mimidrv.sys
Mimikatz kernel driver
mimidrv.sys is the kernel driver component of Mimikatz, an open-source credential extraction tool created by French security researcher Benjamin Delpy. Mimikatz is arguably the single most well-known offensive security tool in the Windows ecosystem. It extracts plaintext passwords, NTLM hashes, and Kerberos tickets from memory, and its kernel driver exists to bypass LSA Protection (RunAsPPL) by zeroing the Protection field in the EPROCESS structure at ring 0.
The driver loads as a WDM kernel driver and is not signed by a recognized vendor certificate. It is on the public LOLDrivers list and tracked in SigmaHQ detection rules. Its presence on a system is a strong indicator of either authorized red-team activity or compromise.
On the public record: a modified version of Mimikatz was a core component of the NotPetya attack in June 2017, which caused an estimated $10 billion in damages globally and remains the costliest cyberattack in recorded history. Criminal data-extortion groups and state-sponsored actors continue to use Mimikatz as a standard post-compromise tool.
mimidrv.sys is not a gaming-related driver and has no legitimate reason to be on a consumer PC. If found, escalate to incident response.
mimidrv.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “mimidrv.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/mimidrv-sys
