Preventing Mimikatz Attacks by Panagiotis Gkatziroulis

Feb 6, 2019

Mimikatz is playing a vital role in every internal penetration test or red team engagement mainly for its capability to extract passwords from memory in clear-text. It is also known that adversaries are using Mimikatz heavily in their operations. Even though that Microsoft introduced a security patch which can be applied even in older operating systems such as Windows 2008 Server still Mimikatz is effective and in a lot of cases it can lead to lateral movement and domain escalation. It should be noted that Mimikatz can only dump credentials and password hashes if it is executed from the context of a privilege user like local administrator.

Debug Privilege

The debug privilege according to Microsoft determines which users can attach a debugger to any process or to the kernel. By default this privilege is given to Local Administrators. However it is highly unlikely that a Local Administrator will need this privilege unless he is a system programmer.

Debug programs privilege — Local Administrators 

In a default installation of Windows Server 2016 the group policy is not defined which means that only Local Administrators have this permission.

Read the rest of this story with a free account.

Already have an account? Sign in

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023