Mimikatz
Mimikatz is a widely used open-source post-exploitation and credential access tool for Windows that is repeatedly referenced in the content as being used to dump credentials from LSASS memory, including via the sekurlsa::logonpasswords function. The content also references additional Mimikatz capabilities including pass-the-hash, pass-the-ticket, Golden Ticket abuse, DCSync (lsadump::dcsync), token elevation, and patching Remote Desktop with ts::multirdp. It is used both as a red-team tool and by threat actors in real intrusions.
The content directly associates Mimikatz with credential dumping from LSASS (MITRE ATT&CK T1003/T1003.001), often requiring administrative or SYSTEM privileges. Multiple examples show execution as mimikatz.exe, reflective or in-memory loading through PowerShell scripts, and use in lab, detection, and intrusion scenarios. Defenders are advised in the content to monitor Sysmon Process Access events involving lsass.exe, suspicious strings such as mimikatz, and related process chains.
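The Sysmon guidance above can be turned into a concrete check. The following is an added example, not code from the page or from the Mimikatz project: it parses constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to key=value lines as a SIEM might forward them, and flags accesses to lsass.exe that either come from an image whose name contains the string mimikatz or that request the PROCESS_VM_READ right (0x10, the real Windows access right needed to read another process's memory, which covers the PowerShell in-memory loaders the page mentions). The log line shape, the sample paths and the hex access masks are assumptions made for this example.

```python
import re

# Constructed Sysmon Event ID 10 (ProcessAccess) records for this example.
# Paths and access masks are made up; they are not from any real incident.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\lab\\Downloads\\mimikatz.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff",
    "EventID=10 SourceImage=C:\\Tools\\procexp64.exe "
    "TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1fffff",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
]

PROCESS_VM_READ = 0x0010          # Windows access right: read another process's memory
SUSPICIOUS_SUBSTRINGS = ("mimikatz",)  # string named on the page; extend with local intel
_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened key=value event line (assumed log shape) into a dict."""
    return dict(_FIELD_RE.findall(line))


def lsass_access_findings(events):
    """Return one finding per Sysmon ProcessAccess event that targets lsass.exe
    and either comes from a suspiciously named image or requests memory-read
    access. Benign readers (EDR, AV, diagnostics) must be allowlisted in
    production; this example has no allowlist."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        target = ev.get("TargetImage", "").lower()
        if not target.endswith("\\lsass.exe"):
            continue
        source = ev.get("SourceImage", "").lower()
        granted = int(ev.get("GrantedAccess", "0"), 16)
        reasons = []
        if any(s in source for s in SUSPICIOUS_SUBSTRINGS):
            reasons.append("source image name matches a known tool string")
        if granted & PROCESS_VM_READ:
            reasons.append("PROCESS_VM_READ (0x10) requested on lsass.exe")
        if reasons:
            findings.append(
                {"source": ev["SourceImage"], "granted": hex(granted), "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in lsass_access_findings(SAMPLE_EVENTS):
        print(f"{f['source']} -> lsass.exe ({f['granted']}): {'; '.join(f['reasons'])}")
```

On the constructed input the svchost.exe access (0x1000, query-limited-information only) is ignored, while the mimikatz.exe and powershell.exe accesses are reported; the access-mask test is what catches renamed binaries, which the page notes attackers use, so it should be the primary signal and the name match only a secondary one.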
Threat activity in the content links Mimikatz to several actors and campaigns. Palo Alto Networks Unit 42 reported that the Chinese-speaking cluster CL-STA-1062, overlapping with Cisco Talos' UAT-7237, used Mimikatz alongside SoftEther VPN, VNT, Yuze, and JuicyPotato while targeting Southeast Asian government entities and state-owned energy infrastructure from at least 2022 through 2025. Symantec also described a small opportunistic cybercrime operation in which attackers used PowerShell-delivered Mimikatz variants to dump credentials after PsExec-based access. The Makop ransomware gang is also described as using Mimikatz as part of its intrusion toolkit.
The content also describes a modified embedded Mimikatz payload delivered through DLL search order hijacking: a malicious MSVCR100.dll loaded by Oracle-signed unpack200.exe decrypted and launched a modified Mimikatz 2.1.1 instance for credential theft. In that case, the malware authors removed the standard banner and changed the command-line output string from mimikatz (command line) to bing (command line) to reduce obvious detection.
High-confidence indicators and artifacts directly mentioned in the content include the executable name mimikatz.exe, common command strings such as privilege::debug sekurlsa::logonpasswords, sekurlsa::pth, lsadump::dcsync, and ts::multirdp, and the modified output string bing (command line) in the unpack200/MSVCR100.dll case.
Vulnerabilities exploited
15 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
In May 2022, the Cybersecurity and Infrastructure Security Agency (CISA) reported that a Russian state-sponsored group was exploiting PrintNightmare, CVE-2021-34527. This exploit enabled the threat actor to access cloud and email accounts and exfiltrate documents. CISA lists this CVE in its Known Exploited Vulnerabilities catalog.
Security researchers, including Unit 42, have documented the use of coercion tools such as PetitPotam (CVE-2021-36942) in actual attacks. Microsoft has issued security advisories acknowledging the exploitation potential of this CVE.
Latest commit gentilkiwi [new] mimikatz lsadump::postzerologon, to reinit DC password both in …
Kaspersky researchers revealed ... the attackers exploit Internet-exposed Fortigate SSL VPN servers unpatched against the CVE-2018-13379 vulnerability ... The FBI and CISA warned ... APT actors scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379 exploits ... Fortinet also warned customers to patch their appliances against the CVE-2018-13379 ... "CVE-2018-13379 is an old vulnerability resolved in May 2019"
Earth Longzhi reimplemented some modules of Mimikatz ... as standalone binaries. ... We call this technique "Bring-Your-Own Mimikatz."
Rapid7’s Incident Response (IR) team was engaged to investigate an incident involving exploitation of CVE-2025-59718 against a vulnerable FortiGate appliance. In December 2025, Fortinet disclosed this improper verification of cryptographic signature vulnerability that facilitates an SSO login bypass on affected appliances.
Threat actors are suspected to be exploiting a maximum-severity security flaw impacting Quest KACE Systems Management Appliance (SMA) ... malicious activity ... consistent with the exploitation of CVE-2025-32975 on unpatched SMA systems exposed to the internet. CVE-2025-32975 (CVSS score: 10.0) refers to an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials.
Previously, Eset reported that about five APT groups have been exploiting the four Exchange vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 | "...installed a variety of Mimikatz malware, which is used as a post-exploitation tool to steal passwords from memory..."
"...installed a variety of Mimikatz malware, which is used as a post-exploitation tool to steal passwords from memory..." | Previously, Eset reported that about five APT groups have been exploiting the four Exchange vulnerabilities - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 ... Security firm Volexity spotted hackers targeting Exchange servers on Jan. 3, when it saw CVE-2021-26855 being exploited.
Attackers combine this with credential theft (Mimikatz/Pypykatz), lateral movement (Cobalt Strike, SystemBC), and backup destruction to maximize impact and enable double-extortion.
This analytic story covers attacks exploiting CVE-2024-4577, a remote code execution (RCE) vulnerability in the PHP-CGI implementation on Windows. Attackers leverage this vulnerability to gain initial access, deploy Cobalt Strike using the "TaoWu" kit for post-exploitation activities, and establish persistence.
Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application.
"...a threat actor exploited the CVE-2022-40684 vulnerability to bypass authentication on the organization’s Fortinet VPN and gain initial access. Using various Windows tools and services, including smbexec.py from the Impacket toolkit, the attacker executed commands and moved laterally across the network."
Groups observed using it
63 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
While they frequently use common open-source tools such as SoftEther VPN, Mimikatz, and VNT, they have recently introduced TinyRCT, a bespoke, previously undocumented backdoor.
Subsequently, the attacker used Mimikatz to dump credential information (LSASS Memory, T1003.001).
FIN7 and Carbanak abused ProcDump to dump LSASS memory ▸ PowerShell Mimikatz scripts also widely used
Along with the classical abuse of Microsoft SysInternal tools such as PsExec and other well-known open-source tools such as Putty and the never-missing Mimikatz, during recent operations, Makop abused even more peculiar software.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
3 techniques
The attacker has used multiple techniques, from downloading and executing malicious PowerShell scripts to attempting to dump credentials and gaining access via Remote Desktop.
Persistence
2 techniques
Privilege Escalation
4 techniques
After executing the chain, we get a beacon back with our process injected into RuntimeBroker.exe
The DragonForce ransomware group initially infiltrated the victim system network via a remote desktop server and attempted persistent logins using valid domain accounts (Domain Accounts, T1078.002).
token::elevate privilege::debug sekurlsa::pth /user:administrator /domain:thm.loc /ntlm:2508e1ce9cfcfe1011a74c34297b05ea /run:PowerShell
This final example captures a DCSync attack through monitoring events in the Microsoft-Windows-RPC ETW Provider. The logs clearly identify the mimikatz process as the RPC client executing the GetNCChanges method—the RPC method call used in DCSync operations.
Stealth
9 techniques
Submitting that to VirusTotal drops it down from 48 to 29... Obviously submitting a binary to VirusTotal and running it against the AV are two entirely different things, but I thought this was interesting enough to share.
They routinely use SoftEther VPN, Mimikatz, and VNT for tunneling and credential theft, often disguising these tools as legitimate VMware executables or trusted system processes.
Now I’ll remove some properties with Visual Studio Community Edition... First the icon file. I’ve read some AVs detect based on the image alone. I can remove it or put in a new image... When I look at the version information there are all kinds of detection opportunity strings in here... An attacker can modify these and put in a new file altogether.
The problem was that all the *.exes I had on Kali were things like Rubeus and Mimikatz, hence Windows Defender deleted them before AppLocker could even begin to do its job.
Defense Impairment
2 techniques
Credential Access
8 techniques
CL-STA-1062 employs a hybrid toolkit, combining open-source tools like SoftEther VPN, Mimikatz, and VNT...
Subsequently, the attacker used Mimikatz to dump credential information (LSASS Memory, T1003.001) and collected Active Directory configuration...
Once the upgrade is achieved, you can use the module lsadump to pull the credentials from SAM. Command to Export SAM Credentials: lsadump::sam
This next command definitely confirms that they are targeting credentials on this machine. Let’s check what MITRE says about the NTDS.dit. OS Credential Dumping: NTDS, Sub-technique T1003.003
Once you've done that, you can export LSA data by running the command: lsadump::lsa /inject This command will allow you to extract credentials and other relevant information from the LSA.
I then used my newly created thm\Mishky account to run secretsdump and DCSync the domain. /usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc Mishky:Password123@192.168.11.100 ... Alternatively you can simply copy/paste mimikatz ... lsadump::dcsync /domain:thm.loc /all
Lateral Movement
3 techniques
You use this information to authenticate to other machines or network resources by creating golden tickets or performing attacks such as pass-the-hash (PtH) and over-pass-the-hash (pass-the-key).
Collection
1 technique
Command and Control
1 technique
IOCs tracked for this family
54 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An offensive post-exploitation tool used as part of the group's hybrid toolkit during intrusions.
Post-exploitation tool included in the actor's hybrid toolkit; the content only notes its use alongside other tools by the threat actor.
An offensive post-exploitation tool used by the threat group as part of its toolkit, commonly associated with credential theft and privilege escalation activities.
An open-source post-exploitation tool used by the attackers as part of their hybrid toolkit.