{
	"id": "1997bf36-2308-4797-b5a8-d82699b0767f",
	"created_at": "2026-04-06T00:09:38.352219Z",
	"updated_at": "2026-04-10T03:20:19.410565Z",
	"deleted_at": null,
	"sha1_hash": "664b4459ceef3fbe7ae5cda008d4f838fb76f7ea",
	"title": "Mimikatz Overview, Defenses and Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11496637,
	"plain_text": "Mimikatz Overview, Defenses and Detection\r\nBy: James Mulder\r\nArchived: 2026-04-05 14:02:28 UTC\r\nMimikatz Overview, Defenses and Detection (PDF, 4.15MB)\r\nPublished: 29 Feb, 2016\r\nMimikatz has become an extremely effective attack tool against Windows clients, allowing bad actors to retrieve cleartext passwords, as well as password hashes, from memory. This paper will begin with an overview of Mimikatz's capabilities and payload vectors. Several methods to mitigate the risk posed by Mimikatz will follow, and the paper will conclude with methods that may be used to detect the presence of Mimikatz.\r\nSource: https://www.sans.org/reading-room/whitepapers/intrusion/mimikatz-overview-defenses-detection-36780",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.sans.org/reading-room/whitepapers/intrusion/mimikatz-overview-defenses-detection-36780"
	],
	"report_names": [
		"mimikatz-overview-defenses-detection-36780"
	],
	"threat_actors": [],
	"ts_created_at": 1775434178,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/664b4459ceef3fbe7ae5cda008d4f838fb76f7ea.pdf",
		"text": "https://archive.orkl.eu/664b4459ceef3fbe7ae5cda008d4f838fb76f7ea.txt",
		"img": "https://archive.orkl.eu/664b4459ceef3fbe7ae5cda008d4f838fb76f7ea.jpg"
	}
}