Mimikatz: LSASS Dump

Extract Credentials from Memory

Mimikatz extracts plaintext passwords, NTLM hashes, and Kerberos tickets directly from LSASS process memory on a compromised host.

Intermediate | ~5 min | T1003.001

Prerequisites:
- Local administrator on target host
- Mimikatz.exe or equivalent tool
- Debug privileges (SeDebugPrivilege)
1. Launch Mimikatz with Elevated Privileges

Step 1 of 4: Launch Mimikatz

Mimikatz is the single most impactful offensive security tool in AD history. Created by Benjamin Delpy in 2011, it demonstrated that Windows stores credentials in memory in extractable ways.

We are launching the Mimikatz tool on a machine where we already have administrator access. Think of it like opening a locksmith's toolkit — the real work happens in the next steps.

Detection Events
- 4688: Process creation (mimikatz.exe)
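
A triage of the 4688 event listed above, as an added example that is not part of the original page: it parses Security-log event XML, flags process creations whose image name is mimikatz.exe, and rates launches with a full or elevated token higher. The sample events, host and user names are constructed, and a filename match is only a baseline because the prerequisites allow an "equivalent tool".

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED_IMAGES = {"mimikatz.exe"}  # image name from the detection note above
# TokenElevationType values as logged in event 4688
ELEVATION = {"%%1936": "full", "%%1937": "elevated", "%%1938": "limited"}

# Constructed sample events: host, users and paths are made up for the example.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID><Computer>WS01.example.test</Computer></System>"
    '<EventData><Data Name="SubjectUserName">{user}</Data>'
    '<Data Name="NewProcessName">{image}</Data>'
    '<Data Name="TokenElevationType">{tok}</Data>'
    '<Data Name="ParentProcessName">C:\\Windows\\System32\\cmd.exe</Data>'
    "</EventData></Event>"
)
SAMPLES = [
    TEMPLATE.format(eid=4688, user="alice", image=r"C:\Tools\mimikatz.exe", tok="%%1937"),
    TEMPLATE.format(eid=4688, user="alice", image=r"C:\Windows\System32\notepad.exe", tok="%%1938"),
    TEMPLATE.format(eid=4688, user="bob", image=r"C:\Users\bob\MIMIKATZ.EXE", tok="%%1938"),
    TEMPLATE.format(eid=4624, user="alice", image=r"C:\Tools\mimikatz.exe", tok="%%1937"),
]

def parse_4688(xml_text):
    """Return the fields of a 4688 event as a dict, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    fields = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    fields["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return fields

def triage(xml_text):
    """Return an alert dict when a watched image was started, else None."""
    f = parse_4688(xml_text)
    # ntpath handles Windows paths on any OS; the comparison is case-insensitive.
    if f is None or ntpath.basename(f.get("NewProcessName", "")).lower() not in WATCHED_IMAGES:
        return None
    token = ELEVATION.get(f.get("TokenElevationType"), "unknown")
    # A full or elevated token matches the "local administrator" prerequisite.
    severity = "high" if token in ("full", "elevated") else "medium"
    return {"host": f["Computer"], "user": f.get("SubjectUserName", ""),
            "image": f["NewProcessName"], "parent": f.get("ParentProcessName", ""),
            "token": token, "severity": severity}

def scan(events):
    return [alert for alert in map(triage, events) if alert]
```

Calling `scan(SAMPLES)` returns one alert per matching 4688 event; feed it the XML rendering of events exported from the Security log.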
Attack Flow
[Diagram: Attacker (Local Admin), Compromised Workstation, Domain Controller, Mimikatz. Legend: Request, Response, Attack, Data.]

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.