Mimikatz is an open-source credential extraction tool created by Benjamin Delpy that can extract plaintext passwords, NTLM hashes, Kerberos tickets, and perform pass-the-hash, pass-the-ticket, and Golden Ticket attacks against Windows authentication. It is used by both penetration testers and threat actors in virtually every major breach.

Mimikatz

Mimikatz (also known as Mimikatz, Katz) is a security tool / technique active since 2011. Windows credential extraction tool. Key characteristics include: LSASS credential dumping, pass-the-hash, Kerberos ticket extraction, DCSync, golden ticket attacks.

Overview & Background

Windows credential extraction tool. First identified in 2011, this threat is attributed to Benjamin Delpy (open source).

Threat Assessment

Mimikatz remains an active threat. Organizations should implement detection rules and monitor for indicators associated with this security tool / technique.

Category: Security Tool / Technique
Active since: 2011
Attribution: Benjamin Delpy (open source)
Also known as: Mimikatz, Katz

Technical Analysis

Mimikatz employs the following capabilities and techniques:

Lsass Credential Dumping: Core functionality
Pass-The-Hash: Core functionality
Kerberos Ticket Extraction: Core functionality
Dcsync: Core functionality
Golden Ticket Attacks: Core functionality

MITRE ATT&CK Mapping

Tactic	Technique	Usage
Initial Access	T1566.001 Phishing Attachment	Common delivery vector
Execution	T1204.002 Malicious File	User-triggered execution
Persistence	T1547.001 Registry Run Keys	Autostart persistence
Defense Evasion	T1027 Obfuscated Files	Payload obfuscation
C2	T1071.001 Web Protocols	HTTP/HTTPS C2

Detection & Defense

Endpoint detection: Deploy behavioral detection rules for Mimikatz indicators
Network monitoring: Monitor for C2 traffic patterns and anomalous connections
Threat intelligence: Track Mimikatz IOCs and campaign updates
Security awareness: Train users to recognize phishing and social engineering
Patch management: Keep systems updated to prevent exploitation

Defend Against Mimikatz

Mjolnir Security provides detection and response capabilities against Mimikatz and similar threats.

Threat DetectionIncident ResponseThreat HuntingMDR ServicesThreat Intelligence

Proactive Threat Hunting Hunt for Mimikatz indicators and TTPs within your environment.
Threat Intelligence Monitor Mimikatz campaigns and infrastructure changes.
24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.

Written by: Mjolnir Security  |  Published: June 16, 2025

Overview & Background

Technical Analysis

MITRE ATT&CK Mapping

Detection & Defense

Defend Against Mimikatz

Cobalt Strike: Adversary's Arsenal

Metasploit Framework