Mimikatz
Windows post-exploit Swiss Army knife.
Category: Post-exploitation 🎯 Trench — Windows post-exploit Swiss Army knife. Reads LSASS secrets (auth process memory): NTLM hashes, Kerberos keys, TGT tickets. 🔗 Kill chain — Prerequisite: SYSTEM or local admin. Next: Pass-the-Hash, Pass-the-Ticket, Golden Ticket. 📡 Defensive footprint — Critical detection by signature/ behavior in CrowdStrike, Defender for Endpoint, SentinelOne. Touches LSASS →Credential Theft tag. Pure execution is
basically impossible in modern enterprises without AMSI bypass +
LSA Protection bypass.
⚠️ False friend — Downloading mimikatz.exe and running it.
Instant death. Use in-memory variants (reflective
Invoke-Mimikatz) and/or evade AMSI first.
🛡️ Remediation — Credential Guard, LSA Protection (RunAsPPL),
Protected Users group, EDR with behavior tagging (not just
signature).
← Back to the full glossary Last updated: 2026-06-11