Mimikatz Cheatsheet

TL;DR Mimikatz cheatsheet of things I have found useful in CRTP and the lab.

Welcome to Part I of our cheatsheet series compiled from various courses, labs, stuff we did at work, Google, etc. Most of this was spread out over various howtos. This puts it all in one place. These are cheatsheets, almost no explanation is given, just commands. The links are to howtos that provide background.

Part I: Mimikatz cheatsheet

Part II: Set-Acl cheatsheet

Part III: Get-Acl cheatsheet

Part IV: Enumerating AD cheatsheet

Background

Yes, this info is out there already, most notably Sean Metcalf’s Guide to Mimikatz. This is just my personal cheatsheet for Mimikatz compiled from my notes taken during various labs, the CRTP course, etc.

Please note that I was using Invoke-Mimikatz.ps1 most of the time, therefore my cheatsheet is heavy on commands in that syntax. Generally speaking, if you’re using the *.exe then just run what is inside the quotes. I am also partial to PowerShell_ISE.

Please note that you can run multiple commands with Invoke-Mimikatz.ps1 by simply enclosing the entire thing in single quotes and each command in double quotes. Example:

Please note that Medium often mangles quotations, even in codeblocks. If you copy/paste a command and get an error then re-type the quotes in the CLI.

Running Mimikatz at all

Defender will block an unaltered copy of Mimikatz. Please do NOT rely on this alone in the workplace. Mimikatz is open source and freely available, therefore a dedicated attacker will simply modify it enough to not trip Defender. These researchers did it just to prove a point. Therefore focus on denying an attacker the rights needed to dump credentials. Failing that, focus on basic security hygiene so there isn’t anything usable in the dump.

With that disclaimer out of the way, here is how I have used Mimikatz in labs, CRTP, etc.

Launch PowerShell as admin, add a folder exception to Defender, and turn off real-time monitoring:

Alternatively you can often get away with just running the AMSI bypass if you can’t turn off Defender. I have used this tactic with PowerView and PowerUp in the past:

Bypassing LSA protection

Additionally, if Mimikatz has an issue with LSA protection, this can be disabled by the local admin. If this issue occurs you will likely see something along the lines of:

ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

This protection can be disabled by loading a Mimikatz driver, and credentials can then be dumped.

!+
!processprotect /process:lsass.exe /remove
privilege::debug
sekurlsa::logonpasswords
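The two sections above depend on three host settings being weak: Defender real-time monitoring off, a Defender path exclusion available, and lsass.exe not running as a protected process. The following audit function is an added example and not part of the original cheatsheet; it reports those three conditions from the defender's side so you can confirm the mitigations the "Running Mimikatz at all" section recommends are actually in place. It assumes the Defender PowerShell module is present (Windows 10 / Server 2016 and later) and that it is run elevated; the function name Get-CredentialDumpExposure is my own.

```powershell
# Added audit example (not from the original post). Reports host conditions that
# make an unaltered credential dump possible: Defender real-time protection off,
# Defender path exclusions, and LSA protection (RunAsPPL) not enabled.
# Assumes: elevated session, Defender module available, Windows 10/2016+.

function Get-CredentialDumpExposure {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Defender real-time protection state
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $mp) {
        $findings.Add('Defender status unavailable (module missing or service stopped)')
    } elseif (-not $mp.RealTimeProtectionEnabled) {
        $findings.Add('Defender real-time protection is OFF')
    }

    # 2. Defender path exclusions: any excluded folder is somewhere an unmodified
    #    binary can be dropped and run without being scanned.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref -and $pref.ExclusionPath) {
        foreach ($p in $pref.ExclusionPath) {
            $findings.Add("Defender path exclusion present: $p")
        }
    }

    # 3. LSA protection. RunAsPPL = 1 enables it (UEFI-locked where supported),
    #    2 enables it without the UEFI lock; missing or 0 means lsass.exe is not
    #    a protected process and the "Bypassing LSA protection" step is unnecessary.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    if (-not $runAsPpl) {
        $findings.Add('LSA protection (RunAsPPL) is not enabled')
    }

    # 4. Local Administrators membership: local admin is the right every dump in
    #    this cheatsheet needs, so list who holds it for review.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($a in $admins) {
        $findings.Add("Local Administrators member: $($a.Name) [$($a.ObjectClass)]")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Exposed      = ($findings | Where-Object { $_ -notlike 'Local Administrators member:*' }).Count -gt 0
        Findings     = $findings
    }
}

# Usage (elevated PowerShell):
#   Get-CredentialDumpExposure | Format-List
```

The Administrators listing is informational rather than a finding, which is why `Exposed` ignores it; membership of Domain Admins in a domain-joined box's local Administrators group is normal, while a stray user account or a nested group you do not recognise is what to look for.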

Dumping creds with Mimikatz

This is normally required first if running Mimikatz locally:

Please note that ‘logonpasswords’ lists everything except Credential Manager, as I found out once.

List the sekurlsa commands:

Check Credential Manager for things like saved RDP passwords:

If you are using mimikatz.exe:

Pass-The-Hash (PTH) with Mimikatz

Explanation, lab demo, and mitigations are here.

PTH and launch PowerShell_ISE as that user:

Pass-The-Ticket (PTT) with Mimikatz

Explanation, lab demo, and mitigations are here.

Export & list tickets:

Copy/paste the name of the ticket to elevate with, then:

Confirm privileges:

Show tickets currently in use:

If you are having issues or getting weird errors, purge tickets and try again:

Dump creds remotely with Mimikatz

This only requires that you are running as a Domain User who has local admin rights on the remote system.

DCSync

Explanation & lab demo here.

Grab the krbtgt NTLM

Forge a Golden Ticket using krbtgt hash & domain SID:

Alternatively, save the ticket for future use:

Forge a ticket to use in a trusting domain

In this case we have compromised a child domain and want to escalate to the parent domain. There is a trust relationship between them.

Load the ticket and start using privs in the parent domain:
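The Pass-The-Ticket and Golden Ticket sections above both end with a forged or injected ticket sitting in the current logon session, and the klist command referenced at the end of the post is the native way to list it. The function below is an added example, not part of the original cheatsheet: it parses klist output and flags TGTs whose lifetime exceeds the domain's MaxTicketAge (10 hours by default), which is the most visible tell of a forged ticket. The `$sample` text is constructed to look like klist output and is not captured from a real host; the function name Find-SuspiciousTicket is my own.

```powershell
# Added detection example (not from the original post). Parses klist output and
# flags Kerberos TGTs whose lifetime exceeds the domain maximum ticket age.
# Assumes klist's date format matches the current culture (it does on the host
# that produced the output). The sample block below is constructed.

function Find-SuspiciousTicket {
    param(
        [Parameter(Mandatory)][string[]]$KlistOutput,
        [int]$MaxTicketAgeHours = 10   # domain default MaxTicketAge; adjust to policy
    )

    $tickets = @()
    $current = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^#\d+>\s+Client:\s+(.+)$') {
            if ($current) { $tickets += $current }
            $current = [ordered]@{ Client = $Matches[1].Trim(); Server = ''; Start = $null; End = $null }
        } elseif ($current -and $line -match '^\s*Server:\s+(.+)$') {
            $current.Server = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*Start Time:\s+(.+?)\s+\(local\)') {
            $current.Start = [datetime]::Parse($Matches[1])
        } elseif ($current -and $line -match '^\s*End Time:\s+(.+?)\s+\(local\)') {
            $current.End = [datetime]::Parse($Matches[1])
        }
    }
    if ($current) { $tickets += $current }

    foreach ($t in $tickets) {
        if ($t.Server -notlike 'krbtgt/*') { continue }   # TGTs only; service tickets inherit from them
        if ($t.Start -and $t.End) {
            $life = $t.End - $t.Start
            [pscustomobject]@{
                Client        = $t.Client
                Server        = $t.Server
                LifetimeHours = [math]::Round($life.TotalHours, 1)
                Suspicious    = $life.TotalHours -gt $MaxTicketAgeHours
            }
        }
    }
}

# Constructed sample: one normal 10-hour TGT and one with a 10-year lifetime.
$sample = @'
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ LAB.LOCAL
        Server: krbtgt/LAB.LOCAL @ LAB.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 5/10/2024 9:12:43 (local)
        End Time:   5/10/2024 19:12:43 (local)
        Renew Time: 5/17/2024 9:12:43 (local)

#1>     Client: administrator @ LAB.LOCAL
        Server: krbtgt/LAB.LOCAL @ LAB.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 5/10/2024 9:15:00 (local)
        End Time:   5/8/2034 9:15:00 (local)
        Renew Time: 5/8/2034 9:15:00 (local)
'@ -split "`r?`n"

Find-SuspiciousTicket -KlistOutput $sample | Format-Table

# Against the live session:
#   Find-SuspiciousTicket -KlistOutput (klist)
```

On the sample, ticket #0 reports roughly 10 hours and is not flagged, while #1 reports about 87,600 hours and is. Running it against `(klist)` on a host checks the current logon session only; the same check applied to a ticket file before it is used elsewhere is what makes the "save the ticket for future use" step above detectable.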

References

Benjamin Delpy’s github with Mimikatz: https://github.com/ParrotSec/mimikatz

Sean Metcalf’s guide to Mimikatz: https://adsecurity.org/?page_id=1821

Microsoft Docs on klist: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.