Pass the Hash with Mimikatz - focodecided/ops401-cybersecurity GitHub Wiki

Name the six credential-gathering techniques which Mimikatz is able to perform and explain how two of them work.

The six credential-gathering techniques that Mimikatz can perform are:

  • Pass-the-hash
  • Pass-the-ticket
  • Overpass-the-hash (pass-the-key)
  • Kerberoast golden tickets
  • Kerberoast silver tickets
  • Pass-the-cache

Explanation of Pass-the-hash:

Windows used to store password data in an NTLM hash. Attackers use Mimikatz to pass that exact hash string to the target computer to log in. Attackers don't even need to crack the password — they just need to use the hash string as-is. It's the equivalent of finding the master key to a building on the lobby floor. You need just that one key to get into all the doors.

Explanation of Kerberoast golden tickets:

This is a pass-the-ticket attack, but it's a specific ticket for a hidden account called KRBTGT, which is the account that encrypts all of the other tickets. A golden ticket provides you with non-expiring domain admin credentials to any computer on the network.

What are four ways we can defend against Mimikatz attacks? Explain how two of the mitigations can stop Mimikatz.

Four ways to defend against Mimikatz attacks are:

  • Restrict admin privileges
  • Disable password-caching
  • Turn off debug privileges
  • Configure additional local security authority (LSA) protection

Explanation of how disabling password-caching can stop Mimikatz:

Windows caches recently used password hashes in its registry. Mimikatz can then read these cached hashes, which is why it's important to change the default setting so that zero recent passwords are cached. This prevents Mimikatz from obtaining the cached password hashes.
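As an added example (not from this wiki or the Varonis post), the following PowerShell audits two of the mitigations above that are backed by registry values: the cached-logon count and LSA protection. The function name Test-MimikatzMitigations and the hashtable layout are my own; the registry paths and value names are the standard Windows ones.

```powershell
# Added audit example: report whether the cached-logon and LSA-protection
# mitigations are set to their hardened values. Run from an elevated prompt.

$Checks = @(
    @{
        Name     = 'Cached logons (CachedLogonsCount)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Value    = 'CachedLogonsCount'
        Expected = '0'      # REG_SZ; the Windows default is "10"
        Type     = 'String'
    },
    @{
        Name     = 'LSA protection (RunAsPPL)'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Value    = 'RunAsPPL'
        Expected = 1        # REG_DWORD; absent or 0 means LSASS is not a protected process
        Type     = 'DWord'
    }
)

function Test-MimikatzMitigations {
    [CmdletBinding()]
    param([switch]$Remediate)   # -Remediate writes the hardened value when a check fails

    foreach ($c in $Checks) {
        # A missing value comes back as $null instead of throwing
        $current   = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $compliant = ($null -ne $current) -and ("$current" -eq "$($c.Expected)")

        if (-not $compliant -and $Remediate) {
            # RunAsPPL only takes effect after a reboot; test it first, because
            # LSA plugins that are not signed for protected-process use will stop loading.
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type $c.Type
            $current   = $c.Expected
            $compliant = $true
        }

        [pscustomobject]@{
            Setting   = $c.Name
            Current   = if ($null -eq $current) { '<not set>' } else { $current }
            Expected  = $c.Expected
            Compliant = $compliant
        }
    }
}

Test-MimikatzMitigations | Format-Table -AutoSize
```

Setting CachedLogonsCount to 0 means a domain-joined laptop cannot log on with domain credentials while off the network, so it is usually applied to servers and tightly controlled workstations rather than every device.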

Source:

https://www.varonis.com/blog/what-is-mimikatz

Things I want to learn more about