Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

The ‘Katz’ Out of the Bag: Catching Mimikatz With Anomaly Detection

Mimikatz Has Become a Lethal Weapon for Attackers Seeking to Move Laterally Inside Corporate and Government Networks

Mimikatz Has Become a Lethal Weapon for Attackers Seeking to Move Laterally Inside Corporate and Government Networks

The origin story of Mimikatz — a post-exploitation module that has enabled criminals to steal millions of passwords around the world — reads like an over-the-top spy thriller. It began in 2011, when famed French programmer Benjamin Delpy re-entered his room at the President Hotel in Moscow to find a dark-suited stranger hastily typing away at his laptop. The man’s target was the subject of the presentation Delpy had come to Moscow to deliver: an early version of the powerful hacking program Delpy had named, quite misleadingly, after the French slang for “cute cats.” Yet the thief, who fled the room before Delpy could react, had failed to bypass the laptop’s login screen to steal Mimikatz.

The next year, Delpy returned to Moscow to speak at another conference, under the mistaken impression that state-sponsored attackers must have already learned how Mimikatz worked. The moment Delpy finished his talk, however, another dark-suited man accosted him and demanded a copy of Mimikatz on a USB drive. After handing over the USB, Delpy immediately released his code to the public, believing that defenders should understand the program that criminals were likely to use against them. Just like that, the cat was out of the bag.

Unlocking the password — for everything

Originally created by Delpy to highlight security flaws in Windows authentication mechanisms, today Mimikatz is a staple in the arsenal of cyber-criminals. Facilitating lateral movement across a victim’s network, Mimikatz was a primary feature of the global ransomware attacks NotPetya and BadRabbit, in addition to the alleged Russian hacking of the German parliament in 2015 and 2017. 

Among the primary vulnerabilities that Mimikatz exploits is Windows’ Local Security Authority Subsystem Service (LSASS). Designed to prevent users from having to reauthenticate each time they seek to access internal resources, LSASS works by keeping a cache of every credential used since the last boot. Despite its clear utility, LSASS presents a significant security risk thanks to Mimikatz, which plunders its cache to allow criminals to access all of these passwords in cleartext. 

Dumping LSASS memory is just one method that Mimikatz and its many updated versions employ to harvest credentials. Once malware such as NotPetya has established itself on a single device, the Mimikatz module can exploit a variety of security flaws to obtain the password information for any other users or computers that have logged onto that machine: the critical first step for both lateral movement and privilege escalation. And, as is common among successful hacker tools, Mimikatz has inspired the creation of other programs with similar functionality.

Advertisement. Scroll to continue reading.

Ending the cat-and-mouse game

At the most basic level, security teams can reduce vulnerability to Mimikatz —  and to lateral movement more generally — by ensuring that each user has the minimum amount of privileges needed for his or her role. But while this measure is certainly prudent, it will not always be effective, especially when dealing with sophisticated threats. Another strategy is to implement endpoint security tools and anti-virus software, which rely on rules and signatures to detect known Mimikatz variants. However, as Mimikatz and its copycats continue to evolve, these traditional tools are locked in a ceaseless cat-and-mouse game, unable to spot unknown variants of Mimikatz specifically designed to circumvent them.

As a fundamentally different approach to cyber defense, artificially intelligent security systems avoid this cat-and-mouse game by learning what constitutes normal behavior for the users and devices they safeguard. This approach alerts security teams to any anomalous activity, catching both known and unknown threats at their earliest stages. For instance, lateral movement involving Mimikatz is typically accompanied by a spike in unusual SMB activity, which advanced AI security tools flag as threatening without being programmed to do so in advance. By the time traditional tools become proficient at spotting this variant of Mimikatz, cyber-criminals will have inevitably revised their tactics.

Since its introduction to the cyber-threat landscape, Mimikatz has become a lethal weapon for attackers seeking to move laterally inside corporate and government networks. Much like the dark-suited agents who originally stole Mimikatz, the criminals who deploy it today will continue to evolve their tactics to achieve their malicious aims, highlighting the need for equally adaptable defenses to thwart Mimikatz and its copycats alike.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...