Mimikatz is a crucial tool for conducting internal penetration tests and red team engagements due to its ability to extract passwords from memory in clear-text. Unfortunately, even adversaries have recognized its effectiveness and are using it in their operations. Despite Microsoft’s introduction of a security patch that can be applied to older operating systems like Windows 2008 Server, Mimikatz remains a potent tool that can facilitate lateral movement and domain escalation. However, it’s important to note that Mimikatz can only dump credentials and password hashes if it’s executed from the context of a privileged user, like a local administrator.<\/p>\n\n\n\n
Debug Privilege <\/strong><\/p>\n\n\n\n
Microsoft defines the debug privilege as the permission to attach a debugger to any process or the kernel. By default, this privilege is granted to Local Administrators. However, it’s uncommon for a Local Administrator to require this privilege unless they are a system programmer.<\/p>\n\n\n
\n<\/figure>\n<\/div>\n\n\n
Debug programs privilege \u2014 Local Administrators <\/em><\/p>\n\n\n\n
By default, in a Windows Server 2016 installation, the group policy defining the debug privilege is not enabled, meaning only Local Administrators have this permission. However, from an attacker's perspective, it's possible to check for this privilege using Mimikatz and the following command:<\/pre>\n\n\n\n
Mimikatz needs the debug privilege to interact with processes such as LSASS. Therefore, it’s crucial to grant this privilege only to the specific group of people who require it and remove it from Local Administrators. The SeDebugPrivilege can be disabled by defining the policy with no users or groups.<\/p>\n\n\n\n
Group Policy Management Editor -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Debug programs -> Remove Administrators -> Apply & OK -> A restart required to apply this change.<\/strong><\/pre>\n\n\n
\n<\/figure>\n<\/div>\n\n\n
If the new policy is applied across the domain, an attacker who has escalated their privilege to local administrator will no longer be able to use the debug privilege. Mimikatz will return the following message <\/p>\n\n\n
Mimikatz is a crucial tool for conducting internal penetration tests and red team engagements due to its ability to extract passwords from memory in clear-text. Unfortunately, even adversaries have recognized its effectiveness and are using it in their operations. Despite Microsoft’s introduction of a security patch that can be applied to older operating systems like…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[14,13,6],"class_list":["post-72","post","type-post","status-publish","format-standard","hentry","category-soc","tag-credentials-dumping","tag-mimikatz","tag-soc"],"yoast_head":"\n
Mitigating Mimikatz<\/title>\n<meta name=\"description\" content=\"Microsoft defines the debug privilege as the permission to attach a debugger to any process or the kernel. By default, this privilege is granted to Local Administrators. However, it's uncommon for a Local Administrator to require this privilege unless they are a system programmer. Mitigating Mimikatz Attacks Prevent mimikatz\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Mitigating Mimikatz\" \/>\n<meta property=\"og:description\" content=\"Microsoft defines the debug privilege as the permission to attach a debugger to any process or the kernel. By default, this privilege is granted to Local Administrators. However, it's uncommon for a Local Administrator to require this privilege unless they are a system programmer. Mitigating Mimikatz Attacks Prevent mimikatz\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"Sina Mohebi\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-25T10:19:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-27T17:21:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/Untitled-1024x584.jpg\" \/>\n<meta name=\"author\" content=\"Sina\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sina\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/\"},\"author\":{\"name\":\"Sina\",\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\"},\"headline\":\"Mitigating Mimikatz Attacks\",\"datePublished\":\"2023-05-25T10:19:15+00:00\",\"dateModified\":\"2023-05-27T17:21:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/\"},\"wordCount\":243,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\"},\"image\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/Untitled-1024x584.jpg\",\"keywords\":[\"credentials dumping\",\"mimikatz\",\"SOC\"],\"articleSection\":[\"SOC\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/\",\"url\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/\",\"name\":\"Mitigating Mimikatz\",\"isPartOf\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/Untitled-1024x584.jpg\",\"datePublished\":\"2023-05-25T10:19:15+00:00\",\"dateModified\":\"2023-05-27T17:21:42+00:00\",\"description\":\"Microsoft defines the debug privilege as the permission to attach a debugger to any process or the kernel. By default, this privilege is granted to Local Administrators. However, it's uncommon for a Local Administrator to require this privilege unless they are a system programmer. Mitigating Mimikatz Attacks Prevent mimikatz\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#primaryimage\",\"url\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/Untitled.jpg\",\"contentUrl\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/Untitled.jpg\",\"width\":1820,\"height\":1038},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.sinamohebi.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mitigating Mimikatz Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.sinamohebi.com\/#website\",\"url\":\"https:\/\/blog.sinamohebi.com\/\",\"name\":\"Sina Mohebi's Blog\",\"description\":\"Home for Security analysts\",\"publisher\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.sinamohebi.