401 Reading 42 - marsecguy/reading-notes-cyberops GitHub Wiki
Mimikatz
-
Name the six credential-gathering techniques which Mimikatz is able to perform and explain how two of them work.
- Pass-the-hash
- Pass-the-ticket
- Overpass-the-hash (pass-the-key)
- Kerberos golden ticket (not "Kerberoast"; Kerberoasting is a separate attack on service-account password hashes)
- Kerberos silver ticket
- Pass-the-cache
Pass-the-hash takes the NT hash of a user's password (dumped from LSASS memory on a machine where that user has logged on) and uses it to authenticate to the target machine over NTLM without ever knowing the password. It works because NTLM never sends or checks the password itself: the client only proves that it holds the hash, so the hash is as good as the password. Pass-the-cache is the equivalent of pass-the-ticket on Mac, UNIX and Linux: instead of pulling Kerberos tickets out of a Windows process, it reuses the tickets those systems keep in their credential cache (the ccache file) after a domain logon.
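To show why the hash alone is enough, here is an added example (not from these notes or the Varonis article): a small NTLMv2 computation where the legitimate client starts from the password and an "attacker" starts from nothing but the NT hash, and both produce the same proof the server checks. The user, domain and password are the MS-NLMP test-vector identities; the NT hash literal, server challenge, client nonce and target-info blob are constructed or copied from that spec purely for illustration. MD4 is implemented by hand because many OpenSSL 3 builds disable it in hashlib.

```python
"""NTLM proves possession of the NT hash, never the password (illustration only)."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used because hashlib may not expose md4."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                # Each step updates one word; the roles then rotate (ABCD -> DABC -> ...).
                a, b, c, d = d, rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). This is what Mimikatz dumps from LSASS or the SAM."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over upper(user)+domain. No password needed."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pairs(pairs: dict) -> bytes:
    """Build the AV_PAIR target-info list (AvId, AvLen, value) terminated by MsvAvEOL."""
    out = b""
    for av_id, value in pairs.items():
        v = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(v)) + v
    return out + struct.pack("<HH", 0, 0)


def client_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The NTLMv2 'temp' blob: version 0x0101, 6 zero bytes, time, client nonce, 4 zeros, AV pairs, 4 zeros."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr, the 16 bytes the server recomputes and compares. Derived from the hash only."""
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()


def pass_the_hash_demo() -> bool:
    """True if a party holding only the NT hash produces the exact proof the real client would."""
    user, domain = "User", "Domain"
    # Legitimate client: knows the password and derives the hash itself.
    legit_nt = nt_hash("Password")
    # Attacker: never sees the password; this literal is the NT hash of "Password" (MS-NLMP),
    # standing in for a hash lifted from LSASS.
    stolen_nt = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")

    server_challenge = bytes.fromhex("0123456789abcdef")              # constructed server nonce
    blob = client_blob(0, b"\xaa" * 8, av_pairs({2: "Domain", 1: "Server"}))  # constructed blob

    legit = ntlmv2_response(legit_nt, user, domain, server_challenge, blob)
    forged = ntlmv2_response(stolen_nt, user, domain, server_challenge, blob)
    # The server (or DC) also stores only the NT hash, so it accepts both identically.
    server_accepts = ntlmv2_response(stolen_nt, user, domain, server_challenge, blob) == forged
    return legit == forged and server_accepts
```

The point to take away is that nothing in the exchange depends on the password once the NT hash exists; that is why dumping LSASS is equivalent to stealing the password for NTLM, and why the defenses below concentrate on keeping the hash out of memory and out of reach rather than on password complexity.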
-
What are four ways we can defend against Mimikatz attacks. Explain how two of the mitigations can stop Mimikatz.
- Change admin privileges
- Change caching policy
- Turn off debugging privileges
- Increase Local Security Authority (LSA) protection (run LSASS as a protected process; Credential Guard on newer builds)
Changing admin privileges means not handing everyday users local admin rights and not letting domain admins log on to ordinary workstations. Mimikatz needs administrator (or SYSTEM) rights plus SeDebugPrivilege to open LSASS memory, so fewer admins means fewer machines where it can run at all, and fewer privileged accounts whose credentials end up resident in memory on a compromised host. Changing the caching policy means setting "Interactive logon: Number of previous logons to cache" (CachedLogonsCount) to 0, or as low as the environment tolerates, so Windows no longer keeps domain logon verifiers on disk; there is then nothing for Mimikatz's cache-dumping module to read, and no cached verifier to crack offline. The other two work on the same principle: removing the "Debug programs" user right (SeDebugPrivilege) from administrators breaks Mimikatz's normal route to an LSASS handle, and LSA protection stops even an admin-level user-mode process from reading LSASS memory.
Source: Varonis