The ability of Mimikatz to extract the NTLM hash of users at runtime from Windows has always fascinated me. Although alternatives exist (as explored in previous blog posts), there may still be situations during Red Team engagements where live credential extraction from LSASS is wanted. In those situations, defense evasion tactics such as heavily modifying Mimikatz or using another implementation of Mimikatz are common.