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd\",\"name\":\"Sina\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/blog-logo.png\",\"contentUrl\":\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/blog-logo.png\",\"width\":1196,\"height\":842,\"caption\":\"Sina\"},\"logo\":{\"@id\":\"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/image\/\"},\"sameAs\":[\"https:\/\/blog.sinamohebi.com\",\"https:\/\/www.linkedin.com\/in\/sinamohebi\/\"],\"url\":\"https:\/\/blog.sinamohebi.com\/index.php\/author\/sina\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Mitigating Mimikatz","description":"Microsoft defines the debug privilege as the permission to attach a debugger to any process or the kernel. By default, this privilege is granted to Local Administrators. However, it's uncommon for a Local Administrator to require this privilege unless they are a system programmer. Mitigating Mimikatz Attacks Prevent mimikatz","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/","og_locale":"en_US","og_type":"article","og_title":"Mitigating Mimikatz","og_description":"Microsoft defines the debug privilege as the permission to attach a debugger to any process or the kernel. By default, this privilege is granted to Local Administrators. However, it's uncommon for a Local Administrator to require this privilege unless they are a system programmer. Mitigating Mimikatz Attacks Prevent mimikatz","og_url":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/","og_site_name":"Sina Mohebi","article_published_time":"2023-05-25T10:19:15+00:00","article_modified_time":"2023-05-27T17:21:42+00:00","og_image":[{"url":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/Untitled-1024x584.jpg","type":"","width":"","height":""}],"author":"Sina","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Sina","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#article","isPartOf":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/"},"author":{"name":"Sina","@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd"},"headline":"Mitigating Mimikatz Attacks","datePublished":"2023-05-25T10:19:15+00:00","dateModified":"2023-05-27T17:21:42+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/"},"wordCount":243,"commentCount":0,"publisher":{"@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd"},"image":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/Untitled-1024x584.jpg","keywords":["credentials dumping","mimikatz","SOC"],"articleSection":["SOC"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/","url":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/","name":"Mitigating Mimikatz","isPartOf":{"@id":"https:\/\/blog.sinamohebi.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#primaryimage"},"image":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/Untitled-1024x584.jpg","datePublished":"2023-05-25T10:19:15+00:00","dateModified":"2023-05-27T17:21:42+00:00","description":"Microsoft defines the debug privilege as the permission to attach a debugger to any process or the kernel. By default, this privilege is granted to Local Administrators. However, it's uncommon for a Local Administrator to require this privilege unless they are a system programmer. Mitigating Mimikatz Attacks Prevent mimikatz","breadcrumb":{"@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#primaryimage","url":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/Untitled.jpg","contentUrl":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/Untitled.jpg","width":1820,"height":1038},{"@type":"BreadcrumbList","@id":"https:\/\/blog.sinamohebi.com\/index.php\/2023\/05\/25\/mitigating-mimikatz-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.sinamohebi.com\/"},{"@type":"ListItem","position":2,"name":"Mitigating Mimikatz Attacks"}]},{"@type":"WebSite","@id":"https:\/\/blog.sinamohebi.com\/#website","url":"https:\/\/blog.sinamohebi.com\/","name":"Sina Mohebi's Blog","description":"Home for Security analysts","publisher":{"@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.sinamohebi.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/575343750c06d8fbdc957140756823dd","name":"Sina","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/image\/","url":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/blog-logo.png","contentUrl":"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/blog-logo.png","width":1196,"height":842,"caption":"Sina"},"logo":{"@id":"https:\/\/blog.sinamohebi.com\/#\/schema\/person\/image\/"},"sameAs":["https:\/\/blog.sinamohebi.com","https:\/\/www.linkedin.com\/in\/sinamohebi\/"],"url":"https:\/\/blog.sinamohebi.com\/index.php\/author\/sina\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/posts\/72","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/comments?post=72"}],"version-history":[{"count":7,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/posts\/72\/revisions"}],"predecessor-version":[{"id":102,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/posts\/72\/revisions\/102"}],"wp:attachment":[{"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/media?parent=72"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/categories?post=72"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.sinamohebi.com\/index.php\/wp-json\/wp\/v2\/tags?post=72"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/Untitled-1024x584.jpg\")
<\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/image.png\")
<\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/blog.sinamohebi.com\/wp-content\/uploads\/2023\/05\/image-1.png\")
<\/figure>\n<\/div>","protected":false},"excerpt":{"rendered":"