
Mimikatz

Posted: April 12, 2019

Mimikatz is an open-source post-exploitation tool that extracts credentials from Windows (plaintext passwords, NTLM hashes, Kerberos keys and tickets) and lets threat actors reuse them to move laterally and keep access to a compromised network. It does not escalate privileges on its own: reading the memory of the LSASS process requires local administrator or SYSTEM rights (SeDebugPrivilege), so Mimikatz arrives after a foothold exists rather than as the first stage. It is rarely seen as a standalone binary; attackers load it as a module of post-exploitation frameworks (Metasploit's kiwi extension, Cobalt Strike, Empire), reflectively in memory, or through loaders that first disable or evade the installed anti-malware protection. Victims should isolate affected hosts from the network, have anti-malware products remove Mimikatz and the threats that delivered it, and then reset every credential that could have been cached on the compromised machines, including service accounts and, if a domain controller was reached, the krbtgt account (reset twice so that forged tickets signed with the old key stop working).

The Tool Holding the Door Open for Its Trojan Friends

Proof-of-concept and 'demonstrative' tools are risky territory even for well-meaning security researchers, because they are regularly hijacked for hostile purposes. Utku Sen's Hidden Tear is one case of software recycled for crime instead of education, but Mimikatz arguably has a deeper impact on the hacking scene. Instead of delivering a narrow, high-specificity attack, Mimikatz hands an attacker the credentials and account privileges needed to infect new systems or entrench on already-infected ones.

Mimikatz is a Windows-only utility that Benjamin Delpy published in 2011 to demonstrate that Windows kept plaintext credentials recoverable in LSASS memory (through the WDigest authentication provider), a weakness Microsoft was initially reluctant to treat as a security bug. Because the source code is freely available on GitHub, threat actors have used it in both famously broad campaigns and small, targeted attacks against Windows environments. Since most security products detect the stock binary immediately, the native executable is rarely the first stage of an infection; attackers instead drop a recompiled or obfuscated build, or load it in memory (for example through the Invoke-Mimikatz PowerShell script) as a later payload, after a computer is compromised and its security solutions are disabled.

Current builds of Mimikatz, as confirmed by malware analysts, include several modules for harvesting credentials and positioning threat actors to misuse them:

  • The sekurlsa::logonpasswords command reads LSASS memory and returns the credentials of every account with a logon session on the host, including recently logged-in users: NTLM hashes, Kerberos keys and tickets, and plaintext passwords wherever WDigest caching is still enabled. A second collection method, lsadump::dcsync, impersonates a domain controller over the directory replication protocol (MS-DRSR) and asks a real domain controller for any account's password hashes, including krbtgt. It needs an account that holds replication rights, typically a Domain Admin, rather than code running on the domain controller itself.
  • Mimikatz does not grant admin rights by itself (it needs them to start), but what it harvests lets the operator act as other, more privileged accounts and work around file-system and security restrictions. Pass-the-hash (sekurlsa::pth) and overpass-the-hash authenticate with a stolen NTLM hash, pass-the-ticket (kerberos::ptt) replays a stolen Kerberos ticket, and golden and silver tickets (kerberos::golden) forge tickets with a stolen krbtgt or service-account key. These are not bugs in Windows' default Kerberos authentication so much as consequences of its design: whoever holds the key or ticket is the principal.
  • A minority of features support persistence and evasion: the skeleton-key patch (misc::skeleton) modifies LSASS on a domain controller so that a master password works for every account, misc::memssp registers a security support provider that logs future logons in plaintext, the service:: and event:: modules can stop services and clear or suppress event logs, and crypto::certificates /export (with the CAPI and CNG patches) exports certificates whose private keys were marked non-exportable, for the threat actor's later use.
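The two collection methods in the first bullet leave distinct traces: reading LSASS memory shows up as a Sysmon Event ID 10 (ProcessAccess) against lsass.exe, and DCSync shows up as a Security Event ID 4662 in which an account exercises the directory-replication extended rights. The following detection logic is an added example written for this article; it is not Mimikatz code and not a vendor signature. The events it runs over are constructed by hand to resemble the real event schemas (field names are real, host and user names are invented), and the allowlist of benign LSASS readers is an assumption that has to be tuned per environment.

```python
"""Spot two Mimikatz credential-theft techniques in Windows telemetry.

Added example for this article; not Mimikatz code and not a vendor detection.
The events below are constructed to resemble Sysmon Event ID 10 (ProcessAccess)
and Security Event ID 4662 records; hosts and users are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Process access rights that sekurlsa::logonpasswords needs on lsass.exe.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Extended rights that lsadump::dcsync exercises on the domain object.
# These GUIDs are the documented Active Directory control-access rights.
DS_REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Processes that read LSASS memory legitimately on many hosts.
# Assumption: environment-specific; keep it short, every entry is a blind spot.
LSASS_READER_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass
class Finding:
    technique: str
    host: str
    actor: str
    detail: str


def reads_lsass_memory(granted_access: int) -> bool:
    """True when the mask allows reading process memory and querying the process.

    0x1010, 0x1410, 0x1438 and 0x1fffff (PROCESS_ALL_ACCESS) all satisfy this;
    0x1000 (query limited information only) does not.
    """
    can_query = granted_access & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION)
    return bool(granted_access & PROCESS_VM_READ) and bool(can_query)


def check_lsass_access(event: Dict[str, str]) -> Optional[Finding]:
    """Sysmon Event ID 10: a non-allowlisted process opening lsass.exe for reading."""
    if event.get("EventID") != "10":
        return None
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    source = event["SourceImage"].lower()
    if source in LSASS_READER_ALLOWLIST:
        return None
    granted = int(event["GrantedAccess"], 16)  # Sysmon writes the mask as hex text
    if not reads_lsass_memory(granted):
        return None
    return Finding("LSASS memory read (sekurlsa-style)", event["Computer"], source,
                   f"GrantedAccess=0x{granted:x}")


def check_dcsync(event: Dict[str, str], dc_accounts: Set[str]) -> Optional[Finding]:
    """Security Event ID 4662: replication rights used by something that is not a DC."""
    if event.get("EventID") != "4662":
        return None
    # Properties lists access-mask tokens (%%7688) and brace-wrapped GUIDs.
    rights = {tok.strip("{}").lower() for tok in event["Properties"].split()}
    used = rights & DS_REPLICATION_RIGHTS
    if not used:
        return None
    actor = event["SubjectUserName"]
    if actor in dc_accounts:
        return None  # domain controllers replicate with each other constantly
    return Finding("DCSync replication request", event["Computer"], actor,
                   "rights=" + ",".join(sorted(used)))


def scan(events: List[Dict[str, str]], dc_accounts: Set[str]) -> List[Finding]:
    """Run both checks over a batch of events and collect the findings."""
    findings = []
    for ev in events:
        hit = check_lsass_access(ev) or check_dcsync(ev, dc_accounts)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": "10", "Computer": "WS01", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "10", "Computer": "WS01", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": "10", "Computer": "WS01", "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": "4662", "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": "4662", "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": "%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"{f.technique} on {f.host}: {f.actor} ({f.detail})")
```

Two caveats before relying on this: Sysmon only emits Event ID 10 for lsass.exe if its configuration contains a ProcessAccess rule for that target, and Event ID 4662 only records replication rights if "Audit Directory Service Access" is enabled and the domain naming context carries a SACL covering those rights. Accounts that legitimately replicate without being domain controllers (for example a directory-synchronisation service account) belong in the exclusion set as well, or they will generate noise that buries a real DCSync.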

What Password Theft Evolves into When You Ignore It

Almost by definition, Mimikatz rarely acts alone, since its entire purpose is to turn one compromised PC into credentials that give threat actors more of your network than they previously had. Nearly all of its features are Windows-specific; the 'pass-the-cache' command (kerberos::ptc) is the exception that reaches across platforms, because it imports a Kerberos credential cache file of the format used by Linux and Mac clients, so a ticket stolen from one of those systems can be replayed from a Windows host. Newer Windows versions are less exposed rather than impervious: Windows 8.1 and Windows 10 stopped caching WDigest plaintext passwords by default (the UseLogonCredential registry value), Windows 8.1 introduced LSA Protection (RunAsPPL), and Windows 10 Enterprise added Credential Guard, which isolates secrets in a virtualization-based container that sekurlsa cannot read. These controls reduce what Mimikatz recovers, not whether it runs. NTLM hashes and Kerberos tickets of logged-on users remain readable unless Credential Guard is on, an attacker with SYSTEM can re-enable WDigest caching by setting UseLogonCredential to 1 and waiting for the next logon, and DCSync never touches LSASS at all. Upgrading the OS therefore helps, but only as part of the hardening described next.

Cases of Mimikatz assisting with hacking operations include the campaigns of file-locking Trojans like the LockerGoga Ransomware and the DBGer Ransomware, which encrypt media for ransom, along with cryptocurrency-mining Trojans that run hardware at full load for the attacker's profit. Some routine measures blunt any of these attacks: limiting admin privileges (no domain admins logging on to workstations, unique local admin passwords, high-value accounts in the Protected Users group so their credentials are never cached), installing security patches that close the vulnerabilities used to gain the initial foothold, disabling WDigest plaintext caching and enabling LSA Protection and Credential Guard where the hardware allows it, and avoiding short, easily brute-forced passwords. PCs suspected of compromise should be disconnected from all networks and scanned by anti-malware products to remove Mimikatz and other Trojans immediately, followed by a reset of every credential that was cached on them.
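The three Windows settings that decide how much sekurlsa can recover from LSASS memory (WDigest plaintext caching, LSA Protection and Credential Guard) all live in the registry, so a fleet can be audited from 'reg export' output without running anything on the hosts. The script below is an added example for this article, not vendor or Mimikatz code. The key paths and value names are the real ones; the two exports it parses are constructed to show a weak and a hardened host, and the legacy_os switch captures the caveat that on Windows 7 and Server 2008 R2 the absence of UseLogonCredential still means plaintext caching, even after the KB2871997 update.

```python
"""Audit the LSA settings that decide what sekurlsa can recover from a host.

Added example for this article, not vendor or Mimikatz code. The .reg text
below is constructed to look like 'reg export' output: key paths and value
names are real, the values were chosen to show a weak and a hardened host.
"""
from typing import Dict, List, Optional, Tuple

# Registry keys that hold the settings, lower-cased for case-insensitive matching.
WDIGEST_KEY = r"hkey_local_machine\system\currentcontrolset\control\securityproviders\wdigest"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Collect the DWORD values from a regedit-v5 export, keyed by lower-cased path.

    Key names are case-insensitive in the registry, so comparing lower-cased
    paths avoids missing 'Control\\LSA' when an export spells it 'Control\\Lsa'.
    """
    values: Dict[str, Dict[str, int]] = {}
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            values.setdefault(key, {})
        elif key is not None and line.startswith('"') and "=dword:" in line:
            name, _, data = line.partition("=dword:")
            values[key][name.strip('"')] = int(data, 16)
    return values


def audit_lsa(values: Dict[str, Dict[str, int]], legacy_os: bool = False) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means the host is hardened.

    legacy_os=True means Windows 7 / Server 2008 R2, where KB2871997 added the
    UseLogonCredential switch but left plaintext caching on until it is set to 0.
    """
    findings: List[Tuple[str, str]] = []

    cred = values.get(WDIGEST_KEY, {}).get("UseLogonCredential")
    if cred == 1:
        findings.append(("high", "WDigest keeps plaintext passwords in LSASS (UseLogonCredential=1)"))
    elif cred is None and legacy_os:
        findings.append(("high", "UseLogonCredential is unset; on Windows 7/2008 R2 that still means plaintext caching"))

    lsa = values.get(LSA_KEY, {})
    # RunAsPPL: 1 = LSASS runs protected with a UEFI lock; 2 = protected, no lock (newer builds).
    if lsa.get("RunAsPPL", 0) not in (1, 2):
        findings.append(("medium", "LSA Protection is off (RunAsPPL unset); any process with SeDebugPrivilege can read LSASS"))
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock; 2 = without lock; 0/absent = off.
    if lsa.get("LsaCfgFlags", 0) not in (1, 2):
        findings.append(("medium", "Credential Guard is not enabled (LsaCfgFlags unset or 0); NTLM hashes and Kerberos keys stay readable in LSASS"))
    return findings


def audit_reg_export(text: str, legacy_os: bool = False) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse an export and audit it in one call."""
    return audit_lsa(parse_reg_export(text), legacy_os)


# Constructed exports for two hypothetical hosts.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000000
"""

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"RunAsPPL"=dword:00000001
"LsaCfgFlags"=dword:00000001
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit_reg_export(text) or "no findings")
```

A clean audit still does not mean sekurlsa fails on the host. LSA Protection only stops unsigned code; the signed mimikatz driver (mimidrv) can strip the protection wherever the attacker can load a kernel driver, which is why Credential Guard, which moves the secrets out of LSASS entirely, is the control that actually changes what Mimikatz returns.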

Mimikatz is to Trojan attacks what a sidearm is to open warfare: a fundamental tool that provides support after the main artillery does its damage. The difference is that, instead of taking lives, it takes passwords, with potentially just as threatening results.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Mimikatz may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
