C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team used Mimikatz to capture and use legitimate credentials.[6]

G1030 Agrius

Agrius used tools such as Mimikatz to dump LSASS memory to capture credentials in victim environments.[7]

G0006 APT1

APT1 has been known to use credential dumping using Mimikatz.[8]

G0007 APT28

APT28 regularly deploys both publicly available (e.g., Mimikatz) and custom password retrieval tools on victims.[9][10] They have also dumped the LSASS process memory using the MiniDump function.[11]

G0022 APT3

APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig."[12]

G0050 APT32

APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.[13][14]

G0064 APT33

APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials.[15][16]

G0087 APT39

APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.[17]

G0096 APT41

APT41 has used hashdump, Mimikatz, Procdump, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.[18][19][20]

G1023 APT5

APT5 has used the Task Manager process to target LSASS process memory in order to obtain NTLM password hashes. APT5 has also dumped clear text passwords and hashes from memory using Mimikatz hosted through an RDP mapped drive.[21]

G0143 Aquatic Panda

Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.[22]

S0606 Bad Rabbit

Bad Rabbit has used Mimikatz to harvest credentials from the victim's machine.[23]

G0108 Blue Mockingbird

Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.[24]

G0060 BRONZE BUTLER

BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.[25]

C0032 C0032

During the C0032 campaign, TEMP.Veles used Mimikatz and a custom tool, SecHack, to harvest credentials.[26]

G0003 Cleaver

Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.[27]

S0154 Cobalt Strike

Cobalt Strike can spawn a job to inject into LSASS memory and dump password hashes.[28]

S0046 CozyCar

CozyCar has executed Mimikatz to harvest stored credentials from the victim and to further penetrate the victim's environment.[29]

C0029 Cutting Edge

During Cutting Edge, threat actors used Task Manager to dump LSASS memory from Windows devices to disk.[30]

S0187 Daserf

Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.[31]

G1006 Earth Lusca

Earth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.[32]

G1003 Ember Bear

Ember Bear uses legitimate Sysinternals tools such as procdump to dump LSASS memory.[33][34]

S0367 Emotet

Emotet has been observed dropping and executing password grabber modules including Mimikatz.[35][36]

S0363 Empire

Empire contains an implementation of Mimikatz to gather credentials from memory.[37]

G1016 FIN13

FIN13 has obtained memory dumps with ProcDump to parse and extract credentials from a victim's LSASS process memory with Mimikatz.[38][39]

G0037 FIN6

FIN6 has used Windows Credential Editor for credential dumping.[40][41]

G0061 FIN8

FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).[42]

G0117 Fox Kitten

Fox Kitten has used ProcDump to dump credentials from LSASS.[43]

G0093 GALLIUM

GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.[44][45]

S0342 GreyEnergy

GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim’s machine.[46]

G0125 HAFNIUM

HAFNIUM has used procdump to dump the LSASS process memory.[47][1][48]

C0038 HomeLand Justice

During HomeLand Justice, threat actors dumped LSASS memory on compromised hosts.[49]

S0357 Impacket

SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.[50]

G0119 Indrik Spider

Indrik Spider used Cobalt Strike to carry out credential dumping using ProcDump.[51]

G0004 Ke3chang

Ke3chang has dumped credentials, including by using Mimikatz.[52][53][54]

G0094 Kimsuky

Kimsuky has gathered credentials using Mimikatz and ProcDump.[55][56][57]

S0349 LaZagne

LaZagne can perform credential dumping from memory to obtain account and password information.[58]

G0077 Leafminer

Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.[59]

G0065 Leviathan

Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.[60]

S0681 Lizar

Lizar can run Mimikatz to harvest credentials.[61][62]

S0121 Lslsass

Lslsass can dump active logon session password hashes from the lsass process.[8]

S1060 Mafalda

Mafalda can dump password hashes from LSASS.exe.[63]

G0059 Magic Hound

Magic Hound has stolen domain credentials by dumping LSASS process memory using Task Manager, comsvcs.dll, and from a Microsoft Active Directory Domain Controller using Mimikatz.[64][65][66][67]

S0002 Mimikatz

Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire credential information in many ways, including from LSASS memory.[68][69][70][71]

G1036 Moonstone Sleet

Moonstone Sleet retrieved credentials from LSASS memory.[72]

G0069 MuddyWater

MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.[73][74][75]

S0056 Net Crawler

Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.[27]

S0368 NotPetya

NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.[76][77][71]

G0049 OilRig

OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[78][79][64][80]

S0439 Okrum

Okrum was seen using MimikatzLite to perform credential dumping.[81]

S0365 Olympic Destroyer

Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.[82]

C0014 Operation Wocao

During Operation Wocao, threat actors used ProcDump to dump credentials from memory.[83]

G0068 PLATINUM

PLATINUM has used keyloggers that are also capable of dumping credentials.[84]

G1040 Play

Play has used Mimikatz and the Windows Task Manager to dump LSASS process memory.[85]

S0428 PoetRAT

PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials.[86]

S0378 PoshC2

PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[87]

S0194 PowerSploit

PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz.[88][89]

S0192 Pupy

Pupy can execute LaZagne as well as Mimikatz using PowerShell.[90]

S0583 Pysa

Pysa can perform OS credential dumping using Mimikatz.[91]

G1039 RedCurl

RedCurl used LaZagne to obtain passwords from memory.[92][93]

G0034 Sandworm Team

Sandworm Team has used its plainpwd tool, a modified version of Mimikatz, and comsvcs.dll to dump Windows credentials from system memory.[94][95][96]

G0091 Silence

Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.[97]

S0692 SILENTTRINITY

SILENTTRINITY can create a memory dump of LSASS via the MiniDumpWriteDump Win32 API call.[98]

G0027 Threat Group-3390

Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.[99][100]

C0030 Triton Safety Instrumented System Attack

In the Triton Safety Instrumented System Attack, TEMP.Veles used Mimikatz.[101]

G1017 Volt Typhoon

Volt Typhoon has attempted to access hashed credentials from the LSASS process memory space.[102][103]

G0107 Whitefly

Whitefly has used Mimikatz to obtain credentials.[104]

S0005 Windows Credential Editor

Windows Credential Editor can dump credentials.[105]

G0102 Wizard Spider

Wizard Spider has dumped the lsass.exe memory to harvest credentials with the use of open-source tool LaZagne.[106]