenProcess with PROCESS_VM_READ and PROCESS_QUERY_INFORMATION flags.
It calls NtQuerySystemInformation to enumerate logon sessions (LUIDs).
For each session, it uses LsaCallAuthenticationPackage to query credential data from the security packages (msv1_0, wdigest, kerberos).
The data is decrypted using internal keys (e.g., lsasrv.dll routines). Mimikatz mimics the same decryption process that LSASS uses.
Results are displayed in a structured format showing username, domain, NTLM hash, and if available, plaintext password.
Defenses Against Mimikatz
Enable LSA Protection: Set registry HKLM\SYSTEM\CurrentControlSet\Control\Lsa key RunAsPPL to dword:00000001.
Enable Credential Guard: Via Group Policy or Windows Defender Device Guard.
Disable WDigest: Ensure UseLogonCredential is 0 (default on modern Windows).
Limit Privileges: Remove SeDebugPrivilege from unnecessary accounts.
Use Microsoft LAPS: Local Administrator Password Solution randomizes local admin passwords.
Monitor for Mimikatz: Event ID 4672 (special privileges assigned), 4624 (logon), and 4688 (process creation) with command lines containing "mimikatz" or "privilege::debug".
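An added defensive check, not from the page or the Mimikatz project: a PowerShell script that audits the RunAsPPL and UseLogonCredential registry values and the Credential Guard state named above, then hunts Security event 4688 for the command-line strings the page lists. It assumes an elevated session and that "Include command line in process creation events" is enabled, since 4688 carries no command line otherwise.

```powershell
# Added example (not from the page or the Mimikatz project): audit a host for the
# Mimikatz defenses listed above and hunt 4688 events for the command strings the
# page names. Run in an elevated PowerShell session; reading the Security log
# requires administrator rights.

function Get-LsaHardeningState {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # RunAsPPL = 1 means LSASS runs as a Protected Process Light (LSA Protection).
    $runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    # UseLogonCredential = 1 re-enables WDigest plaintext caching; absent or 0 is
    # the safe default on Windows 8.1/2012 R2 and later.
    $useLogonCred = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential

    # Credential Guard reports itself through the DeviceGuard CIM class:
    # SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]@{
        LsaProtection    = ($runAsPpl -eq 1)
        WDigestPlaintext = ($useLogonCred -eq 1)
        CredentialGuard  = $credGuard
    }
}

function Find-MimikatzProcessCreation {
    param([int]$Hours = 24)
    # Indicators from the page: the binary name and privilege::debug. sekurlsa::
    # is included because a renamed binary still receives these module names on
    # its command line.
    $patterns = 'mimikatz', 'privilege::debug', 'sekurlsa::'
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull named EventData fields from the event XML rather than relying on
        # positional Properties indices.
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # CommandLine is empty unless command-line auditing is enabled by policy.
        $cmd = $data['CommandLine']
        if ($cmd -and ($patterns | Where-Object { $cmd -match [regex]::Escape($_) })) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['SubjectUserName']
                Process     = $data['NewProcessName']
                CommandLine = $cmd
            }
        }
    }
}

Get-LsaHardeningState | Format-List
Find-MimikatzProcessCreation -Hours 24 | Format-Table -AutoSize
```

A WDigestPlaintext value of True or an LsaProtection value of False is the misconfiguration the page describes; pair 4688 hits with 4672 events for the same logon ID to confirm the privileged context.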
Pass-the-Hash and Pass-the-Ticket
Mimikatz enables pass-the-hash (PtH) and pass-the-ticket (PtT) attacks:
- PtH: Using the NTLM hash extracted from memory, an attacker can authenticate to remote systems without knowing the plaintext password. Command: sekurlsa::pth /user:admin /domain:contoso /ntlm:aad3b435b51404eeaad3b435b51404ee.
- PtT: Using a Kerberos ticket exported from memory, an attacker can impersonate a user until the ticket expires. Command: kerberos::ptt ticket.kirbi.
Gain Administrative Access
Mimikatz requires administrative privileges (SeDebugPrivilege) to access LSASS memory. This is typically achieved after successful exploitation (e.g., via remote code execution, privilege escalation, or social engineering). Without admin rights, Mimikatz cannot open a handle to LSASS and will fail with an error. The attacker must first escalate privileges using tools like JuicyPotato, PrintNightmare, or token manipulation.
Enable Debug Privilege
Run `privilege::debug` inside Mimikatz. This command enables the SeDebugPrivilege for the current process, which is necessary to read LSASS memory. Without this step, subsequent commands will return errors. On systems with LSA protection (RunAsPPL), additional steps like `!+` are needed to elevate to PPL mode before debugging.
Extract Credentials with sekurlsa::logonpasswords
Execute `sekurlsa::logonpasswords`. Mimikatz enumerates all active logon sessions by querying the LSASS process. For each session, it calls the authentication packages (msv, wdigest, kerberos) to retrieve credential data. The output includes username, domain, NTLM hash, and sometimes plaintext password (if WDigest is enabled). This command dumps credentials from all users currently logged on, including services and scheduled tasks.
Extract NTLM Hashes Only
Run `sekurlsa::msv` to extract only NTLM hashes. This is faster and more focused than `logonpasswords`. The hashes are displayed in hexadecimal format. These hashes can be used directly for pass-the-hash attacks or offline cracking with tools like Hashcat (mode 1000). The output also includes the username and domain associated with each hash.
Extract Kerberos Tickets
Use `sekurlsa::tickets /export` to export all cached Kerberos tickets to .kirbi files. These tickets can be used for pass-the-ticket attacks to impersonate users without needing passwords. The command exports both TGTs and service tickets. The tickets are saved in the current directory with filenames like `[0;XXXXXX]-2-60-XXXXXXXX.kirbi`. The attacker can then inject a ticket using `kerberos::ptt <filename>`.
In enterprise environments, Mimikatz is frequently used during red team engagements to demonstrate the risk of credential theft. A common scenario is after gaining initial access via phishing: for example, an attacker compromises a workstation of a helpdesk employee who has local admin rights. The attacker runs Mimikatz to extract the NTLM hash of a domain admin who recently logged on to that workstation for troubleshooting. Using pass-the-hash, the attacker moves laterally to the domain controller and extracts the KRBTGT hash, enabling a Golden Ticket attack for persistent access.
In production, defenders often enable LSA Protection and Credential Guard on sensitive systems (e.g., domain controllers, admin workstations) to block Mimikatz. However, many organizations still have legacy systems (Windows 7, Server 2008) where Mimikatz works unimpeded. A misconfiguration example: an admin enables WDigest via registry for compatibility with an old application, inadvertently storing plaintext passwords in memory. The pentester finds this and extracts cleartext credentials for multiple users.
Another scenario: during an internal penetration test, the tester discovers that the local admin password is identical across all workstations (not using LAPS). After extracting the NTLM hash from one machine, they can authenticate to hundreds of others. Proper defense includes implementing LAPS, enabling Windows Defender Credential Guard, and monitoring for Event ID 4672 (special privileges assigned to new logon), which often indicates Mimikatz usage.
Performance considerations: on systems with many concurrent logon sessions (e.g., terminal servers), Mimikatz may take several seconds to enumerate all credentials, but this is rarely an issue in practice.
The PT0-002 exam tests Mimikatz under Objective 3.4 (Given a scenario, perform post-exploitation techniques). Specific objective codes include 3.4.1 (Credential dumping) and 3.4.2 (Pass-the-hash). The exam expects you to know:
The exact command to enable debug privileges: privilege::debug.
The command to dump all credentials: sekurlsa::logonpasswords.
That Mimikatz extracts credentials from LSASS memory.
That NTLM hashes are stored in memory and can be used for pass-the-hash.
That Kerberos tickets can be exported and used for pass-the-ticket.
Defenses: LSA Protection (RunAsPPL), Credential Guard, disabling WDigest.
Common wrong answers candidates choose:
1. "Mimikatz extracts passwords from the SAM database" – This is false; SAM contains local account hashes but Mimikatz primarily targets LSASS memory for currently logged-on users. The SAM can be dumped with lsadump::sam but that's a separate function.
2. "Mimikatz requires SYSTEM privileges, not just admin" – While SYSTEM is optimal, local admin with SeDebugPrivilege is sufficient. Many candidates think only SYSTEM works.
3. "Pass-the-hash requires the plaintext password" – No, it uses the NTLM hash directly without cracking.
4. "Mimikatz can extract credentials from any Windows version without restrictions" – Modern Windows with Credential Guard blocks Mimikatz, and LSA protection requires bypass.
Edge cases: The exam may ask what happens if WDigest is disabled – answer: no plaintext passwords, but NTLM hashes still extracted. Another edge: on systems with Credential Guard, Mimikatz fails entirely. The exam loves to test the difference between local admin and SYSTEM – remember that local admin can run Mimikatz if they have SeDebugPrivilege (which they do by default). To eliminate wrong answers, focus on the mechanism: LSASS memory stores credentials for currently logged-on users, not the SAM database. Defenses like Credential Guard use virtualization-based security, not just registry keys.
Mimikatz extracts credentials from LSASS memory, not the SAM database.
The command `privilege::debug` enables SeDebugPrivilege, required before dumping credentials.
`sekurlsa::logonpasswords` dumps all available credentials including NTLM hashes and plaintext passwords (if WDigest enabled).
NTLM hashes can be used for pass-the-hash attacks without cracking.
Kerberos tickets can be exported with `sekurlsa::tickets /export` and injected with `kerberos::ptt`.
LSA Protection (RunAsPPL) and Credential Guard are effective defenses, but Mimikatz can bypass LSA Protection with a driver.
WDigest must be enabled for plaintext passwords to be stored in memory; it is disabled by default on modern Windows.
Mimikatz requires administrative privileges, not necessarily SYSTEM.
Pass-the-hash uses the NTLM hash directly; no plaintext password needed.
Event ID 4672 (special privileges assigned) and 4688 (process creation) can indicate Mimikatz usage.
These come up on the exam all the time. Here's how to tell them apart.
Mimikatz
Extracts credentials from LSASS memory, including NTLM hashes, Kerberos tickets, and plaintext passwords if WDigest is enabled.
Requires administrative privileges (SeDebugPrivilege) to access LSASS.
Can be used for pass-the-hash and pass-the-ticket attacks after extraction.
Detected by antivirus and EDR; often needs obfuscation to avoid detection.
Open-source and widely used in red teaming and penetration testing.
Windows Credential Manager
Stores credentials (e.g., for network shares, websites) in a secure vault, not in LSASS memory.
Accessible to standard users without admin rights for their own stored credentials.
Cannot be used for pass-the-hash; credentials are encrypted and tied to the user's logon session.
Less likely to be targeted by attackers because it contains fewer high-value credentials.
Built into Windows; no additional tools needed for normal use.
Mistake
Mimikatz can extract passwords from the SAM file on disk.
Correct
Mimikatz's primary function is to extract credentials from LSASS memory, not the SAM file. The SAM file contains local account hashes, but it is locked by the system. Mimikatz can dump SAM via `lsadump::sam` but that requires SYSTEM privileges and is a separate command.
Mistake
Mimikatz requires SYSTEM privileges to work.
Correct
Mimikatz requires only administrative privileges (SeDebugPrivilege) to access LSASS. Local administrators have this privilege by default. SYSTEM is not required, though some commands (like `lsadump::sam`) do require SYSTEM.
Mistake
Pass-the-hash attacks require cracking the hash to get the plaintext password.
Correct
Pass-the-hash uses the NTLM hash directly to authenticate to network services. No cracking is necessary. The hash is used as the credential, bypassing the need for the plaintext password.
Mistake
Enabling LSA Protection (RunAsPPL) completely prevents Mimikatz from extracting credentials.
Correct
LSA Protection makes LSASS a Protected Process Light (PPL), which prevents non-PPL processes from accessing it. However, Mimikatz can bypass this by loading a signed driver (mimidrv.sys) or by using the `!+` command to elevate its own process to PPL level.
Mistake
Mimikatz only works on Windows 7 and older systems.
Correct
Mimikatz works on all Windows versions up to Windows 10/11 and Server 2022, provided that LSA Protection and Credential Guard are not enabled. On modern systems with these defenses, Mimikatz may require additional bypasses.
`sekurlsa::logonpasswords` dumps all credential information including NTLM hashes, plaintext passwords (if available), and Kerberos tickets. `sekurlsa::msv` specifically dumps only NTLM hashes from the MSV1_0 authentication package. The latter is more focused and faster if you only need hashes for pass-the-hash attacks. For PT0-002, know that `logonpasswords` is the most comprehensive command.
No, Mimikatz must run locally on the target system with administrative privileges. It cannot remotely extract credentials from another machine's LSASS. However, you can use remote execution tools like PsExec or WMI to run Mimikatz on a remote system if you have admin credentials.
`privilege::debug` enables the SeDebugPrivilege for the Mimikatz process. This privilege is required to open a handle to LSASS with PROCESS_VM_READ access. Without it, Mimikatz cannot read LSASS memory and will fail. On systems with LSA Protection, you may also need `!+` to enable debug mode for PPL.
Pass-the-hash (PtH) uses the NTLM hash extracted from memory to authenticate to remote services without needing the plaintext password. In Mimikatz, the command `sekurlsa::pth /user:admin /domain:contoso /ntlm:<hash>` creates a new process with the user's token injected, allowing you to access network resources as that user. The hash is used directly in NTLM authentication.
Key defenses include: (1) LSA Protection (RunAsPPL) – makes LSASS a PPL, but can be bypassed with a driver. (2) Credential Guard – uses virtualization-based security to isolate LSASS, preventing any access even with admin rights. (3) Disabling WDigest – prevents plaintext storage. (4) Limiting who has administrative privileges. (5) Using Microsoft LAPS to randomize local admin passwords.
Pass-the-hash uses NTLM hashes to authenticate via NTLM protocol. Pass-the-ticket uses Kerberos tickets (TGTs or service tickets) to authenticate via Kerberos. PtH works against systems that accept NTLM authentication; PtT works against systems using Kerberos. PtT is often more stealthy because Kerberos tickets have a limited lifetime (default 10 hours for TGT) and can be renewed.
Mimikatz shows plaintext passwords when the WDigest authentication package is enabled and stores passwords in reversible form. WDigest is disabled by default on Windows 8.1/2012 R2 and later. If enabled (via registry), Mimikatz can extract cleartext passwords from LSASS memory. This is why disabling WDigest is a recommended security measure.