Mimikatz, Software S0002 | MITRE ATT&CK®
Enterprise
Access Token Manipulation: SID-History Injection
Mimikatz's MISC::AddSid module can append any SID or user/group account to a user's SID-History. Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain.[2][3]
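A check for injected SID-History values, added here as an example; it is not code from the ATT&CK page or from Mimikatz. It assumes directory records already exported with objectSid and sIDHistory (for instance from an LDAP query for (sIDHistory=*)); the records, domain SIDs and account names below are constructed. Two signals are used: a sIDHistory entry from the account's own domain, which migration tooling never produces, and an entry whose RID is a well-known privileged group.

```python
"""Audit sIDHistory for signs of MISC::AddSid-style injection.

Added example, not MITRE's or Mimikatz's code. Records are constructed inline.
"""

# Well-known RIDs of privileged groups; any of these in sIDHistory deserves a look
# no matter which domain the SID came from. 544 is BUILTIN\Administrators.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    544: "Administrators",
}

# Constructed sample. Current domain SID is S-1-5-21-111-222-333; an old,
# migrated-from domain is S-1-5-21-999-888-777.
SAMPLE_RECORDS = [
    {"sAMAccountName": "migrated.user",            # legitimate migration artefact
     "objectSid": "S-1-5-21-111-222-333-1105",
     "sIDHistory": ["S-1-5-21-999-888-777-1052"]},
    {"sAMAccountName": "svc-backup",               # own-domain Enterprise Admins SID
     "objectSid": "S-1-5-21-111-222-333-1190",
     "sIDHistory": ["S-1-5-21-111-222-333-519"]},
    {"sAMAccountName": "contractor",               # old-domain Domain Admins SID
     "objectSid": "S-1-5-21-111-222-333-1201",
     "sIDHistory": ["S-1-5-21-999-888-777-512"]},
    {"sAMAccountName": "plain.user",
     "objectSid": "S-1-5-21-111-222-333-1300",
     "sIDHistory": []},
]


def split_sid(sid):
    """Return (domain_sid, rid) for a SID of the form S-1-5-21-a-b-c-rid."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def audit_sid_history(records):
    """Return a list of (account, sid, reason) findings."""
    findings = []
    for rec in records:
        own_domain, _ = split_sid(rec["objectSid"])
        for hist in rec["sIDHistory"]:
            hist_domain, rid = split_sid(hist)
            if hist_domain == own_domain:
                # ADMT and similar tools copy SIDs from a *source* domain only;
                # a same-domain SID here can only have been written directly.
                findings.append((rec["sAMAccountName"], hist,
                                 "same-domain SID in sIDHistory"))
            elif rid in PRIVILEGED_RIDS:
                findings.append((rec["sAMAccountName"], hist,
                                 f"privileged group SID ({PRIVILEGED_RIDS[rid]}) in sIDHistory"))
    return findings


if __name__ == "__main__":
    for account, sid, reason in audit_sid_history(SAMPLE_RECORDS):
        print(f"{account}: {sid}: {reason}")
```

Cross-domain SIDs with ordinary RIDs (the migrated.user case) pass, since that is what a real migration leaves behind; the same check also catches the forest-root Enterprise Admins SID that the page's Golden Ticket entry describes being added via /sids.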
Enterprise
Account Manipulation
The Mimikatz credential dumper has been extended with Skeleton Key functionality (MISC::Skeleton), which patches LSASS on a domain controller so that a chosen master password is accepted for any domain account alongside the real one. The LSADUMP::ChangeNTLM and LSADUMP::SetNTLM modules can also change or reset an account's password hash directly, without knowing the cleartext value.[2][4]
Enterprise
Boot or Logon Autostart Execution: Security Support Provider
The Mimikatz credential dumper contains an implementation of an SSP.[1]
Enterprise
Credentials from Password Stores
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.[1][5][6][7][8]
Credentials from Password Stores: Windows Credential Manager
Mimikatz contains functionality to acquire credentials from the Windows Credential Manager.[9]
Enterprise
OS Credential Dumping: LSASS Memory
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSASS Memory.[1][5][6][7]
OS Credential Dumping: Security Account Manager
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the SAM table.[1][5][6][7]
OS Credential Dumping: LSA Secrets
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from LSA secrets.[1][5][6][7]
OS Credential Dumping: DCSync
Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including via DCSync/NetSync, which requests account data through the directory replication protocol as a domain controller would.[1][5][6][7][8]
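A detection for the DCSync entry above, added as an example; it is not code from the ATT&CK page or from Mimikatz. It scans Security Event ID 4662 records for the control-access-right GUIDs that directory replication requires and alerts when the requesting principal is not a known replicator. The event records, the host names and the allowlist (DC01$, DC02$ and an assumed Azure AD Connect account) are constructed; 4662 on the domain object is only logged when Directory Service Access auditing is enabled on it.

```python
"""Flag Event ID 4662 records that look like DCSync.

Added example, not from the ATT&CK page or Mimikatz. Events are constructed
with a few Security-log fields in the shape a DC would log them.
"""
import re

# Extended rights needed to pull password material by replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allowlist: DC machine accounts plus an assumed Azure AD Connect
# account. Tune to the environment; anything else replicating is an alert.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3d4"}

DOMAIN_DNS_CLASS = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # domainDNS object class
USER_CLASS = "%{bf967aba-0de6-11d0-a285-00aa003049e2}"         # user object class

SAMPLE_4662 = [
    # Normal DC-to-DC replication.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "ObjectType": DOMAIN_DNS_CLASS,
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account asking for all changes on the domain object: DCSync.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": DOMAIN_DNS_CLASS,
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated 4662 on a user object with a constructed placeholder attribute GUID.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": USER_CLASS,
     "Properties": "%%7688\n\t{00000000-0000-0000-0000-00000000aaaa}"},
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe"},
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)


def replication_rights_in(properties):
    """Names of replication rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Return (DOMAIN\\user, [rights]) for replication requests by unexpected principals."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights or ev["SubjectUserName"] in expected:
            continue
        alerts.append((ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"], rights))
    return alerts


if __name__ == "__main__":
    for principal, rights in detect_dcsync(SAMPLE_4662):
        print(f"possible DCSync by {principal}: {', '.join(rights)}")
```

Get-Changes-All is the right that matters most: without it the replication response omits secret attributes, so a principal requesting it from a workstation is the strongest single indicator here.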
Enterprise
Rogue Domain Controller
Mimikatz's LSADUMP::DCShadow module can push changes into Active Directory by temporarily registering a computer as a domain controller and replicating the changes to legitimate DCs.[1][2]
Enterprise
Steal or Forge Authentication Certificates
Mimikatz's CRYPTO module can create and export various types of authentication certificates.[2]
Enterprise
Steal or Forge Kerberos Tickets: Golden Ticket
Mimikatz's KERBEROS module can create golden tickets: forged TGTs built with the krbtgt account's hash.[10][8]
Steal or Forge Kerberos Tickets: Silver Ticket
Mimikatz's KERBEROS module can create silver tickets: forged service tickets built with the hash of the target service's account.[10]
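Event correlation for the two forged-ticket entries above, added as an example; it is not code from the ATT&CK page or from Mimikatz. A golden ticket is minted offline, so the DC never sees an AS exchange (4768) for the account before TGS requests (4769) arrive; a silver ticket never touches the DC at all, so the target host records a Kerberos network logon (4624) for which no 4769 exists. The events, host names, account names and timestamps (plain seconds) are constructed; the RC4 check assumes the domain's accounts normally receive AES tickets, and both heuristics assume 4768/4769 are collected from every DC.

```python
"""Correlate Kerberos events to surface golden and silver ticket candidates.

Added example, not from the ATT&CK page or Mimikatz. Events are constructed.
"""

LOOKBACK = 10 * 3600  # default TGT lifetime (10 h) in seconds


def _user(name):
    """Normalise 'alice@CORP.LOCAL' and 'alice' to the same key."""
    return name.split("@")[0].lower()


SAMPLE_KERBEROS = [
    # alice: normal AS -> TGS -> logon, AES256 (0x12) tickets.
    {"t": 100, "EventID": 4768, "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x12"},
    {"t": 110, "EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FILESRV01$",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x12"},
    {"t": 111, "EventID": 4624, "TargetUserName": "alice", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "Host": "FILESRV01"},
    # mallory: TGS request with no prior TGT request and an RC4 (0x17) ticket.
    {"t": 500, "EventID": 4769, "TargetUserName": "mallory@CORP.LOCAL", "ServiceName": "DC01$",
     "IpAddress": "10.0.0.77", "TicketEncryptionType": "0x17"},
    # bob: Kerberos logon on FILESRV01 although the DC issued no ticket for FILESRV01$.
    {"t": 600, "EventID": 4624, "TargetUserName": "bob", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "Host": "FILESRV01"},
]


def detect_golden(events, lookback=LOOKBACK):
    """Return (user, service, [reasons]) for 4769s with no 4768 in the lookback or with RC4."""
    tgt_times = {}
    for ev in events:
        if ev["EventID"] == 4768:
            tgt_times.setdefault(_user(ev["TargetUserName"]), []).append(ev["t"])
    alerts = []
    for ev in events:
        if ev["EventID"] != 4769:
            continue
        user = _user(ev["TargetUserName"])
        recent = [t for t in tgt_times.get(user, []) if 0 <= ev["t"] - t <= lookback]
        reasons = []
        if not recent:
            reasons.append("TGS request without preceding TGT request")
        if ev.get("TicketEncryptionType") == "0x17":
            reasons.append("RC4 ticket in AES-capable domain")
        if reasons:
            alerts.append((user, ev["ServiceName"], reasons))
    return alerts


def detect_silver(events):
    """Return (user, host, reason) for Kerberos network logons with no matching 4769."""
    # 4769 ServiceName for host SPNs (cifs/, host/, ...) is the machine account, so
    # strip the trailing '$' to compare against the logging host's name.
    issued = {(_user(e["TargetUserName"]), e["ServiceName"].rstrip("$").lower())
              for e in events if e["EventID"] == 4769}
    alerts = []
    for ev in events:
        if (ev["EventID"] == 4624 and ev.get("LogonType") == "3"
                and ev.get("AuthenticationPackageName") == "Kerberos"):
            key = (_user(ev["TargetUserName"]), ev["Host"].lower())
            if key not in issued:
                alerts.append((ev["TargetUserName"], ev["Host"],
                               "Kerberos logon without DC-issued service ticket"))
    return alerts


if __name__ == "__main__":
    print("golden:", detect_golden(SAMPLE_KERBEROS))
    print("silver:", detect_silver(SAMPLE_KERBEROS))
```

Renewed TGTs (4770) and logons that span the lookback boundary will produce false positives in a real deployment; the point of the example is the correlation shape, which is the same whatever windowing a SIEM applies.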
Enterprise
Unsecured Credentials: Private Keys
Mimikatz's CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.[2]
Enterprise
Use Alternate Authentication Material: Pass the Hash
Mimikatz's SEKURLSA::Pth module can impersonate a user, with only the account's NTLM hash or Kerberos AES key, to start a process and execute arbitrary commands under those credentials.[2][7][8]
Use Alternate Authentication Material: Pass the Ticket
Mimikatz's LSADUMP::DCSync and KERBEROS::PTT modules cover the three steps required to forge and use a ticket: extract the krbtgt account hash by replication (LSADUMP::DCSync), forge a ticket from it (KERBEROS::Golden), and inject that ticket into the current logon session (KERBEROS::PTT).[2][3][11][7]