THE MIMIKATZ STORY
Note: I was recently tasked with writing a story about Benjamin Delpy and his Mimikatz program, but they didn’t want to use what I wrote, so I’m posting it here instead.
**
The internet wasn't working.
Benjamin Delpy, a French computer programmer, had just checked into a room at the Presidential Hotel in Moscow ahead of a talk he was set to give at a Russian computer security conference, only to discover the hotel didn't offer Wi-Fi, and he couldn't connect to the room's ethernet port either.
If he couldn’t get on the web to access his presentation and the computer code he would be discussing, his whole trip to Eastern Europe might be in jeopardy. Annoyed and, above all, concerned, he decided to broach the issue directly with the hotel's staff.
On the elevator ride down to the front desk, Delpy thought about the program he created that had brought him there. It was called Mimikatz, French slang for “cute cats”, which Delpy developed as a side project to learn more about the C programming language and Windows security.
Concerned that Microsoft had included in the Windows operating system a security flaw that could allow outside access to user's passwords and other network features, Delpy designed a way to gain repeated access to a target's computer and other users on a particular network as a way to test this suspected weakness.
The program had taken off immediately. Only months after releasing the closed-source program, he saw Chinese hackers attempting to reverse-engineer Mimikatz, and the program was subsequently used to spy on 300,000 Iranian Gmail users. Delpy shook his head, thinking about how his code had taken on a life of its own.
He got off the elevator, approached the front desk, and complained to the hotel's staff, who offered to send a technician up to try to fix the issue. Delpy refused, preferring to try to solve the issue himself.
He rode the elevator back up to his room, and when he arrived, he swiped his card, entered, and discovered a man he didn't recognize in a dark suit, sitting at his desk, trying to use his laptop.
He stopped in his tracks at the edge of the floor, heart suddenly pounding. Delpy looked at his laptop, the source code for Mimikatz and the text and slides of his presentation inside. Still frozen and unable to react, Delpy then watched as the man rose, muttered an apology in English, rushed past him, and left the room, slamming the door behind him.
Who was the mysterious man? What did he want? Why was he in Delpy’s room? The possibilities ran through his head, over and over, unsettling him and causing his to toss and turn all night.
"It was all very strange for me," Delpy said later. "Like being in a spy film."
And it wouldn't be the last time that someone tried to get their hands on Delpy's powerful program.
**
In the late 2000 and early 2010s, Benjamin Delpy was working at his day job as an IT manager for a French governmental organization when he got more interested in programming and computer security. Speaking at the BlueHat Illinois conference in 2019, he recounts how it all started: “At the origin of Mimikatz, it was not to dump passwords, it was for me to learn C.”
Working in IT, Delpy didn't actually know much about computer programming at the time. He wanted to change that, so he took it upon himself to learn “code”, the slang term for programming. He started with the popular C language, a powerful, general, all-purpose language created back in the punch-card era of the 1970s, but that is still in use today.
In the course of his self-guided studies, he dug deep into Microsoft's Windows operating system and noticed a problem: he could “obtain account login and password information...from an operating system or software. Credentials [could] then be used to perform lateral movement and access restricted information.”
Worried he was too inexperienced and too much of a novice to discover something of this magnitude, he checked and rechecked his code over and over to make absolutely sure he was seeing what he thought he was seeing. But again and again, he kept coming up with the same conclusion: Microsoft had a gaping security hole, and no one on their massive, international, multi-billion dollar team had been able to discover it before he had. He could do little more than shake his head at the oversight, and smile at the possibilities.
Thinking back on it, Delpy said in hindsight: “In 2011, I discovered...for the first time publicly: passwords, clear text passwords. It was a wonderful time for me.”
Delpy was excited that, in a short amount of time, he was able to find a flaw in such a powerful and influential company. He decided the best and most ethical thing to do would be to contact the company directly to let them know about the issue, which he was sure they would fix quickly. He posted on their support page and wasn't sure what to expect, but did not anticipate what he heard in response.
Microsoft brushed him off.
They replied that what he discovered wasn't a “real flaw”, and urged users to simply update their operating systems.
Such a reaction irritated Delpy, who felt he wasn't being taken seriously. In response, he spent day after day feverishly putting his research into code, thus creating Mimikatz “as a proof of concept to show Microsoft that their authentication protocols were vulnerable to attack”. This would allow users of the program easy access to those same flaws he discovered, for better or worse.
But what now? Crestfallen and upset at being blown off by Microsoft, Delpy had a decision to make: should he get comeuppance and release Mimikatz to the world? What would happen when such a powerful and easy-to-use program was out freely on the web? Who would use it, and to what ends? Delpy found himself at a crossroads.
**
It was a point of no return: in an act of defiance and resistance, Delpy decided to release Mimikatz as a “closed-source” program, meaning its code would be protected so no one could see exactly how it was written and how it worked.
But he was surprised to see the speed at which hackers from all around the globe began to attempt to break into his program, trying to figure out how it worked, like the Chinese hackers who discussed Mimikatz in online forums, attempting to reverse-engineer it.
Then, all hell broke loose: Delpy “learned for the first time—he declines to say from whom—that Mimikatz had been used in an intrusion of a foreign government network.”
"The first time I felt very, very bad about it," he remembers. “Originally conceived as a research project by Delpy to better understand Windows security,” Mimikatz had now grown well beyond his control.
And it got worse: Delpy watched helplessly as his program became one of the world's most powerful and ubiquitous ways for people to steal passwords. Russians hacked the German parliament with it. Thousands of Iranians were spied on due to a Mimikatz attack on DigiNotar by unidentified hackers. The Carbanak group committed multiple multimillion-dollar bank robberies, and NotPetya was able to corrupt and freeze systems as FedEx, Merck, and more.
