mimikittenz: Harvesting Plaintext Passwords from Process Memory Without Admin Rights
Hook
Most credential dumping tools need admin rights and immediately trigger EDR alerts. mimikittenz runs as a regular user, reads what’s already in your browser’s memory, and extracts plaintext passwords while you sip coffee.
Context
Post-exploitation on Windows has long been dominated by tools like Mimikatz that require administrative privileges to dump credentials from LSASS or SAM databases. This creates a chicken-and-egg problem: you need elevated access to get credentials that might grant you elevated access elsewhere. Meanwhile, security products have become increasingly adept at detecting these high-privilege credential dumpers, making them noisy and risky to use.
The reality is that sensitive data doesn’t only live in protected credential stores. Every time a user logs into Gmail, submits an AWS API key, or authenticates to a corporate VPN, that data passes through application memory in plaintext. Web browsers, email clients, and enterprise applications all hold these secrets temporarily during normal operation. mimikittenz exploits this gap by operating at user-level privilege, reading process memory that’s already accessible without elevation, and applying regex patterns to extract anything valuable. It’s not exploiting a vulnerability—it’s simply reading what applications have carelessly left lying around in RAM.
Technical Insight
mimikittenz leverages the Windows ReadProcessMemory() API, a legitimate debugging function that allows one process to read the memory space of another process running under the same user context. No privilege escalation required, no kernel drivers needed, no LSASS tampering that triggers behavioral detection. The tool is implemented as a PowerShell class that wraps the native Win32 API and applies regex pattern matching against memory dumps.
The core architecture consists of two primary components: a memory inspector class that handles the ReadProcessMemory() calls, and a collection of regex patterns targeting specific services. The tool scans target processes including Internet Explorer, Chrome, and Firefox by default.
Under the hood, the tool iterates through target processes, allocates buffers, and reads chunks of process memory into PowerShell’s address space. It then applies pre-built regex patterns designed to match authentication POST data, API keys, and credential structures. The included patterns target services including Gmail, Office365, GitHub, AWS, Jira, Citrix NetScaler, Dropbox, Slack, and others listed in the README.
What makes mimikittenz particularly powerful is its extensibility. You can add custom regex patterns on the fly without modifying the core tool:
# Add a custom pattern for a proprietary application
[mimikittenz.MemProcInspector]::AddRegex("CustomCRM","api_token=[a-zA-Z0-9]{32}")
# Target a specific application process
[mimikittenz.MemProcInspector]::InspectManyProcs("iexplore","chrome","firefox","customcrm")The regex patterns are designed to match credential formats in HTTP POST parameters and authentication flows. This works because browsers and applications often hold complete HTTP request bodies in memory during submission, before any encryption happens at the TLS layer. You’re catching credentials at the moment they’re typed, not after they’ve been hashed or encrypted.
Because mimikittenz is pure PowerShell calling native Windows APIs, it can be loaded entirely in memory without touching disk. The tool doesn’t require any external dependencies, DLL injection, or registry modifications—just standard PowerShell and a user account that owns the target processes.
The trade-off for this user-level approach is coverage. You can only read memory from processes running under your user context or processes that haven’t implemented proper memory protection. Modern browsers with sandboxing and protected processes may limit what you can extract. The README notes that once a process is killed, its memory should be cleaned up and become inaccessible, though there are edge cases where this doesn’t happen.
Gotcha
mimikittenz’s effectiveness is entirely dependent on whether applications store credentials in plaintext in memory and whether those processes are actively running when you execute the scan. Modern security-conscious applications increasingly use secure string handling that zeros memory immediately after use, or leverage credential managers that never expose plaintext passwords in application memory.
The tool reads from running process memory, and as the README notes, once a process is killed its memory should be cleaned up and become inaccessible (though edge cases exist). This means you need to scan while target processes are active and potentially while authentication events are occurring or shortly after. Application memory can be ephemeral, with credentials potentially garbage-collected after use.
Additionally, the regex patterns require maintenance—as web services change their authentication endpoints and parameter names, patterns may need updates to remain effective. The tool’s success depends on matching current authentication flows and data structures in memory.
Verdict
Use mimikittenz if you’ve landed initial access on a Windows target without admin rights and need to harvest credentials for lateral movement. It’s particularly valuable in environments with restrictive UAC policies, heavy EDR monitoring that flags admin-required credential dumping tools, or when targeting users who frequently authenticate to cloud services through browsers. The ability to run entirely in memory and extend regex patterns makes it perfect for customizing to your specific target environment. The tool’s user-level operation avoids many common detection mechanisms while still providing access to plaintext credentials from application memory. Consider that effectiveness depends on timing, target application memory handling practices, and whether your regex patterns match current authentication flows. The extensibility through custom regex makes it adaptable to organization-specific applications beyond the built-in targets.
