Mimikatz is an open-source post-exploitation tool created by Benjamin Delpy in 2007, designed to extract credentials (passwords, NTLM hashes and Kerberos tickets) directly from the memory of the LSASS process on Windows systems. Since its public release it has become a standard pivot in any red team operation against Active Directory and, at the same time, one of the pieces most frequently seen in real intrusions investigated over the past decade.
This guide covers what Mimikatz actually does under the hood, the modules that appear again and again in post-exploitation reports (sekurlsa, lsadump, kerberos, crypto), how it fits into authorized red team operations, how a modern EDR or SIEM detects it, and which controls actually reduce blast radius once an attacker reaches the endpoint. It is written for blue teams, red teams and security leaders who need to understand the Mimikatz footprint without marketing fluff.
Mimikatz at a glance
- It has been the reference tool for dumping Windows credentials from memory for almost two decades.
- It works primarily against the LSASS process, where the operating system holds reusable authentication material.
- It enables Pass-the-Hash, Pass-the-Ticket, Golden Ticket, Silver Ticket and DCSync attacks without obvious network noise.
- Detection requires combining endpoint telemetry (Sysmon, EDR), Active Directory events and behavior-based rules.
- Effective mitigation relies on LSA Protection, Credential Guard, the tier model and removing legacy protocols.
What Is Mimikatz: Origin and Purpose
Mimikatz began in 2007 as a personal project of Benjamin Delpy, a French engineer known in the community as gentilkiwi. The origin was a demonstration: Delpy wanted to prove that the Windows WDigest security provider was holding plaintext passwords inside the operating system memory, something Microsoft considered acceptable for compatibility reasons. Publishing the tool turned a design detail into a massive operational risk and forced deep changes to the Windows credential model from Windows 8.1 and Server 2012 R2 onward.
The tool is dual by design. It is at once a research project documented on GitHub under gentilkiwi/mimikatz and a standard weapon in the arsenal of APT actors and ransomware operators. That ambiguity is not accidental: Delpy has publicly defended keeping the code open as a way of forcing vendors to fix the weaknesses of the credential model instead of hiding them.
Its industry penetration is significant. Mimikatz is integrated into Metasploit through the kiwi module of Meterpreter, ships embedded in Cobalt Strike as a built-in mimikatz command runnable inline from a Beacon, appears as a dependency or reference in frameworks like Empire, PoshC2, Brute Ratel and Sliver, and is periodically rewritten in other languages to evade signatures (Pypykatz in Python, SafetyKatz, Invoke-Mimikatz in PowerShell). Any serious red team consultancy assumes the client will see attempts to execute Mimikatz or its derivatives at some point during the engagement, and designs the exercise around that reality.
How It Works Technically: LSASS and WDigest
To understand Mimikatz you first need to understand how Windows stores reusable authentication material. The key component is LSASS (Local Security Authority Subsystem Service), the user-mode process that enforces local security policies, validates logon attempts and keeps credentials in memory so the operating system can provide single sign-on within the interactive user session.
When a user logs into a Windows machine, LSASS receives their credentials and stores them internally so that the Security Support Providers (SSPs) can reuse them without prompting again. Historical providers include NTLM, Kerberos, Digest, WDigest, CredSSP, TsPkg and LiveSSP. Some need only hashes, but others, notably WDigest before 2013, kept the cleartext password inside the process memory to support HTTP Digest authentication.
The historic shift came with KB2871997 and the changes introduced in Windows 8.1, Server 2012 R2 and later releases: WDigest became disabled by default, and the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential controls whether plaintext caching returns. In practice, a decade later, there are still legacy systems where WDigest remains enabled for compatibility or where an attacker with sufficient privileges re-enables it temporarily to force the user to re-authenticate and capture the cleartext password.
Even when WDigest is not the universal vector it was in 2014, LSASS still holds NTLM hashes, Kerberos keys (AES128, AES256 and RC4 keys derived from the password) and active TGT and TGS tickets in memory. Any process holding the SeDebugPrivilege right can open a handle to the LSASS process, read its memory and reconstruct those structures. That is exactly what Mimikatz does: it does not exploit a classic vulnerability, it abuses a documented design model.
Key Mimikatz Modules
Mimikatz is organized into modules invoked with the syntax module::command. The full list runs to dozens, but the modules below concentrate more than 90% of offensive and defensive use.
sekurlsa::logonpasswords
The best-known command. It reads LSASS memory and extracts, for every active session, NTLM hashes, Kerberos keys and, when WDigest is enabled, cleartext passwords for every user with an active session. Its typical output includes the interactive user of the machine, service accounts that have passed through the host and, on jump servers or terminal servers, dozens of reusable identities at the same time. Standard invocation with local administrator privileges:
privilege::debug
sekurlsa::logonpasswords
It is the first step in most lateral movement chains inside Active Directory.
sekurlsa::pth
Implements Pass-the-Hash. Given an NTLM hash extracted in the previous step, it launches a new process (typically cmd.exe or powershell.exe) impersonating that identity without knowing the cleartext password. It lets the attacker operate on the network as the compromised user against any service that accepts NTLM authentication (SMB, WMI, RDP in specific scenarios).
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:31d6cfe0d16ae931b73c59d7e0c089c0
One of the oldest techniques that still works in environments without proper segmentation.
sekurlsa::tickets
Dumps every Kerberos ticket held in LSASS memory, including active TGT and TGS for every session. The tickets are exported in .kirbi format and can be re-imported on another machine using kerberos::ptt to perform Pass-the-Ticket, impersonating the original ticket holder against Kerberos services until the ticket expires.
sekurlsa::tickets /export
Useful for escalating laterally without touching passwords, especially against service accounts whose NT hash is not trivial to crack but whose TGT lives in the memory of an accessible server.
lsadump::sam
Extracts the hashes of local accounts from the system's SAM (Security Account Manager). Requires SYSTEM to access the registry keys involved. It is typically the first step when a workstation is compromised: obtain the local administrator hash to reuse it across the rest of the estate when password rotation is inadequate (a problem LAPS solves when deployed correctly).
privilege::debug
token::elevate
lsadump::sam
lsadump::dcsync
Probably the most destructive command. It implements the MS-DRSR protocol and impersonates a domain controller to request credential replication. Starting from an account holding the Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes In Filtered Set privileges, it remotely downloads the NT hashes of any domain user, including krbtgt. It does not require running code on the DC nor leaving binaries on it.
lsadump::dcsync /domain:contoso.local /user:krbtgt
Obtaining the krbtgt hash enables Golden Tickets; obtaining the hash of any admin enables full compromise. This is the piece that turns a misconfigured ACL into a full domain takeover.
kerberos::golden
Forges a Golden Ticket: an arbitrary TGT signed with the NT hash of the krbtgt account. It allows the attacker to issue tickets as any user in the domain, with whatever group membership the attacker chooses, valid for up to ten years. If the krbtgt account is not rotated, a Golden Ticket issued today keeps working indefinitely.
kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-... /krbtgt:HASH /ticket:golden.kirbi
This is APT-grade domain persistence and the reason why double rotation of krbtgt every 6 to 12 months is a critical control.
kerberos::silver
Forges a Silver Ticket: an arbitrary TGS for a specific service, signed with the NT hash of the service account associated with the SPN. Unlike a Golden Ticket, a Silver Ticket does not touch the DC at use time, which makes it particularly stealthy. It only grants access to the service whose hash has been captured, but against an MSSQL instance or a critical share that may be enough.
kerberos::golden /service:cifs /target:fileserver01 /rc4:HASH /user:Administrator ...
Appears in silent persistence operations against sensitive services.
crypto::certificates
Extracts certificates and their private keys from the Windows store, including certificates marked as non-exportable. It has direct impact on internal PKI infrastructures: a captured machine authentication certificate or smart card certificate can be reused against any service that accepts it. Combined with misconfigured ADCS (the ESC1-ESC11 family of attacks), it opens escalation paths to Domain Admin without touching LSASS at all.
crypto::capi
crypto::certificates /export
Legitimate Use in Red Team and Pentesting
Mimikatz has clear legitimate use when executed inside an operation authorized in writing. Red team operations and internal pentests against Active Directory need to demonstrate the real impact of a compromise, and that means reproducing the same techniques an advanced attacker would use, including extracting credentials from endpoints compromised during the test.
The formal frameworks under which it appears are consistent. TIBER-EU and DORA TLPT for European financial entities require tests using realistic TTPs mapped to recent threat intelligence, and credential dumping with Mimikatz or its derivatives is catalogued in MITRE ATT&CK under T1003 OS Credential Dumping, sub-techniques T1003.001 LSASS Memory and T1003.006 DCSync, among others. Any serious exercise in European banking is going to touch those techniques.
Operational requirements when using Mimikatz legitimately are strict. There must be a signed contract with explicit scope over the authorized domains and machines, an agreed time window, a direct communication channel with the client to stop the operation if anything escalates out of control, preservation of logs of the tools used, and documented custody of the credentials extracted during the exercise (ideally encrypted and deleted after the report is delivered). Without those controls, running Mimikatz against third-party infrastructure, even to "demonstrate the problem", is a criminal offense under Article 197 bis of the Spanish Criminal Code and equivalent provisions across the European Union.
The line between legitimate and illegitimate use is not drawn by the tool. It is drawn by written authorization, scope and traceability.
Mimikatz in Real Attacks: APTs and Ransomware Operators
The catalogue of actors that have used Mimikatz in documented operations is long. APT28 (attributed to Russian GRU) and APT29 (attributed to Russian SVR) appear in public FBI and CISA reports using Mimikatz for lateral movement in intrusions against European and US government agencies. Lazarus Group (attributed to North Korea) has used it in campaigns against the financial and crypto-assets sector.
In the ransomware ecosystem, the use is essentially universal. Affiliates of Conti, LockBit, BlackCat/ALPHV, Royal, Black Basta and Akira documented by incident responders have used Mimikatz or variants as part of the standard playbook between initial access and payload deployment. The typical chain that appears in DFIR reports follows a repeated sequence: initial access via phishing or perimeter appliance exploitation, local escalation on the first endpoint, Mimikatz execution against LSASS to obtain additional credentials, Active Directory discovery with BloodHound, escalation to Domain Admin via DCSync or Golden Ticket, ransomware deployment across the entire domain.
The point worth emphasizing is that Mimikatz is rarely the initial vector. It is the multiplier. Defensive investment yields more by closing initial access and hardening post-exploitation than by chasing the mimikatz.exe binary with static signatures that any moderately competent operator evades in minutes.
Detection with EDR and SIEM
Modern Mimikatz detection is not built on finding the binary. It is built on chasing the behavior. The techniques below produce the most value in production:
- LSASS process handle access (Sysmon EventID 10 ProcessAccess). Any process opening lsass.exe with rights 0x1010 or 0x1410 is highly suspicious. It is the cleanest footprint of Mimikatz access to subsystem memory. Public Sigma rules (proc_access_win_lsass_dump.yml and derivatives) cover the pattern.
- MiniDumpWriteDump calls against lsass.exe. Modern variants do not use Mimikatz directly; instead they generate an LSASS memory dump using the legitimate Windows API (or a dumper such as Nanodump) and then process the .dmp offline with Pypykatz. Mature EDRs instrument that API and alert regardless of the binary invoking it.
- Cobalt Strike Beacon executing inline mimikatz. When a Beacon runs the built-in mimikatz command, the endpoint pattern includes reflective injection inside the Beacon process, LSASS access from an unexpected process (typically rundll32.exe or a LOLBAS binary) and outbound C2 traffic with characteristic timing. Cobalt Strike-specific EDR rules capture the combination.
- Mass enumeration of Kerberos tickets (anomalous Windows Event 4769). Sudden spikes of TGS requests from a single host toward many service accounts suggest Kerberoasting or enumeration prior to Silver Ticket usage. SIEM rules with per-user baselining detect the pattern.
- DCSync detection (Windows Event 4662 with Object Type GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2). Any account that is not a domain controller triggering that event against the domain object is performing replication, and that is almost always DCSync. One of the rules with fewest false positives against Mimikatz.
- AMSI signatures and bypass detection. Mimikatz and its PowerShell variants (Invoke-Mimikatz, SafetyKatz) usually attempt AMSI bypass before loading. Detecting the bypass pattern (manipulation of amsiInitFailed, in-memory patching of amsi.dll) is more effective than detecting the mimikatz string directly.
- Hunting for unexpected child processes of lsass.exe. LSASS should not spawn child processes in normal operation. Any child process is a clear sign of tampering.
- Behavior analytics over Active Directory. A workstation that suddenly queries the global catalog, enumerates privileged groups and requests TGS for sensitive service accounts is outside its normal profile. UEBA in the SIEM catches the pattern when static rules fall short.
Layered detection is the only one that holds up against serious operators. A single rule, no matter how good, gets evaded.
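As an added example (not code from the original post, from Mimikatz or from any Sigma rule), the following Python shows how the LSASS handle access, LSASS child process and DCSync rules above translate into detection logic run over sample Sysmon and Security log records. The process allowlist, the set of domain controller accounts and the sample events are constructed assumptions, and the medium-severity branch generalizes the 0x1010/0x1410 rule to any non-allowlisted read of LSASS memory.

```python
# Added example (not from the original post): detection logic for three Mimikatz
# footprints listed above, run over constructed records. Field names follow Sysmon
# (EID 10, EID 1) and the Security log (4662); allowlist and DC set are assumptions.
LSASS = r"c:\windows\system32\lsass.exe"
HIGH_RISK_ACCESS = {0x1010, 0x1410}  # GrantedAccess masks typical of sekurlsa reads
PROCESS_VM_READ = 0x0010
# Processes that legitimately read LSASS memory (assumption, tune per estate)
LSASS_READ_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
# Control access rights in the 4662 Properties field that DCSync requests
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

def detect_lsass_access(ev):
    """Sysmon EID 10: a non-allowlisted process opening LSASS with read rights."""
    if ev.get("EventID") != 10 or ev.get("TargetImage", "").lower() != LSASS:
        return None
    source = ev.get("SourceImage", "").lower()
    if source in LSASS_READ_ALLOWLIST:
        return None
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    if access in HIGH_RISK_ACCESS:
        return ("high", "lsass_access", source)
    if access & PROCESS_VM_READ:  # generalization: any VM_READ from an unknown process
        return ("medium", "lsass_access", source)
    return None

def detect_lsass_child(ev):
    """Sysmon EID 1: LSASS should never spawn a child process."""
    if ev.get("EventID") == 1 and ev.get("ParentImage", "").lower() == LSASS:
        return ("high", "lsass_child_process", ev.get("Image", "").lower())
    return None

def detect_dcsync(ev, dc_accounts):
    """Security 4662: replication rights requested by a principal that is not a DC."""
    if ev.get("EventID") != 4662:
        return None
    props = ev.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return None
    subject = ev.get("SubjectUserName", "")
    if subject.upper() in dc_accounts:
        return None
    return ("critical", "dcsync", subject)

def analyze(events, dc_accounts):
    """Return every (severity, rule, actor) alert raised over the event list."""
    alerts = []
    for ev in events:
        hits = (detect_lsass_access(ev), detect_lsass_child(ev),
                detect_dcsync(ev, dc_accounts))
        alerts.extend(h for h in hits if h)
    return alerts

# Constructed sample telemetry: a benign AV read, a sekurlsa-style read from
# rundll32.exe, a child of LSASS, benign DC-to-DC replication and a user DCSync.
DC_ACCOUNTS = {"DC01$", "DC02$"}
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]
```

Running `analyze(SAMPLE_EVENTS, DC_ACCOUNTS)` raises three alerts (the rundll32 read, the cmd.exe child and the jdoe DCSync) while the Defender read and the DC-to-DC replication stay silent.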
Effective Mitigation
The mitigations that actually reduce Mimikatz's blast radius are all documented and most of them ship at no additional cost with Windows licenses already paid for:
- LSA Protection (RunAsPPL). Enabling RunAsPPL in the registry turns LSASS into a Protected Process Light, which prevents any unsigned process from opening a read handle on its memory. Mimikatz without a specific bypass fails. Bypasses exist (vulnerable drivers, Mimikatz !+ with mimidrv.sys), but the bar rises noticeably.
- Credential Guard. Available from Windows 10 Enterprise and Server 2016, it isolates LSASS inside a virtualization-based container (VBS) managed by Hyper-V. NTLM credentials and TGTs live inside the enclave and are inaccessible from the operating system, even with SYSTEM. It is the strongest mitigation available against endpoint credential dumping.
- Remove the WDigest cache (KB2871997 and later). Make sure UseLogonCredential is set to 0 or absent, and monitor any change. Closes cleartext password capture from LSASS.
- Restrict SeDebugPrivilege. The debug privilege is what allows opening arbitrary handles against system processes. Reviewing the Debug programs policy and keeping it limited to strictly necessary administrators reduces the attack surface.
- Administrative tier model (T0, T1, T2). Strict separation between domain accounts (T0), server administration accounts (T1) and workstation administration accounts (T2). A domain administrator who never places their credential on a T2 endpoint leaves no reusable material that Mimikatz can extract from there.
- LAPS (Local Administrator Password Solution or modern Windows LAPS). Automatic rotation of unique local administrator passwords per machine. Turns classic Pass-the-Hash from a compromised workstation against the rest of the estate into an unworkable technique.
- Zero trust models on Active Directory. The Protected Users group forces Kerberos without RC4, disables NTLM and restricts delegation for included users. Authentication silos and authentication policies bind privileged credentials to specific hosts. Both drastically reduce what an extracted hash is worth.
- Attack surface reduction. Disable legacy protocols (NTLMv1, SMBv1, LLMNR, NBT-NS), enforce SMB signing and LDAP signing, and remove service accounts with weak SPN passwords. Closes the channels where an extracted hash gets reused.
No single control stands alone. Defense against Mimikatz is layered and depends as much on the endpoint as on the domain design.
Mimikatz Alternatives and Derivatives
The original mimikatz.exe binary has a signature in every EDR solution on the market, and any unmodified copy gets blocked before executing on a protected endpoint. This does not mean the problem is closed. The derivative ecosystem is wide:
- Pypykatz: pure Python reimplementation, frequent in operations where Python runs over WSL, on a Linux server with access to an LSASS dump, or as a library for exploitation frameworks.
- lsassy: client that dumps LSASS remotely using multiple techniques (procdump, comsvcs.dll, dllinject) and parses offline with Pypykatz.
- Nanodump: lightweight utility that generates LSASS dumps while evading most EDRs through techniques such as handle duplication, direct syscalls and process forks.
- SafetyKatz and Invoke-Mimikatz: PowerShell versions with built-in AMSI bypass.
- Full frameworks like Cobalt Strike, Brute Ratel and Sliver carry equivalent functionality natively without depending on the external binary.
The operational implication is clear: detecting and blocking the Mimikatz binary closes the clumsiest case, but the techniques are now commodity. Effective defense looks at LSASS behavior and replication traffic against DCs, not at the executable name.
Fit with Regulatory Frameworks
Mimikatz appears explicitly in several reference frameworks that apply to Spanish and European companies. In MITRE ATT&CK, the main technique is T1003 OS Credential Dumping with sub-techniques T1003.001 (LSASS Memory), T1003.002 (Security Account Manager), T1003.004 (LSA Secrets), T1003.005 (Cached Domain Credentials) and T1003.006 (DCSync). Any serious detection program measures coverage against those techniques with real telemetry, not assumptions.
Within the European regulatory framework, NIS2 (Article 21) requires technical and organizational measures for incident management, access control and identity management. An environment where Mimikatz works trivially because LSA Protection is disabled, Credential Guard is not deployed and there is no separation of privileged accounts will not pass a serious audit. ISO 27001:2022 covers it mainly under control A.5.16 Identity management and controls A.8.5 Secure authentication, A.8.7 Protection against malware and A.5.7 Threat intelligence, all relevant to supporting the defensive posture against credential dumping. For financial entities, DORA and the associated TLPT exercises include credential dumping in the mandatory TTP catalogue to simulate.
Demonstrating resistance to Mimikatz, not on paper but with recent technical evidence, is part of any mature compliance file under the frameworks above.
Frequently Asked Questions
Is it illegal to download Mimikatz?
Downloading the binary or source code from the public GitHub repository is not illegal in Spain or the European Union. The tool is published for research purposes and used daily in training, labs and offensive certifications. What is criminal, under Article 197 bis of the Spanish Criminal Code, is executing it against systems for which the operator has no written authorization from the owner. The boundary is not the file, it is the explicit authorization and the operation's scope.
Does Mimikatz work on fully patched Windows 11?
Yes, with caveats. Mimikatz still runs against current Windows 11 and Server 2022, but modern protections (LSA Protection, Credential Guard, VBS) block the classic LSASS modules when enabled. In environments without those protections active, behavior is practically identical to Windows 7. Specific bypasses for Credential Guard and RunAsPPL are publicly documented, but they raise the operational bar and the detection risk significantly.
What is the difference between Mimikatz and Pypykatz?
Mimikatz is the original, written in C, runs directly on Windows and needs interactive access to the system. Pypykatz is a pure Python reimplementation that parses LSASS structures from a memory dump (a .dmp file generated beforehand with any tool). Pypykatz allows offline credential processing, scripting and operation from Linux. Functionally they overlap broadly in sekurlsa and lsadump, although Mimikatz has more modules (notably interactive kerberos::golden and the entire crypto area).
Will my commercial EDR detect Mimikatz?
EDRs from Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, Palo Alto Cortex and similar vendors detect and block the standard Mimikatz binary and most known public variants. Behavior-based detection on LSASS access is also mature. What they do not reliably detect are ad-hoc obfuscated derivatives, dump techniques using direct syscalls, or operators with refined tradecraft. The real coverage level is only measured with purple team exercises that validate the rules against real TTPs.
Can I use Mimikatz in my own lab?
Yes, without restriction as long as the systems involved are owned by the user and isolated from production networks. Setting up an Active Directory domain on virtual machines and practicing sekurlsa::logonpasswords, DCSync and Golden Ticket is the standard way to learn. Public labs like Hack The Box and TryHackMe, and the environments of certifications such as OSCP, OSEP and CRTP, include Mimikatz as part of the syllabus and are legitimate ground.
How does Mimikatz relate to ransomware attacks?
Mimikatz appears almost systematically in the playbooks of modern ransomware affiliates such as Conti, LockBit, BlackCat, Royal or Akira. The typical chain: initial access via phishing or perimeter exploitation, local escalation, Mimikatz execution against LSASS to obtain additional credentials, domain discovery with BloodHound, escalation to Domain Admin via DCSync, payload deployment across the entire AD. Effectively closing credential dumping turns complete ransomware chains into intrusions contained to a single endpoint.
Related Resources
- Kerberos attacks in Active Directory: the context in which Mimikatz forges Golden Tickets, Silver Tickets and executes DCSync.
- What is red team: business guide: the type of operation within which Mimikatz is run with proper authorization.
- What is MITRE ATT&CK: the framework that catalogues T1003 OS Credential Dumping and its sub-techniques.
- What is PKI: the certificate context that Mimikatz can extract with crypto::certificates.
- What is EDR: the endpoint control that detects LSASS-related behavior.
- What is SIEM: the platform where the relevant 4662, 4769 and Sysmon EID 10 events are centralized.
- What is ethical hacking: the professional framework under which tools like Mimikatz are used legitimately.
Validate Defensive Posture with Secra
At Secra we run adversarial audits over Active Directory focused on credential dumping and lateral movement: simulation of real TTPs with Mimikatz, Cobalt Strike and modern derivatives in previously authorized environments, purple team validation of detections on LSASS and DCSync, review of LSA Protection and Credential Guard deployment, audit of the administrative tier model and full mapping of findings to MITRE ATT&CK with prioritized remediation. If your organization wants to measure today how costly it would be for an attacker holding a compromised endpoint to reach Domain Admin, or needs to evidence resistance to credential dumping for NIS2, DORA or ISO 27001:2022, get in touch through our contact page.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.