Class 42 Read: Pass the Hash with Mimikatz - taylortommy23/401-Reading-Notes GitHub Wiki

# Name the six credential-gathering techniques which Mimikatz is able to perform and explain how two of them work.

  • Pass-the-hash: Mimikatz reads NTLM password hashes out of LSASS memory and authenticates with the hash directly (for example by starting a process whose network logons use the stolen hash). NTLM challenge-response only ever uses the hash as its key, so the hash is password-equivalent and never needs to be cracked.
  • Pass-the-ticket: Kerberos tickets (TGTs and service tickets) cached in memory are exported and injected into another logon session, so the attacker authenticates to other computers as the ticket's owner without knowing the password or the hash.
  • Overpass-the-hash (pass-the-key): the stolen NTLM hash or AES key of an account is used as that account's Kerberos secret key to request a fresh TGT from the domain controller. The hash is "passed" into Kerberos instead of NTLM, which sidesteps controls that only restrict NTLM.
  • Golden ticket: with the password hash of the domain's KRBTGT account (the key every TGT is encrypted with), the attacker forges a TGT for any user, including a Domain Admin, with any lifetime; the domain controller accepts it because it is encrypted under the correct key. The Varonis article calls this "Kerberoast golden tickets", but Kerberoasting is a separate technique (requesting service tickets and cracking them offline).
  • Silver ticket: a forged service ticket for one service, encrypted with that service account's hash (for a file server's CIFS service, the computer account's hash). It grants access only to that service, but it never touches the domain controller, so no ticket request is logged there.
  • Pass-the-cache: the same idea as pass-the-ticket, but the tickets come from the Kerberos credential cache (ccache) files that Mac/UNIX/Linux systems keep on disk, and are loaded into a Windows logon session.

# What are four ways we can defend against Mimikatz attacks? Explain how two of the mitigations can stop Mimikatz.

  • Restrict admin privileges: Mimikatz needs local administrator rights (or SYSTEM) to read LSASS memory, so grant local admin only to the users who need it, and keep domain admins from logging on to ordinary workstations, where their credentials would be left in memory for Mimikatz to dump.
  • Disable password caching: Windows caches the last 10 domain logons (as hashed credentials in the SECURITY registry hive) so users can sign in while the domain controller is unreachable, and Mimikatz's lsadump::cache dumps them. Set Local Security Policy > Local Policies > Security Options > "Interactive logon: Number of previous logons to cache" to 0 (the registry value is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount). Caveat: laptops that must log on while off the network need at least 1.
  • Turn off debug privilege: Mimikatz runs privilege::debug to enable SeDebugPrivilege, the right that lets a process open LSASS. Remove Administrators from Local Policies > User Rights Assignment > "Debug programs". This raises the bar but is not a hard stop: an attacker who is already a local admin can grant the right back or run as SYSTEM.
  • Configure additional LSA protection: run LSASS as a Protected Process Light by setting RunAsPPL=1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (Windows 8.1/Server 2012 R2 and later), so unsigned user-mode code cannot open it; on Windows 10 Enterprise, Credential Guard goes further and isolates the secrets in a virtualization-protected container. Both can be bypassed by an attacker who gets kernel-level code running (for example through a signed but vulnerable driver), so they complement the admin restrictions above rather than replace them.
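A check for the four mitigations above, as an added example (not from the Varonis article): the audit logic is pure Python over values that, on a real host, come from the registry, a `secedit /export` file and `net localgroup Administrators`; the parsers and the evaluation also run offline against the constructed samples at the bottom, which model a default workstation and the same host after hardening. The allow-list of expected administrators (Administrator and CORP\Domain Admins) is an assumption to adjust per host.

```python
"""Audit the four Mimikatz mitigations on a Windows host.

Added example (not from the Varonis article). collect_windows() gathers live
values (run from an elevated prompt); the constructed samples at the bottom let
the audit run offline.
"""
import os
import subprocess
import sys
import tempfile

# Assumption: accounts that are allowed to be local Administrators on this host.
ADMIN_ALLOWLIST = {"Administrator", "CORP\\Domain Admins"}


def parse_privilege_rights(inf_text):
    """Parse the [Privilege Rights] section of a secedit export,
    e.g. 'SeDebugPrivilege = *S-1-5-32-544,CORP\\svc-backup' -> list of holders."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return rights


def parse_localgroup(net_output):
    """Members in `net localgroup` output are the lines between the dashed rule and the status line."""
    members, in_members = [], False
    for line in net_output.splitlines():
        if line.startswith("---"):
            in_members = True
        elif in_members and line.strip() and not line.startswith("The command completed"):
            members.append(line.strip())
    return members


def audit(cached_logons, run_as_ppl, rights, admins, allowlist=ADMIN_ALLOWLIST):
    """Return one finding per mitigation that is not in place (empty list = all four in place)."""
    findings = []
    # 1. Restrict admin privileges: Mimikatz needs local admin (or SYSTEM) to read LSASS at all.
    extra = sorted(set(admins) - set(allowlist))
    if extra:
        findings.append("unexpected local Administrators: " + ", ".join(extra))
    # 2. Disable credential caching: CachedLogonsCount is a REG_SZ under Winlogon; unset means
    #    the default of 10, and anything above 0 leaves cached hashes for lsadump::cache.
    if cached_logons is None or int(cached_logons) != 0:
        shown = cached_logons if cached_logons is not None else "unset (default 10)"
        findings.append("CachedLogonsCount=%s (want 0)" % shown)
    # 3. Turn off debug privilege: by default *S-1-5-32-544 (BUILTIN\Administrators) holds
    #    SeDebugPrivilege, which privilege::debug enables so Mimikatz can open LSASS.
    holders = rights.get("SeDebugPrivilege", [])
    if holders:
        findings.append("SeDebugPrivilege assigned to " + ", ".join(holders) + " (want nobody)")
    # 4. LSA protection: RunAsPPL=1 runs LSASS as a Protected Process Light.
    if run_as_ppl != 1:
        findings.append("RunAsPPL=%s (want 1)" % run_as_ppl)
    return findings


def collect_windows():
    """Gather live values on Windows and audit them; secedit needs an elevated prompt."""
    import winreg  # Windows-only module, imported here so the parsers and audit run anywhere

    def reg_value(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return None

    cached = reg_value(r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CachedLogonsCount")
    ppl = reg_value(r"SYSTEM\CurrentControlSet\Control\Lsa", "RunAsPPL")
    inf_path = os.path.join(tempfile.gettempdir(), "secpol-export.inf")
    subprocess.run(["secedit", "/export", "/cfg", inf_path, "/areas", "USER_RIGHTS"],
                   check=True, capture_output=True)
    with open(inf_path, encoding="utf-16") as f:  # secedit writes UTF-16LE with a BOM
        rights = parse_privilege_rights(f.read())
    net = subprocess.run(["net", "localgroup", "Administrators"],
                         capture_output=True, text=True, check=True).stdout
    return audit(cached, ppl, rights, parse_localgroup(net))


# Constructed samples: a default-ish workstation, and the same host after hardening.
WEAK_INF = ("[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
            "SeDebugPrivilege = *S-1-5-32-544\nSeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545\n")
WEAK_NET = ("Alias name     Administrators\nComment        Administrators have complete access\n\n"
            "Members\n\n-------------------------------------------------------------------------------\n"
            "Administrator\nCORP\\Domain Admins\nCORP\\helpdesk-temp\nThe command completed successfully.\n")
HARDENED_INF = "[Privilege Rights]\nSeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545\n"


def audit_weak_sample():
    return audit("10", None, parse_privilege_rights(WEAK_INF), parse_localgroup(WEAK_NET))


def audit_hardened_sample():
    return audit("0", 1, parse_privilege_rights(HARDENED_INF), ["Administrator", "CORP\\Domain Admins"])


if __name__ == "__main__":
    results = collect_windows() if sys.platform == "win32" else audit_weak_sample()
    print("\n".join(results) or "all four mitigations in place")
```

On a domain-joined host, expect the weak sample's four findings from a fresh install; a finding on SeDebugPrivilege or RunAsPPL is worth fixing first, since those two are what stand between a local admin and an LSASS dump.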

References:

https://www.varonis.com/blog/what-is-mimikatz