What is Mimikatz?


Updated on August 29, 2025

Mimikatz has earned its reputation as one of the most powerful and widely-used post-exploitation tools in cybersecurity. Developed by Benjamin Delpy, this open-source utility has become essential for both malicious actors and ethical red teamers worldwide.

At its core, Mimikatz extracts credentials from the memory of Windows systems. This capability makes it a critical tool for lateral movement, privilege escalation, and persistence in compromised networks. Understanding how Mimikatz operates is essential for network defenders and cybersecurity professionals who need to detect, prevent, and mitigate its use.

This technical overview examines Mimikatz’s functionality, key modules, and the security mechanisms designed to counter its capabilities. Whether you’re conducting penetration tests or strengthening your organization’s defenses, this guide provides the technical foundation you need.

Definition and Core Concepts

Mimikatz is an open-source command-line tool written in C. Its primary function centers on extracting sensitive authentication data directly from Windows memory. This includes plaintext passwords, NTLM hashes, and Kerberos tickets stored in the Local Security Authority Subsystem Service (LSASS) process.

Understanding several key concepts is essential for grasping how Mimikatz operates:

  • Local Security Authority Subsystem Service (LSASS) serves as a critical Windows process that manages security policies and user authentication. LSASS stores credentials in memory to facilitate single sign-on (SSO) and handle authentication for logged-on users. This makes it a prime target for credential extraction tools.
  • Credential dumping refers to the act of extracting a user’s authentication credentials from a computer’s memory or storage. Mimikatz specializes in this technique, particularly when targeting LSASS memory structures.
  • Pass-the-Hash (PtH) represents an attack technique where an attacker uses a user’s NTLM password hash to authenticate to a network service. The attacker never needs to know the plaintext password. Mimikatz serves as a primary tool for facilitating this attack method.
  • Pass-the-Ticket (PtT) involves extracting a user’s Kerberos tickets from memory and replaying them from another session or host. A stolen Ticket-Granting Ticket (TGT) lets the attacker request service tickets as that user for as long as the TGT is valid; a stolen service ticket grants access to that one service only. Either way the attacker never needs the password or hash.

How Mimikatz Works

Mimikatz operates by interacting directly with the LSASS process in compromised Windows systems. The tool typically requires elevated privileges such as Administrator or SYSTEM access to succeed.

The process begins with gaining access. Mimikatz first needs sufficient permissions to read the memory of the protected LSASS process. Attackers often achieve this through privilege escalation techniques on the target machine.

Once elevated privileges are obtained, Mimikatz opens a handle to LSASS with the documented OpenProcess and ReadProcessMemory APIs; everything after that relies on undocumented, version-specific internals. It locates the in-memory structures where authentication packages such as msv1_0.dll (NTLM), kerberos.dll (Kerberos), wdigest.dll (WDigest) and tspkg.dll (Terminal Services SSO) keep per-logon-session credentials. Those records are stored encrypted (3DES or AES) with keys that LSASS itself holds, so Mimikatz also has to find the keys, which it does by byte-pattern searching inside lsasrv.dll. This is why a new Windows build can break the tool until its signatures are updated.

The final step is parsing and extraction. Mimikatz walks the logon-session list, decrypts each credential blob and prints what it finds: NTLM hashes, Kerberos session keys and tickets, and plaintext passwords wherever a package caches them. WDigest is the classic plaintext source. It caches the reversible credential by default on Windows 7/Server 2008 R2 and earlier (KB2871997 added the off switch there), and on Windows 8.1/Server 2012 R2 and later only when HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential is set to 1.

Key Features and Components

Mimikatz operates as a modular tool with several key components designed for different attack vectors. Each module serves specific purposes in the credential extraction and abuse process.

  • The sekurlsa module stands as the most well-known component, used for credential dumping from the LSASS process. The sekurlsa::logonpasswords command serves as a staple for extracting various credential types from system memory.
  • The kerberos module focuses specifically on attacks against the Kerberos protocol. Security professionals can use it to export the tickets of the current session to .kirbi files with kerberos::list /export, inject a ticket into a session with kerberos::ptt, and forge Golden Tickets with kerberos::golden for persistent domain-wide access.
  • The lsadump module handles attacks against data held by the Local Security Authority (LSA) rather than in LSASS process memory: lsadump::sam reads local account hashes from the SAM, lsadump::secrets reads LSA secrets such as service-account passwords, and lsadump::dcsync asks a domain controller to replicate an account’s secrets over the directory replication protocol, which is how attackers with replication rights obtain the krbtgt hash without ever touching the DC’s disk.
  • The privilege module is a prerequisite for most of the above. privilege::debug enables SeDebugPrivilege in Mimikatz’s own access token (the privilege itself must already be assigned to the account, as it is for local Administrators); holding it bypasses the LSASS process DACL so that a handle with read access can be opened. Running directly as SYSTEM makes this step unnecessary.

Use Cases and Applications

Mimikatz serves multiple purposes in the post-exploitation phase of security assessments and attacks. Understanding these use cases helps security professionals prepare appropriate defenses.

  • Lateral movement represents a primary use case where attackers dump credentials from one compromised machine and use them to authenticate to other systems on the network. This technique allows for network traversal without additional exploitation.
  • Privilege escalation occurs when attackers dump credentials of privileged users to escalate their access from low-privilege accounts to domain administrator level. This dramatically increases the scope of potential damage.
  • Persistence involves forging Kerberos Golden Tickets or other long-lived credentials. This allows attackers to maintain a persistent presence in networks even if their initial access is detected and remediated.
  • Security testing by red teamers and penetration testers uses Mimikatz to simulate real-world attacks. This helps identify misconfigurations and test the effectiveness of security controls such as endpoint detection and response (EDR) solutions.

Security Mechanisms and Mitigation Strategies

Modern Windows systems include several security mechanisms designed to mitigate Mimikatz and similar credential extraction tools.

  • LSA Protection (RunAsPPL) became available with Windows 8.1 and Windows Server 2012 R2. It runs LSASS as a Protected Process Light, so that even an administrator or SYSTEM process cannot open it with read or write access unless that process is itself protected and signed accordingly. Mimikatz can only get past it by first loading its own signed kernel driver (mimidrv.sys) to strip the protection flag, which is noisy and is blocked outright where HVCI or a driver blocklist is enforced.
  • Credential Guard uses virtualization-based security to move the secrets themselves into an isolated process (LSAIso.exe) that runs in a separate virtual trust level. LSASS keeps only handles to them, so reading LSASS memory no longer yields domain NTLM hashes or Kerberos keys. Its scope is worth knowing: it protects domain credentials on the host it runs on, but not local SAM accounts on that host (lsadump::sam), and it does nothing against DCSync, which never touches LSASS.
  • Detection capabilities allow organizations to identify Mimikatz usage by monitoring behaviour rather than binaries, because the tool is open source and is trivially recompiled or loaded reflectively (for example Invoke-Mimikatz), so file hashes catch only the unmodified release. Reliable signals include a non-system process opening a handle to lsass.exe with a PROCESS_VM_READ access mask (Sysmon Event ID 10, GrantedAccess values such as 0x1010 or 0x1410), Security Event ID 4624 with logon type 9 and logon process “seclogo” (the session created by sekurlsa::pth), Event ID 4662 showing a non-DC account exercising the DS-Replication-Get-Changes rights (GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, the DCSync fingerprint), and the module command strings themselves in command-line or PowerShell script-block logs.
  • Effective mitigation strategies include limiting privileged access through the principle of least privilege, disabling WDigest credential caching (UseLogonCredential = 0), enabling LSA Protection and Credential Guard by policy, implementing robust EDR and behavioural analytics, and adopting a tiered administrative model so that Domain Admin credentials are never typed into workstations or member servers where they would be cached and dumped.
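As an added defender-side example (not part of the original article), the following PowerShell script checks the three hardening controls just described and then hunts the Sysmon log for the behaviour that sekurlsa::logonpasswords cannot avoid: opening a handle to lsass.exe with read access. It assumes an elevated PowerShell session on Windows 10/Server 2016 or later (so Credential Guard can be queried through WMI) and Sysmon with ProcessAccess (Event ID 10) logging enabled for lsass.exe; the source-image allow-list is a placeholder to tune per fleet, and the registry paths, value names and event fields are the real ones.

```powershell
# Added example, not from the original article. Run elevated.
# -Enforce writes the two registry-backed settings; LSA Protection takes effect after a reboot.
param(
    [switch]$Enforce,
    [int]$LookbackHours = 24
)

$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent instead of throwing
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# --- 1. Hardening posture -------------------------------------------------
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
[pscustomobject]@{
    RunAsPPL               = Get-RegValue $lsa 'RunAsPPL'               # want 1
    WDigestUseLogonCred    = Get-RegValue $wdigest 'UseLogonCredential' # want 0 (absent = off on 8.1/2012 R2+)
    CredentialGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))  # 1 = Credential Guard
} | Format-List

if ($Enforce) {
    New-ItemProperty -Path $lsa     -Name 'RunAsPPL'           -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $wdigest -Name 'UseLogonCredential' -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host 'RunAsPPL=1 and UseLogonCredential=0 written; reboot to activate LSA Protection.'
    # Credential Guard is enabled through VBS policy (Group Policy/Intune), not one value, so it is only reported.
}

# --- 2. Who opened LSASS? (Sysmon Event ID 10, ProcessAccess) -------------
# Only masks that include PROCESS_VM_READ (0x0010) can dump memory. 0x1010 and 0x1410
# are the classic Mimikatz/ProcDump values; 0x1FFFFF is PROCESS_ALL_ACCESS.
$allowedSources = @(                      # placeholder allow-list: tune to your EDR/AV and OS components
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe'
)
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 10
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$hits = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.TargetImage -notlike '*\lsass.exe') { continue }
    $mask = [Convert]::ToInt32($d.GrantedAccess, 16)        # GrantedAccess is logged as "0x1010"
    if (($mask -band 0x10) -eq 0) { continue }               # no VM_READ: cannot read credentials
    if ($allowedSources -contains $d.SourceImage) { continue }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        SourceImage   = $d.SourceImage
        GrantedAccess = $d.GrantedAccess
        # Sysmon writes UNKNOWN(...) for stack frames not backed by a loaded module:
        # typical of reflectively loaded or injected code rather than a signed on-disk tool.
        InjectedCode  = [bool]($d.CallTrace -match 'UNKNOWN')
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

On a host where LSA Protection is active, the second half should return nothing from unprotected tools at all; a hit with RunAsPPL set to 1 therefore means either the allow-list is too wide or something has already tampered with the protection, and both deserve a look before the dump output does.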

Key Terms Reference

Understanding these terms helps security professionals communicate effectively about Mimikatz-related threats:

  • LSASS: The Local Security Authority Subsystem Service, a Windows process that handles authentication and stores credentials in memory.
  • Credential Dumping: The process of extracting credentials from a system’s memory or storage locations.
  • Pass-the-Hash (PtH): An attack technique that uses an NTLM hash for authentication instead of requiring the plaintext password.
  • Pass-the-Ticket (PtT): An attack technique that uses a stolen Kerberos ticket for network authentication.
  • Golden Ticket: A Kerberos Ticket-Granting Ticket (TGT) forged offline with the krbtgt account’s NTLM hash, typically obtained through DCSync. Because the KDC trusts any TGT it can decrypt, the forger chooses the user name, group SIDs and lifetime (Mimikatz defaults to ten years), and the ticket stays valid until the krbtgt password has been reset twice.
  • Lateral Movement: The technique of moving from one compromised system to another within a network infrastructure.
  • sekurlsa: The primary Mimikatz module used for credential dumping from the LSASS process.
