Mimikatz / responder mitigation

  • Last Post 14 September 2015
Ravi.Sabharanjak posted this 11 September 2015

Hi all,
I wanted to ask what mitigation steps you are taking against someone escalating their privileges using some of the tools available such as responder and mimikatz. Seems fairly trivial for someone to become DA with the help of these and then walk off with the DIT etc..
(Something beyond being up to date on security patches - that's not going to nullify such an attack..)
thanks and regards,-Ravi

Order By: Standard | Newest | Votes
kennedyjim posted this 11 September 2015

I’ll start with the easiest and most effective. Mimikatz needs system or local admin to run.  Regular users should have neither. There was a POC at DefCon of

using it via a remote shell to get the currently logged in user who is not a local admin. But it couldn’t get beyond that.  Hopefully no one with DA is logging in locally on anything that could possibly give up a shell.


My feelings on these advanced attacks are pretty well known.  It’s like Mortal Kombat, Mimikatz is the finishing move in the game, you have already lost. You

have to stop phishing, local admin, the ability to pop a remote/local shell….all of those smaller details that are used to get a foot in the door.



RobinG posted this 11 September 2015

Hi Ravi,

I would suggest to start of with taking a look at the document Mitigating Pass The Hash and other Credential Theft.



Robin, MS PFE

Sent from my Windows Phone


RickSheikh posted this 11 September 2015

I would also suggest taking a look at LAPS https://www.microsoft.com/en-us/download/details.aspx?id=46899 as one piece to the possible mitigations. As well as this blog http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx


darren posted this 11 September 2015

I really like some of the stuff Snover & co. have done around PowerShell constrained endpoints and DSC for configuring “Just Enough Administration (JEA)” and

creating safe harbors. This video starts to talk about it but there’s more stuff on the MS site:







danj posted this 14 September 2015

It is pretty cool, although WMF 5.0 seems to have been in preview for ever. Looks like I missed this a couple of weeks back though: They released the ‘production

preview’ (almost GA) on 31st August which means it is supportable (couldn’t really use an unsupported preview for production security controls).








darren posted this 14 September 2015

My understanding is that WMF 5.0 will ship in October (officially) although JEA is not dependent upon WMF 5. They were showing it in 4 as well. It is a bit

disconcerting that they essentially shipped a “non-production” version of WMF and Powershell in Windows 10, but that’s the new CICD world in which we live I suppose