I’ve used Mimikatz to extract credentials in several ways, all documented in the linked article. You can use cyber deception to seed false credentials to lead attackers where you want, a good way of knowing you’re being attacked…:
[…] This variety of effective tactics are a good reason to be monitoring for indicators of attack (IOAs). Each of these techniques are an attempt to evade brittle detection approaches that only rely on looking at command line options of the executable to infer its purpose or checking for presence of relevant strings in the binary file.
There are a number of techniques that threat actors can employ to access credential information, but enterprises need a level of visibility that allows defenders to also see new techniques being used, even when those techniques are specifically aimed at evading or subverting detection mechanisms.
Indicators of attack focus on behavioural aspects of attacker techniques rather than only on typical indicators of compromise (IOCs) such as file names, hashes or single command line options. Newer IOA procedures grant a level of visibility that allows defenders to see new techniques being used, even when these are specifically aimed at evading or subverting detection mechanisms. This is because IOAs focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack. […]