Chapter 1: Introduction to Mimikatz

Overview

Welcome to "Mastering Mimikatz, Kekeo and More." If you're reading this, you’re likely looking to get a serious handle on Windows security internals. I’ve always found that there's no better way to understand how a system works than by looking at how its core security mechanisms can be manipulated. This book is designed to take you on a deep journey through the landscape of Windows authentication, credential storage, and the various defenses that—when misconfigured—leave sensitive information exposed.

Author: Carlos Perez (DarkOperator)

I wrote this material for us—the practitioners. Whether you're a security professional, a penetration tester on a red team, or a defensive analyst trying to understand what the logs are actually telling you, you need to understand these mechanisms at a fundamental level. By walking through the techniques demonstrated by Mimikatz and its relatives, we aren't just learning to run a tool; we're learning the tradecraft required to protect our environments and effectively assess security postures.

What is Mimikatz?

The Genesis of a Legendary Tool

At its core, Mimikatz is a Proof of Concept (POC) tool. Benjamin Delpy created it to demonstrate inherent design flaws and security weaknesses within the Microsoft Windows operating system. What I find most inspiring is that it started as a personal learning project. Over the years, it has evolved into one of the most significant research tools in the entire Windows ecosystem, effectively forcing Microsoft to fundamentally rethink how credentials are handled in modern versions of the OS.

The tool is the work of Benjamin Delpy, known to most of us as @gentilkiwi. The history here is worth noting:

• Created as a learning exercise: Benjamin didn't set out to build a "hacking tool"; he wrote Mimikatz to teach himself the C programming language. It’s a perfect example of how curiosity-driven development can lead to groundbreaking security research.
• Spare-time development: Unlike many tools funded by big corporations or governments, Mimikatz was built entirely in Benjamin's spare time. It was driven purely by intellectual curiosity and a desire to understand Windows internals.
• Open source transparency: By making Mimikatz open source on GitHub, Delpy allowed the entire community to learn, audit, and improve upon his techniques. This transparency has been absolutely crucial for both offensive and defensive research.

The Mimikatz Family of Tools

Over time, the project has expanded. It’s no longer just one executable; it’s a family of related projects:

1. Mimikatz (the core tool): This is the primary executable we use for credential extraction, pass-the-hash, pass-the-ticket, and a massive array of other security operations.
2. Kekeo: I like to think of Kekeo as the specialist. It focuses specifically on Kerberos operations and Public Key Infrastructure (PKI) abuse. While Mimikatz handles Kerberos, Kekeo provides more advanced functionality, particularly around certificate-based authentication and PKINIT (Public Key Cryptography for Initial Authentication).
3. Mimilib: This is the DLL version of Mimikatz’s functionality. You can inject it into other processes or use it as a Security Support Provider (SSP), which allows for persistent—and often stealthier—credential harvesting.

Why Mimikatz Matters

I’m often asked why we still talk about Mimikatz given how old it is. The reason is simple: it’s foundational.

For Offensive Security:

• It demonstrates the exact credential theft techniques used by advanced persistent threats (APTs) in the real world.
• It provides essential capabilities for post-exploitation and lateral movement during authorized testing.
• It enables red teams to emulate realistic adversary behavior so we can actually test our defenses.
• It helps us identify and demonstrate the true impact of credential exposure to stakeholders.

For Defensive Security:

• It reveals exactly what an attacker can do once they gain that first foothold in a Windows environment.
• It highlights why mechanisms like Credential Guard aren't just "nice to have"—they are critical.
• It demonstrates why administrative credential hygiene is the backbone of a secure network.
• Most importantly, it shows us what indicators of compromise (IOCs) we need to be hunting for in our logs.

For Security Research:

• It provides a window into Windows authentication architecture and the design decisions behind it.
• It shows us how Windows actually stores and protects sensitive material.
• It reveals the complex relationships between subsystems like LSASS, LSA, SAM, and Kerberos.
• It gives us a way to validate whether our security controls are actually working as intended.

The Impact on Windows Security

Mimikatz has changed the way Windows is built. Microsoft has responded to the research Benjamin has shared with significant security enhancements that we all benefit from today:

• Credential Guard: This uses virtualization-based security to isolate credentials from the rest of the OS.
• Protected Process Light (PPL) for LSASS: This makes it significantly harder for unauthorized code to reach into LSASS memory.
• Windows Defender Application Control (WDAC): This helps stop unauthorized tools from running in the first place.
• Enhanced logging: We now have much better audit capabilities to detect these types of credential theft attempts.

Getting Mimikatz

Official Sources

If there is one thing I want to stress, it’s this: Always get your tools from official sources. Using a random binary you found on a forum is a great way to get yourself backdoored.

GitHub Repository: https://github.com/gentilkiwi/mimikatz

Once you're there, you have two main routes:

1. Source Code Compilation

The full source code is available as a Visual Studio solution. Personally, I prefer building from source whenever possible.

Requirements:

• Visual Studio (Community Edition is fine).
• Windows SDK.
• A basic understanding of the C/C++ build process.

Why bother?

• You can verify the code yourself—trust but verify.
• You can customize the functionality for specific testing scenarios.
• You learn much more about the implementation details by looking at the source.
• You can ensure you have the very latest features and bug fixes.

