Mimikatz

Mimikatz taxonomy generated by the site skill importer.

7 skills
extracting-credentials-from-memory-dump

by mukul975

The extracting-credentials-from-memory-dump skill helps analyze Windows memory dumps for NTLM hashes, LSA secrets, Kerberos material, and tokens using Volatility 3 and pypykatz workflows. It is built for Digital Forensics and incident response when you need defensible evidence, account impact, and remediation guidance from a valid dump.

Digital Forensics
detecting-mimikatz-execution-patterns

by mukul975

detecting-mimikatz-execution-patterns helps analysts detect Mimikatz execution using command-line patterns, LSASS access signals, binary indicators, and memory artifacts. Install the detecting-mimikatz-execution-patterns skill for Security Audit, hunting, and incident response; it comes with templates, references, and workflow guidance.

Security Audit
detecting-golden-ticket-forgery

by mukul975

detecting-golden-ticket-forgery detects Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769, RC4 downgrade use (0x17), abnormal ticket lifetimes, and krbtgt anomalies in Splunk and Elastic. Built for Security Audit, incident investigation, and threat hunting with practical detection guidance.

Security Audit
detecting-credential-dumping-techniques

by mukul975

The detecting-credential-dumping-techniques skill helps you detect LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules. It is built for threat hunting, detection engineering, and Security Audit workflows.

Security Audit
deploying-active-directory-honeytokens

by mukul975

deploying-active-directory-honeytokens helps defenders plan and generate Active Directory honeytokens for Security Audit work, including fake privileged accounts, fake SPNs for Kerberoasting detection, decoy GPO traps, and deceptive BloodHound paths. It pairs installation-oriented guidance with scripts and telemetry cues for practical deployment and review.

Security Audit
conducting-pass-the-ticket-attack

by mukul975

conducting-pass-the-ticket-attack is a Security Audit and red-team skill for planning and documenting Pass-the-Ticket workflows. It helps you review Kerberos tickets, map detection signals, and produce a structured validation or report flow.

Security Audit
conducting-domain-persistence-with-dcsync

by mukul975

conducting-domain-persistence-with-dcsync is a guide for authorized Active Directory security audit work. It covers install, usage, and workflow notes for assessing DCSync rights, KRBTGT exposure, Golden Ticket risk, and remediation steps using the included scripts, references, and report template.

Security Audit