How Hackers Use Mimikatz to Steal Crypto and Bank Credentials

Ever get an alert that someone accessed your email? Feel uneasy using your crypto wallet?

Hackers often use tools like Mimikatz to steal passwords and break into financial accounts—without you even knowing. This article breaks down how they do it, and how you can protect yourself.

What Is Mimikatz?

Mimikatz is an open-source post-exploitation tool used to extract passwords and other credentials that Microsoft Windows keeps in memory. It was developed by the French programmer Benjamin Delpy. The name comes from French slang and roughly means "cute cats".

Who Is Benjamin Delpy?

Benjamin Delpy is a French programmer who created Mimikatz and is well known for discovering a flaw in Windows that stores both an encrypted copy of a password and the key to decipher it in memory at the same time. He contacted Microsoft in 2011 to point out the flaw, but Microsoft responded that exploiting it would require an already compromised machine.

Delpy realized that the flaw could be used to gain access to non-compromised machines on the same network from an already compromised one. He released the first version in May 2011 as closed-source software. Later that year, in September 2011, the tool was used in the DigiNotar hack to steal credential information.

Why Mimikatz Is Still Relevant in 2025

Mimikatz is still used in 2025 because it works on many Windows systems that haven’t been fully secured. Even though Microsoft has added new protections, many organizations still store passwords in memory in ways that Mimikatz can access.

Hackers use it to move through networks and get higher-level access. Security testers also use it to check how well systems are protected. Its ability to extract real login data makes it valuable for both attackers and defenders.

Features of Mimikatz

Mimikatz has several powerful features that make it one of the most widely used tools in both ethical hacking and real cyberattacks.

Here’s what it can do:

Gets Plain Text Passwords from Memory

It can find and extract real, readable passwords that are stored in a computer’s memory (RAM) after a user logs in.

This makes it easy for attackers to steal login credentials without needing to guess them.

Reads NTLM Hashes and Kerberos Tickets

Instead of just passwords, Mimikatz can also grab NTLM password hashes and Kerberos tickets. These are special forms of login data used by Windows systems. Hackers can use them to pretend to be a user and log in without knowing the actual password.

Can Run Pass-the-Hash and Pass-the-Ticket Attacks

Mimikatz supports two well-known attack methods:

  • Pass-the-Hash (PtH) lets an attacker use a password hash to access other systems.
  • Pass-the-Ticket (PtT) uses a stolen Kerberos ticket to gain access without needing the original login.

Both attacks help hackers move from one computer to another inside a network.

Performs Overpass-the-Hash

This feature allows Mimikatz to take a user’s hash and create a Kerberos ticket to log into services. It’s another way for attackers to get into secure systems by faking trusted login data.

Runs DCSync to Pull Credentials from Active Directory

DCSync is a powerful feature that makes Mimikatz act like a domain controller. This lets it request and steal usernames, password hashes, and other data directly from Active Directory, which manages all user logins in a Windows network.

Works with Tools Like Metasploit and Cobalt Strike

Mimikatz can be combined with other hacking and penetration testing tools like Metasploit and Cobalt Strike. This makes it even more flexible during attacks or red team simulations, allowing attackers to automate and scale credential theft.

How Mimikatz Works

Mimikatz looks at a part of Windows called LSASS, which holds login information in memory. When a user logs into a Windows computer, the system saves their password or token in memory so it can reuse it. Mimikatz reads this memory and pulls out the passwords or other data. That’s how it helps attackers get into other computers on the same network.

Credential Dumping Explained

Credential dumping means taking saved login details from a computer’s memory. Windows often keeps user data in RAM to make logins faster.

Mimikatz can find and copy this data. Hackers use it to log in as other users or move through a company’s systems. It’s one of the first things attackers do after getting access to a computer.

An Interesting Fact About Mimikatz

Mimikatz was even shown in the TV series Mr. Robot. In Season 2, Episode 9, the character Angela Moss uses Mimikatz from a USB stick to steal her boss’s Windows domain password. This scene is based on real hacking techniques and shows how tools like Mimikatz are used in real-world cyber attacks.

Exploiting Windows Security Flaws

Mimikatz works by taking advantage of how Windows stores credentials in memory. Normally, passwords and login data should be protected, but Windows often keeps them in RAM during a session.

Mimikatz uses this weakness to pull out plaintext passwords, hashes, and Kerberos tickets. These are the same flaws that Benjamin Delpy discovered when he first created the tool.

Even though Microsoft has added some security improvements, these core memory handling flaws still exist in many systems today, making them a target for attackers.

Mimikatz in Financial and Crypto Attacks

How Hackers Target Crypto Wallets

Hackers use Mimikatz to extract login credentials that give them access to crypto wallets, especially when those wallets are accessed through web browsers, desktop apps, or exchanges.

If a machine is compromised and the wallet is logged in, Mimikatz can pull saved passwords or session tokens directly from memory. This allows attackers to steal funds or transfer assets without needing to break encryption.

Attacks on Banking Credentials and Online Accounts

In financial cyberattacks, Mimikatz helps hackers steal login details for online banking portals, payment platforms, or corporate finance tools.

Once inside a machine, the attacker can extract passwords stored in memory and use them to log in from other locations. Because Mimikatz can retrieve credentials without the user knowing, it’s often used in silent, targeted attacks that bypass two-factor authentication if sessions are already active.

Real-World Breaches Involving Mimikatz

Mimikatz has been linked to many real cyberattacks, including ransomware campaigns, APT (Advanced Persistent Threat) operations, and nation-state espionage. One early example was its use in the DigiNotar hack in 2011.

Later, Mimikatz was found in WannaCry, NotPetya, and TrickBot campaigns. These attacks targeted both public and private sectors and often involved financial damage or data theft.

How to Detect Mimikatz on Your Systems

Detecting Mimikatz can be tricky because it often runs in-memory and leaves few traces. However, you can look for signs such as:

  • Unusual access to LSASS.exe
  • Sudden creation of Kerberos tickets
  • Suspicious PowerShell commands or DLL injections

Using Windows Event Logs, Sysmon, and SIEM tools can help spot these signs early.
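As an added illustration of the first sign above (example code written for this page, not from the article or the Mimikatz project): a small Python check that walks Sysmon Event ID 10 (ProcessAccess) messages and flags any process outside an assumed baseline that obtains read access to lsass.exe memory. The baseline list and the two sample events are constructed for the demo.

```python
# Win32 process access rights (documented constants). Reading another process's
# memory, which dumping credentials out of LSASS requires, needs PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010

# Assumed baseline of Windows components that routinely open lsass.exe. This is
# an example list for the demo, not a vendor-published standard; tune it per host.
KNOWN_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

def parse_sysmon_event(text):
    """Turn the 'Key: Value' lines of a Sysmon Event ID 10 message into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def assess_lsass_access(fields):
    """Return the reasons a ProcessAccess event looks like LSASS memory reading ([] if benign)."""
    if not fields.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return []
    access = int(fields.get("GrantedAccess", "0x0"), 16)
    source = fields.get("SourceImage", "").lower()
    if not (access & PROCESS_VM_READ) or source in KNOWN_LSASS_READERS:
        return []
    reasons = [f"{source} got PROCESS_VM_READ on lsass.exe (0x{access:x}) and is outside the baseline"]
    if "UNKNOWN" in fields.get("CallTrace", ""):
        reasons.append("call trace passes through unbacked (UNKNOWN) memory, typical of injected code")
    return reasons

def scan(events):
    """Run the check over raw event messages; return {UtcTime: reasons} for hits only."""
    checked = ((f.get("UtcTime", "?"), assess_lsass_access(f)) for f in map(parse_sysmon_event, events))
    return {when: reasons for when, reasons in checked if reasons}

# Constructed sample events (not real telemetry): one benign, one suspicious.
SAMPLE_EVENTS = [
    "UtcTime: 2025-01-10 09:12:03.511\nSourceImage: C:\\Windows\\system32\\services.exe\n"
    "TargetImage: C:\\Windows\\system32\\lsass.exe\nGrantedAccess: 0x1000\n"
    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4",
    "UtcTime: 2025-01-10 09:14:47.020\nSourceImage: C:\\Users\\Public\\update.exe\n"
    "TargetImage: C:\\Windows\\system32\\lsass.exe\nGrantedAccess: 0x1010\n"
    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|UNKNOWN(000001D2A4B0C000)",
]
```

Calling `scan(SAMPLE_EVENTS)` returns only the second event, keyed by its UtcTime, with two reasons; the benign services.exe query (0x1000, no VM_READ bit) is ignored.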

EDR and AI Tools That Defend Against Credential Theft

Modern EDR (Endpoint Detection and Response) tools and AI-powered threat detection systems can stop Mimikatz by analyzing behavior patterns.

These tools don’t just rely on file signatures—they watch how processes behave. If a tool tries to read memory or access LSASS, it triggers alerts or gets blocked. Many EDR solutions now have built-in rules specifically for detecting Mimikatz techniques.

Best Practices for Securing Crypto and Bank Accounts

To protect your credentials from Mimikatz attacks:

  • Use strong passwords and avoid reusing them
  • Enable multi-factor authentication (MFA)
  • Keep your system updated with the latest Windows patches
  • Disable WDigest, which allows passwords to be stored in plaintext
  • Limit admin privileges, and avoid logging into critical systems with high-privilege accounts unless necessary

For crypto users, consider using hardware wallets and avoid keeping your credentials saved in browsers or memory where they can be extracted.

Conclusion

Mimikatz is a widely used cybersecurity tool known for extracting credentials from memory, making it a major threat in both offensive and defensive operations. In financial and crypto spaces, where stolen credentials can cause serious losses, understanding and defending against Mimikatz is critical. Effective protection requires more than antivirus—proactive measures like system hardening and strong credential management are essential.

FAQs About Mimikatz

What Is Mimikatz?

Mimikatz is a post-exploitation tool used to extract credentials from Microsoft Windows systems. It pulls passwords, hashes, and Kerberos tickets directly from memory, making it useful for attackers after they gain initial access to a device.

Who Created Mimikatz and Why?

Mimikatz was developed by Benjamin Delpy, a French programmer, in 2011. He created it to demonstrate a security flaw in Windows where both encrypted passwords and their decryption keys were stored together in memory. His goal was to raise awareness—not to support malicious activity.

What Can Mimikatz Do?

Mimikatz can:

  • Extract plain text passwords and password hashes
  • Steal Kerberos tickets and perform ticket-based attacks
  • Simulate a domain controller to dump credentials from Active Directory (DCSync)
  • Support lateral movement and privilege escalation inside networks

These functions make it highly effective for testing system defenses—but also dangerous when used by attackers.

Is Mimikatz Still a Threat?

Yes. Despite Microsoft’s efforts to reduce its effectiveness, Mimikatz is still a serious threat. It remains compatible with many systems and is often used in modern cyberattacks, especially during the lateral movement phase. Many attackers also use modified versions that are harder to detect.

How Do You Defend Against Mimikatz?

To defend against Mimikatz:

  • Disable WDigest and unnecessary legacy protocols
  • Use Endpoint Detection and Response (EDR) tools that detect behavior, not just file signatures
  • Limit administrative access and apply least privilege policies
  • Enable Credential Guard on Windows systems
  • Monitor system activity using Sysmon, SIEM, and event logs
  • Keep all systems patched and up to date

For individuals, avoid saving credentials in browsers and use multi-factor authentication for banking and crypto platforms.
