Security Experts:

The ‘Katz’ Out of the Bag: Catching Mimikatz With Anomaly Detection

Mimikatz Has Become a Lethal Weapon for Attackers Seeking to Move Laterally Inside Corporate and Government Networks

The origin story of Mimikatz — a post-exploitation module that has enabled criminals to steal millions of passwords around the world — reads like an over-the-top spy thriller. It began in 2011, when famed French programmer Benjamin Delpy re-entered his room at the President Hotel in Moscow to find a dark-suited stranger hastily typing away at his laptop. The man’s target was the subject of the presentation Delpy had come to Moscow to deliver: an early version of the powerful hacking program Delpy had named, quite misleadingly, after the French slang for “cute cats." Yet the thief, who fled the room before Delpy could react, had failed to bypass the laptop’s login screen to steal Mimikatz.

The next year, Delpy returned to Moscow to speak at another conference, under the mistaken impression that state-sponsored attackers must have already learned how Mimikatz worked. The moment Delpy finished his talk, however, another dark-suited man accosted him and demanded a copy of Mimikatz on a USB drive. After handing over the USB, Delpy immediately released his code to the public, believing that defenders should understand the program that criminals were likely to use against them. Just like that, the cat was out of the bag.

Unlocking the password — for everything

Originally created by Delpy to highlight security flaws in Windows authentication mechanisms, today Mimikatz is a staple in the arsenal of cyber-criminals. Facilitating lateral movement across a victim’s network, Mimikatz was a primary feature of the global ransomware attacks NotPetya and BadRabbit, in addition to the alleged Russian hacking of the German parliament in 2015 and 2017. 

Among the primary vulnerabilities that Mimikatz exploits is Windows’ Local Security Authority Subsystem Service (LSASS). Designed to prevent users from having to reauthenticate each time they seek to access internal resources, LSASS works by keeping a cache of every credential used since the last boot. Despite its clear utility, LSASS presents a significant security risk thanks to Mimikatz, which plunders its cache to allow criminals to access all of these passwords in cleartext. 

Dumping LSASS memory is just one method that Mimikatz and its many updated versions employ to harvest credentials. Once malware such as NotPetya has established itself on a single device, the Mimikatz module can exploit a variety of security flaws to obtain the password information for any other users or computers that have logged onto that machine: the critical first step for both lateral movement and privilege escalation. And, as is common among successful hacker tools, Mimikatz has inspired the creation of other programs with similar functionality.

Ending the cat-and-mouse game

At the most basic level, security teams can reduce vulnerability to Mimikatz —  and to lateral movement more generally — by ensuring that each user has the minimum amount of privileges needed for his or her role. But while this measure is certainly prudent, it will not always be effective, especially when dealing with sophisticated threats. Another strategy is to implement endpoint security tools and anti-virus software, which rely on rules and signatures to detect known Mimikatz variants. However, as Mimikatz and its copycats continue to evolve, these traditional tools are locked in a ceaseless cat-and-mouse game, unable to spot unknown variants of Mimikatz specifically designed to circumvent them.

As a fundamentally different approach to cyber defense, artificially intelligent security systems avoid this cat-and-mouse game by learning what constitutes normal behavior for the users and devices they safeguard. This approach alerts security teams to any anomalous activity, catching both known and unknown threats at their earliest stages. For instance, lateral movement involving Mimikatz is typically accompanied by a spike in unusual SMB activity, which advanced AI security tools flag as threatening without being programmed to do so in advance. By the time traditional tools become proficient at spotting this variant of Mimikatz, cyber-criminals will have inevitably revised their tactics.

Since its introduction to the cyber-threat landscape, Mimikatz has become a lethal weapon for attackers seeking to move laterally inside corporate and government networks. Much like the dark-suited agents who originally stole Mimikatz, the criminals who deploy it today will continue to evolve their tactics to achieve their malicious aims, highlighting the need for equally adaptable defenses to thwart Mimikatz and its copycats alike.

view counter
Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. With over 10 years of experience in cyber defense, Fier has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Fier is a highly-skilled technical officer, and a specialist in cyber operations across both offensive and defensive arenas.