Last updated: April 29, 2026
Mimikatz is the tool that defined modern Windows credential attacks. The 2011 research paper by Benjamin Delpy that accompanied it single-handedly changed how the security community thinks about Windows authentication. This module covers what Mimikatz does, how defenders catch it, and why Credential Guard matters.
What it extracts
Mimikatz reads credentials from process memory (primarily LSASS — Local Security Authority Subsystem Service) and from local SAM/SECRETS registry hives. Specifically:
- NTLM hashes of logged-in users (from LSASS)
- Plaintext passwords if WDigest is enabled (legacy — disabled by default in modern Windows)
- Kerberos tickets — TGT and service tickets
- Certificates and their private keys from the cert store
- Local SAM password hashes
- Cached domain credentials (MSCACHE)
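A defender-side check for the items above, as an added example that is not part of the original module: a read-only PowerShell audit of the settings that decide whether WDigest plaintext, LSASS-resident secrets and cached domain logons are exposed on a host. The function names are hypothetical, and the LSA protection (RunAsPPL) check goes beyond what the module lists; the registry paths and the `Win32_DeviceGuard` class are standard Windows ones.

```powershell
# Added example: read-only audit of settings tied to the credential types listed above.
# Function names are hypothetical; registry paths and the CIM class are standard Windows ones.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-CredentialExposureAudit {
    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # WDigest: 1 keeps plaintext passwords in LSASS memory; absent means the OS default applies
    $wdigest = Get-RegValue $wdigestKey 'UseLogonCredential'
    $wdigestState = if ($null -eq $wdigest) { 'NotSet (OS default)' } elseif ($wdigest -eq 1) { 'Enabled' } else { 'Disabled' }

    # Credential Guard: service id 1 in SecurityServicesRunning means it is actually running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    # LSA protection (RunAsPPL): a non-zero value configures LSASS as a protected process
    $ppl = Get-RegValue $lsaKey 'RunAsPPL'
    $pplConfigured = ($null -ne $ppl) -and ($ppl -ne 0)

    # MSCACHE: number of cached domain logons kept on disk (REG_SZ, Windows default is 10)
    $cached = Get-RegValue $winlogon 'CachedLogonsCount'
    if ($null -eq $cached) { $cached = '10 (default, value not set)' }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        WDigestPlaintext        = $wdigestState
        CredentialGuardRunning  = $cgRunning
        LsaProtectionConfigured = $pplConfigured
        CachedLogonsCount       = $cached
        NeedsReview             = ($wdigestState -eq 'Enabled') -or (-not $cgRunning) -or (-not $pplConfigured)
    }
}

Get-CredentialExposureAudit | Format-List
```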