Mimikatz - Why Hackers Prefer this Post-Exploitation Tool

Mimikatz is a powerful tool used to retrieve cleartext passwords, along with password hashes, from memory. Cybercriminals widely use this post-exploitation tool for lateral movement within a network. Recently, the FBI and CISA released a joint alert against threat actors using Mimikatz to obtain login credentials from internet-facing domain controllers.

What happened?

In recent attacks, cybercriminals have been observed abusing Mimikatz to target state and federal agencies with weak or default credentials.
  • Researchers compiled data on 129 open-source offensive hacking tools and searched them with malware samples. They discovered that Mimikatz is mostly used for lateral movement.
  • A few weeks ago, TA505 APT compiled a version of the Mimikatz tool using the Microsoft Build Engine (MSBuild.Exe) that included exploit code for the ZeroLogon vulnerability (CVE-2020-1472).

How does it work?

  • The tool takes advantage of Windows Single Sign-On (SSO) functionality to collect credentials. In earlier versions of Windows 10, it exploited the WDigest feature by dumping memory and obtaining the passwords. 
  • This tool provides the ability to perform credential-gathering techniques, such as Pass-the-Hash/Ticket/Cache, Kerberos Golden/Silver Ticket, and Over-Pass the Hash.

Damage tracking

In early October, researchers developed techniques to chart how cybercriminals make use of offensive security tools. The chart shows the threat actors’ tendency for open-source offensive toolkits, such as Mimikatz and Metasploit.

Conclusion

This tool is primarily developed for penetration testers but is widely used by cybercriminals for malicious purposes. In order to defend against such attacks, users are recommended to harden the local security authority, turn off debug privileges, upgrade to the latest OS, and ensure each Windows box has a unique admin password.