All told, the monetary damages caused by ill-intentioned users of Mimikatz had grown into the billions.
But rather than shy away from the attention he received from creating a problem that had spiraled out of his sway, Delpy decided to embrace it and “has continued to hone his creation, speaking about it publicly and even adding more features over the years.”
By the beginning of 2012, as a result of the spread of this compelling new program, Delpy became notorious in computer security circles and was again invited to Russia to speak at yet another conference. At the conclusion of his talk at Positive Hack Days, a Russian man in a dark suit approached him as he left the stage.
It was not the same man as had been in his hotel room, but again, Delpy stopped in his tracks. Again, his heart was pounding in his chest. But unlike the previous encounter, the man in front of him in the dark suit did not budge, did not apologize, and instead wanted Delpy to put a copy of his conference speech, slides, and code onto a USB drive.
And he wanted it now.
What was Delpy to do?
**
This time, he complied.
Delpy felt he had no choice. He feared for his personal safety while in Russia and figured “if hackers were going to use his tool, defenders should understand it too.”
In an act of defiance and revenge, not against Microsoft like before, but against those who would use his program for wrongdoing, theft, or as part of cyber warfare, he decided to release the code on the internet again.
However, this time, it would be “open source”, so anyone could have access to Mimikatz's internal workings and see the code for themselves.
The program, to no one's surprise, spread like mad.
And just like his software, Delpy traveled, too. He continued crossing the globe, jet-setting to more conferences to talk about Mimikatz and his newfound passion for computer security.
In an interview with Paula Januszkiewicz at Black Hat USA 2019 in Las Vegas, he stated his motivation to continue to improve the program and stand behind it even as others used it for nefarious purposes: “The motivation is about when I discovered that Microsoft doesn't care...At the time, it was not a problem (for them). For customers, I can say it was a problem. So I make it evolve, I make it compatible with all Windows versions.”
As a result, Mimikatz became even more ubiquitous in computer security circles and with hacker groups, including some who combined the program with leaked National Security Administration tools to create self-replicating, self-propagating, self-contained ransomware that doesn't require human involvement to spread to more and more vulnerable systems.
And Mimikatz even hit Hollywood in an episode of the hacker thriller show Mr. Robot on USA Network. In a season two episode, supporting character Angela Moss uses Mimikatz to obtain her boss' clear text password and thus gain access to his computer and download sensitive documents on his system.
She uses a Rubber Ducky, a keyboard emulator designed to fit on a USB thumb drive, to extract her desired data. Once back at her own workstation, she discovers her boss' password that Mimikatz was able to access from his computer's memory without the need to rifle through a dictionary or use any other sort of brute force attack.
This is the key to the ease of use that Mimikatz allows in accessing systems that would otherwise be protected, and it was now being shown visually, compellingly, and in front of millions of otherwise ignorant audiences, who may not otherwise have known about this otherwise esoteric piece of computer software.
Thus, Mimikatz was now mainstream.
Delpy had “inadvertently created one of the most widely used and downloaded hacker tools of the past 20 years” and had now even hit the big time with a cameo on a hit TV show. What was next?
**
For Delpy, an otherwise mild-mannered computer enthusiast who just wanted to learn to program in C, Mimikatz had taken on a life of its own, and that life was one that he hasn't always been proud of. "Mimikatz wasn’t at all designed for attackers. But it's helped them," Delpy says now. "When you create something like this for good, you know it can be used by the bad side too."
On the other hand, says UC Berkeley security researcher Nicholas Weaver, “I think we must be honest: if it wasn't Mimikatz, there would be some other tool.”
And finally, Microsoft took notice. At Delpy’s continued urging, the company eventually acknowledged and patched the security issues that Delpy made plain with his program. And even with the amount of public speaking he had done, Delpy was invited to give talks at two of Microsoft's security conferences, and was also invited to join one of its review boards for new research submissions.
It might seem strange to invite someone who exploited their system's vulnerabilities into the fold, but as Delpy explained at a 2014 conference at the Norweigan University of Science and Technology, “I'm not paid by Microsoft. I have some problems with them sometimes, but sometimes they make good stuff. In the new version of Windows (Windows 8.1), they introduced the restricted admin mode for remote desktop connection. It's cool!”
The title of his talk that day, to a group of European computer enthusiasts, was “how to push microsoft to change some little stuff”. It's fair to say Delpy is bemused and frustrated by Microsoft in equal measure, but still, he achieved his original goal: the company specifically introduced new features to make Mimikatz less effective, and thus, computers and networks more secure.
Through the course of this whole years-long ordeal, Delpy found that the best way for computer users and anyone else interested in internet security is to simply do it yourself, just like he did.
He says finally, “You look at my works and you create your own tools to make adaptations to understand how it works, so I'm very happy because at the beginning and even now Mimikatz is sitting as a...tool to say, 'Hey, I made that!' But, come on, make your own one. Because without creating we will not understand.”
References:
https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/
https://cqureacademy.com/blog/the-story-behind-mimikatz
https://www.varonis.com/blog/what-is-mimikatz
https://thethreatreport.com/mimikatz-a-deeper-look-at-blackhat-and-whitehat-hackers-shared-tool/
https://heimdalsecurity.com/blog/mimikatz/
https://doubleoctopus.com/security-wiki/threats-and-tools/mimikatz/
https://mediasite.ntnu.no/Mediasite/Play/1b79a4e57d7142a5b29e3443b90acf581d