Skip to main content

Mimikatz

Windows post-exploit Swiss Army knife.

Category: Post-exploitation 🎯 Trench — Windows post-exploit Swiss Army knife. Reads LSASS secrets (auth process memory): NTLM hashes, Kerberos keys, TGT tickets. 🔗 Kill chain — Prerequisite: SYSTEM or local admin. Next: Pass-the-Hash, Pass-the-Ticket, Golden Ticket. 📡 Defensive footprint — Critical detection by signature/ behavior in CrowdStrike, Defender for Endpoint, SentinelOne. Touches LSASS → Credential Theft tag. Pure execution is basically impossible in modern enterprises without AMSI bypass + LSA Protection bypass. ⚠️ False friend — Downloading mimikatz.exe and running it. Instant death. Use in-memory variants (reflective Invoke-Mimikatz) and/or evade AMSI first. 🛡️ Remediation — Credential Guard, LSA Protection (RunAsPPL), Protected Users group, EDR with behavior tagging (not just signature).
Back to the full glossary Last updated: 2026-06-11