What is Mimikatz?
Mimikatz (S0002) is an open-source tool that extracts authentication credentials from computer memory. It targets the Windows LSASS process to dump plaintext passwords and password hashes.
Although it was originally written for security research, attackers now use it widely for credential theft. By enabling attacks such as pass-the-hash, Mimikatz is a key post-exploitation tool for privilege escalation and lateral movement within a network, and its use often precedes major ransomware attacks.
How to Defend Against Mimikatz?
A layered defense can effectively counter Mimikatz by protecting credentials at rest in memory and by detecting the distinctive behaviors the tool exhibits, above all its access to LSASS memory.
- Keep systems patched to limit initial access vulnerabilities.
- Enforce strong password policies and limit administrative privileges.
- Use network segmentation to contain potential lateral movement.
- Deploy endpoint detection and response (EDR) to detect and block attempts to read LSASS process memory.
- Use network detection (NDR) and integrated threat intelligence to continuously monitor and block known Mimikatz activity.
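The detection point in the list above (reading LSASS memory) can be expressed as a simple rule over Sysmon Event ID 10 (ProcessAccess) telemetry, which records one process opening a handle to another together with the GrantedAccess mask. The code below is an added defender-side example, not part of the original page: the pipe-delimited log format, the allowlist of source images and the sample events are all constructed, and a credential dumper must hold at least PROCESS_VM_READ on lsass.exe.

```python
"""Flag non-allowlisted processes that obtain read access to LSASS memory.

Sysmon Event ID 10 (ProcessAccess) is the data source; the flat
'Key=Value|Key=Value' line format used here is a constructed simplification
of the real XML event, and the sample events are constructed, not real telemetry.
"""
import re

PROCESS_VM_READ = 0x0010  # Win32 access right required to read another process's memory

# Constructed allowlist for a hypothetical environment; build yours from a baseline.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

FIELD_RE = re.compile(r"(\w+)=([^|]+)")


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' line into a dict of string fields."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process is granted VM_READ on lsass.exe."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def scan(lines):
    """Return the SourceImage of every event that matches the detection."""
    events = [parse_event(line) for line in lines]
    return [e["SourceImage"] for e in events if is_suspicious_lsass_access(e)]


SAMPLE_LOG = [  # constructed events
    "EventID=10|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "EventID=10|SourceImage=C:\\Users\\alice\\Downloads\\tool.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for src in scan(SAMPLE_LOG):
        print("ALERT: suspicious LSASS handle opened by", src)
```

Only the second sample event fires: the first comes from an allowlisted image, the third lacks the VM_READ bit, and the fourth is not a ProcessAccess event at all.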