2. Pre-Compiled Binaries

If you don't need to modify the code, pre-compiled binaries are usually available in the GitHub releases section:

GitHub Releases: https://github.com/gentilkiwi/mimikatz/releases

The releases generally include:

• x64 (64-bit): This is what you'll use for 99% of modern Windows systems.
• Win32 (32-bit): For legacy systems or very specific compatibility needs.

Crucial Step: Always verify the digital signature and the hash of the binaries you download. Benjamin Delpy digitally signs the official releases.

Mimikatz in Other Tools

Because it’s so powerful, Mimikatz functionality has been integrated into almost every major penetration testing framework. It’s important to understand these integrations because they change how the tool behaves and how it’s detected.

1. Metasploit Framework - Kiwi Extension

The kiwi extension is the successor to the older Mimikatz extension in Meterpreter. It allows you to run Mimikatz-like functionality directly from a session.

Example:

meterpreter> load kiwi
meterpreter> creds_all

What I like about it: It integrates seamlessly into my Metasploit workflow and works entirely in-memory, which means a smaller disk footprint. The catch: Meterpreter is very well-known to modern EDRs. The kiwi module loads specific DLLs that are easily signature-detected, and memory scanning often picks up the Meterpreter process itself.

2. Cobalt Strike Beacon

Cobalt Strike is a heavy hitter in the commercial adversary simulation world, and it has built-in Mimikatz capabilities through commands like hashdump, logonpasswords, and dcsync.

How it's different: Cobalt Strike is designed with operational security (OPSEC) in mind. It gives you options for in-memory execution, process injection, or spawning sacrificial processes. Its malleable C2 profiles also help evade behavioral detection. Defensive view: Because Cobalt Strike is used by both red teams and actual threat actors, its default configurations are heavily signatured. Defenders should focus on the behaviors (like LSASS access) rather than the tool name.

3. Invoke-Mimikatz PowerShell Script

This was originally part of the PowerSploit framework. It’s a PowerShell wrapper that loads Mimikatz into memory without touching the disk.

Usage:

Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords"

The advantages: It’s pure PowerShell, so you don't need to upload an EXE. You can load it via a download cradle and it integrates nicely into automated attack chains. The modern reality: Modern Windows defenses have caught up. Between PowerShell ScriptBlock logging, transcription, and AMSI (Anti-Malware Scan Interface), this is much harder to pull off than it used to be. Constrained Language Mode can also block the reflective assembly loading that this script relies on.

The Dual-Use Nature of Security Tools

We have to remember that Mimikatz is a "dual-use" tool. It can be used for good or for ill. The tool itself is neutral; the ethics and the legality depend entirely on who is typing the commands. Use your power responsibly.

Course Objectives

By the time you finish this book, I want you to have:

Technical Understanding:

• A deep knowledge of Windows authentication architecture.
• A clear understanding of how credentials are stored and protected.
• Internal knowledge of the Kerberos protocol.
• Proficiency in PKI and certificate-based authentication abuse.
• A firm grip on LSASS internals and Windows security subsystems.

Practical Skills:

• The ability to use Mimikatz modules for authorized testing without breaking things.
• Knowledge of credential extraction techniques and—importantly—their limitations.
• The skills to perform various Kerberos attacks.
• The capability to assess the real-world credential security posture of a Windows environment.

Defensive Knowledge:

• A clear understanding of how these attacks work so you can detect them.
• Familiarity with detection techniques and indicators of compromise.
• Practical knowledge of Windows credential protection mechanisms.
• The ability to recommend and implement effective security controls to harden your environment.

How to Use This Book

I’ve structured this book to take you from the ground up:

• Part I: Foundations (Chapters 1-4): Start here. We’ll build your fundamental understanding and learn how to actually operate the tool.
• Part II-III: System Operations (Chapters 5-11): We’ll learn to manipulate privileges and tokens, and look at system-level modules for RPC control, services, and process operations.
• Part IV: Credential Access (Chapters 12-23): This is the heart of Mimikatz. We’ll cover LSASS operations in depth, including extraction, pass-the-hash, and understanding SAM and LSA Secrets.
• Part V: Kerberos (Chapters 24-32): A deep dive into Kerberos—tickets, roasting, and forging trust.
• Part VI: PKI (Chapters 33-38): We’ll explore certificate abuse and PKINIT.
• Part VII-VIII: Advanced Techniques (Chapters 39-42): We’ll wrap up with heavy hitters like DCSync, DCShadow, and DPAPI.

What's Next

In the chapters following this introduction, we’re going to explore the basics: how to run the tool, how its modules are structured, and how to perform your first operations. From there, we’ll progressively build your knowledge through each Windows security subsystem.

Remember, our goal isn’t just to learn a tool. We’re using Mimikatz as our vehicle to explore the underlying architecture of Windows security. This knowledge is invaluable whether you're testing, defending, or just trying to understand the systems you work with every day.

Let's get started. Our journey into the internals of Windows security begins here, built on the incredible research of Benjamin Delpy.

---

Next Chapter: Chapter 2: Mimikatz Basics - Learn how to operate Mimikatz, understand its architecture, and perform basic operations.