Mimikatz
About Modules and Commands
Modules -
crypto - deals with the Microsoft CryptoAPI / CNG "crypto magic" world (certificates, keys, providers).
dpapi - the Data Protection API module. It works on DPAPI blobs, masterkey files and the domain backup key instead of reading LSASS memory, which makes it a more opsec-friendly option for recovering credentials.
event - deals with the Windows Event logs (to clear footprints after a compromise).
kerberos - deals with Kerberos tickets and keys (requesting, listing, forging and injecting tickets).
lsadump - contains some of the best-known Mimikatz functionality, such as DCSync, DCShadow and dumping of the SAM and LSA secrets.
misc - the miscellaneous module, which contains functionality such as PetitPotam, PrintNightmare, the RPC Print Spooler coercion and others.
net - some functionality in this module mirrors the Windows net commands. Enumerating sessions and servers configured with the different types of Kerberos delegation is also included.
privilege - deals with Windows privileges. It includes the favourite debug privilege (SeDebugPrivilege), which holds the keys to LSASS.
process - deals with Windows processes. It can also be used for process injection and parent process spoofing.
rpc - the Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely.
sekurlsa - the most beloved module of Mimikatz. Even the maker of Mimikatz (Benjamin Delpy) has mentioned in the past that one day people will discover that Mimikatz is more than sekurlsa::logonpasswords.
service - interacts with Windows services and can install the mimikatzsvc service.
sid - deals with Security Identifiers.
standard - general functionality that is not related to exploitation.
token - deals with Windows tokens (who does not like elevating to NT AUTHORITY\SYSTEM).
ts - deals with Terminal Services. It can be an alternative for getting clear-text passwords.
vault - dumps passwords saved in the Windows Vault.
Commands -
crypto
crypto::capi - patches the CryptoAPI layer for easy export of keys (experimental ⚠️)
crypto::certificates - lists or exports certificates
crypto::certtohw - tries to export a software CA to a crypto (virtual) hardware
crypto::cng - patches the CNG (Cryptography API: Next Generation) service for easy export (experimental ⚠️)
crypto::extract - extracts keys from the CAPI RSA/AES provider (experimental ⚠️)
crypto::hash - hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2). The username is optional and is only needed for the DCC formats
crypto::keys - lists or exports key containers
crypto::providers - lists cryptographic providers
crypto::sc - lists the smartcard/token reader(s) on, or redirected to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list the keys on the smartcard
crypto::scauth - creates an authentication certificate (smartcard-like) from a CA
crypto::stores - lists cryptographic stores
crypto::system - describes a Windows System Certificate
crypto::tpminfo - displays information about Microsoft's TPM Platform Crypto Provider
dpapi
dpapi::blob - describes a DPAPI blob (provider, masterkey GUID, algorithms) and unprotects/decrypts it, either through the API or with a masterkey
dpapi::cache - displays the credential cache of the DPAPI module
dpapi::capi - decrypts a CryptoAPI private key file
dpapi::chrome - dumps stored credentials and cookies from Chrome
dpapi::cloudapkd - is undocumented at the moment
dpapi::cloudapreg - dumps Azure credentials by querying the registry
dpapi::cng - decrypts a given CNG private key file
dpapi::create - creates a DPAPI Masterkey file from a raw key and metadata
dpapi::cred - decrypts DPAPI saved credentials such as RDP, scheduled tasks, etc. (cf. dumping DPAPI secrets)
dpapi::credhist - describes a CREDHIST file
dpapi::luna - decrypts a SafeNet Luna HSM KSP
dpapi::masterkey - describes a Masterkey file and unprotects each masterkey it can, depending on which key is available: the user's password or SHA1, the domain backup key, or a request to a Domain Controller (/rpc)
dpapi::protect - protects data via a DPAPI call
dpapi::ps - decrypts PowerShell credentials (PSCredential or SecureString)
dpapi::rdg - decrypts Remote Desktop Gateway saved passwords
dpapi::sccm - decrypts saved SCCM credentials
dpapi::ssh - extracts OpenSSH private keys
dpapi::tpm - decrypts a TPM PCP key file (Microsoft's TPM Platform Crypto Provider)
dpapi::vault - decrypts DPAPI vault credentials from the Credential Store
dpapi::wifi - decrypts saved Wi-Fi passwords
dpapi::wwan - decrypts WWAN credentials
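What dpapi::blob does before any decryption is read the blob header, and the field a practitioner needs from it is the masterkey GUID, which names the masterkey file that dpapi::masterkey must unprotect. The following parser is an added example in Python and is not Mimikatz code; it follows the public DPAPI blob layout (version, provider GUID, masterkey GUID, flags, description, cipher and hash ALG_IDs, salt, ciphertext, signature). The sample blob is constructed in build_dpapi_blob() with a made-up masterkey GUID and dummy ciphertext/signature; no real secret is involved and nothing is decrypted.

```python
"""Added example (not part of Mimikatz): describe a DPAPI blob header.
The blob layout is the documented DPAPI format; the sample blob is constructed."""
import struct
import uuid

# Provider GUID present at the start of every DPAPI blob
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CryptoAPI ALG_ID values commonly seen in DPAPI blobs
ALG_NAMES = {
    0x6603: "CALG_3DES",
    0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1",
    0x800E: "CALG_SHA_512",
}


class _Reader:
    """Bounds-checked little-endian cursor: a truncated blob raises instead of misparsing."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError("truncated DPAPI blob")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def lv(self) -> bytes:
        """Length-prefixed value (DWORD length followed by the bytes)."""
        return self.take(self.u32())


def parse_dpapi_blob(blob: bytes) -> dict:
    """Return the header fields dpapi::blob reports; raises ValueError on a malformed blob."""
    r = _Reader(blob)
    version = r.u32()
    provider = uuid.UUID(bytes_le=r.take(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    mk_version = r.u32()
    mk_guid = uuid.UUID(bytes_le=r.take(16))       # which masterkey file is needed
    flags = r.u32()
    description = r.lv().decode("utf-16le").rstrip("\x00")
    alg_crypt, alg_crypt_bits = r.u32(), r.u32()
    salt = r.lv()
    r.lv()                                         # legacy HMAC key field, normally empty
    alg_hash, alg_hash_bits = r.u32(), r.u32()
    hmac2_key = r.lv()
    data = r.lv()                                  # ciphertext (not decrypted here)
    sign = r.lv()                                  # HMAC over the blob
    if r.pos != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return {
        "masterkey_guid": str(mk_guid),
        "masterkey_version": mk_version,
        "flags": flags,
        "description": description,
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": alg_crypt_bits,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "alg_hash_bits": alg_hash_bits,
        "salt": salt.hex(),
        "hmac2_key": hmac2_key.hex(),
        "ciphertext_len": len(data),
        "signature_len": len(sign),
    }


def is_dpapi_blob(blob: bytes) -> bool:
    """Cheap validity check, usable when carving blobs out of files or registry values."""
    try:
        parse_dpapi_blob(blob)
        return True
    except ValueError:
        return False


def _lv(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_dpapi_blob(mk_guid: str, description: str, salt: bytes, data: bytes, sign: bytes,
                     alg_crypt: int = 0x6610, alg_crypt_bits: int = 256,
                     alg_hash: int = 0x800E, alg_hash_bits: int = 512) -> bytes:
    """Construct a blob with the real layout; ciphertext and signature are dummies."""
    desc = (description + "\x00").encode("utf-16le")
    return b"".join([
        struct.pack("<I", 1), DPAPI_PROVIDER_GUID.bytes_le,
        struct.pack("<I", 1), uuid.UUID(mk_guid).bytes_le,
        struct.pack("<I", 0), _lv(desc),
        struct.pack("<II", alg_crypt, alg_crypt_bits), _lv(salt), _lv(b""),
        struct.pack("<II", alg_hash, alg_hash_bits), _lv(b""),
        _lv(data), _lv(sign),
    ])


# Constructed sample: the GUID is made up and the payload bytes are fillers.
SAMPLE_MK_GUID = "7a1f3b2c-4d5e-4f60-8a9b-0c1d2e3f4a5b"
SAMPLE_BLOB = build_dpapi_blob(SAMPLE_MK_GUID, "Constructed example",
                               b"\x11" * 32, b"\x22" * 48, b"\x33" * 64)

if __name__ == "__main__":
    for field, value in parse_dpapi_blob(SAMPLE_BLOB).items():
        print(f"{field:18} {value}")
```

On a real system the masterkey GUID printed here is the file name to look for under the user's Protect directory (or the system one for machine blobs); that file, plus the user's password, the domain backup key (lsadump::backupkeys) or a /rpc request to a Domain Controller, is what dpapi::masterkey needs before dpapi::blob can decrypt the ciphertext.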
event
event::clear - clears a specified event log
event::drop - patches the event service to avoid new events (experimental ⚠️)
kerberos
kerberos::ask - obtains Service Tickets. The Windows native equivalent is klist get
kerberos::clist - lists tickets in MIT/Heimdal ccache format. It can be useful with other tools (i.e. ones that support Pass the Cache)
kerberos::golden - forges golden and silver tickets. It can also forge inter-realm trust tickets from a trust key
kerberos::hash - computes the different types of Kerberos keys (RC4, i.e. the NT hash, and AES128/AES256) for a given password
kerberos::list - has similar functionality to the klist command without requiring elevated privileges. Unlike sekurlsa::tickets, this module does not read LSASS memory
kerberos::ptc - passes the cache. This is similar to kerberos::ptt, which passes the ticket, but the ticket used is a .ccache file instead of a .kirbi one
kerberos::ptt - passes the ticket by injecting one or more Kerberos tickets into the current session. The ticket can either be a TGT (Ticket-Granting Ticket) or an ST (Service Ticket)
kerberos::purge - purges all Kerberos tickets, similar to klist purge
kerberos::tgt - retrieves the TGT (Ticket-Granting Ticket) of the current user
lsadump
lsadump::backupkeys - dumps the DPAPI backup keys from the Domain Controller (cf. dumping DPAPI secrets)
lsadump::cache - enumerates Domain Cached Credentials from the registry. It acquires the SysKey to decrypt NL$KM (a binary protected value) and then the MSCache (v1/v2) entries
lsadump::changentlm - changes the password of a user (the current password or NT hash must be known)
lsadump::dcshadow - performs DCShadow: registers a temporary rogue Domain Controller and pushes attribute changes into Active Directory through replication
lsadump::lsa - extracts hashes by asking the LSA server. With /patch or /inject, LSASS is patched or injected on the fly
lsadump::mbc - dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled use Machine Bound Certificates
lsadump::netsync - acts as a Domain Controller towards a target by using a Silver Ticket, then leverages Netlogon to request the RC4 key (i.e. the NT hash) of the target computer account
lsadump::packages - lists the available Windows authentication packages
lsadump::postzerologon - updates the AD domain password of a computer account and its locally stored password remotely, mimicking netdom resetpwd (used to restore a machine account after a ZeroLogon exploitation)
lsadump::RpData - can retrieve private data (at the time of writing, Nov 1st 2021, we have no idea what this does or refers to)
lsadump::sam - dumps the local Security Account Manager (SAM) NT hashes (cf. SAM secrets dump)
lsadump::secrets - dumps LSA secrets from the registry. It retrieves the SysKey to decrypt the Secrets entries
lsadump::setntlm - performs a password reset without knowing the user's current password. It is useful in an Active Directory ACL (Access Control List) abuse scenario
lsadump::trust - dumps the forest trust keys. These can be used to forge inter-realm trust tickets; since detection commonly focuses on the krbtgt hash, this is a stealthier way to compromise a forest trust
lsadump::zerologon - detects and exploits the ZeroLogon vulnerability (CVE-2020-1472)
misc
misc::aadcookie - dumps the Azure Portal session cookie from login.microsoftonline.com
misc::clip - monitors the clipboard. CTRL+C stops the monitoring
misc::cmd - launches the command prompt
misc::compress - performs a self-compression of Mimikatz
misc::detours - is experimental and tries to enumerate all modules with Detours-like hooks
misc::efs - is Mimikatz's implementation of the MS-EFSR abuse (PetitPotam), an authentication coercion technique
misc::lock - locks the screen. It comes in handy with misc::memssp, since the user's next logon is captured
misc::memssp - patches LSASS in memory to add a new Security Support Provider without registering a DLL on disk; subsequent logon passwords are written to a log file
misc::mflt - identifies Windows minifilters from inside Mimikatz, without using fltmc.exe. It lists the loaded filter drivers with their altitude, which also helps fingerprint security products
misc::ncroutemon - displays Juniper Network Connect (without route monitoring)
misc::ngcsign - dumps the NGC key (Windows Hello keys) signed with the symmetric PoP key
misc::printnightmare - exploits the PrintNightmare vulnerability through both MS-RPRN RpcAddPrinterDriverEx and MS-PAR RpcAsyncAddPrinterDriver. The bug was discovered by Zhiniang Peng (@edwardzpeng) and Xuefeng Li (@lxf02942370)
misc::regedit - launches the registry editor
misc::sccm - decrypts the password field in the SC_UserAccount table of the SCCM database
misc::shadowcopies - lists the available shadow copies on the system
misc::skeleton - injects a "Skeleton Key" into the LSASS process on the domain controller: a master password (mimikatz by default) accepted for every domain account alongside the real one
misc::spooler - is Mimikatz's implementation of the MS-RPRN abuse (PrinterBug), an authentication coercion technique
misc::taskmgr - launches the task manager
misc::wp - sets a wallpaper
misc::xor - performs XOR encoding/decoding of a provided file, with 0x42 as the default key
net
net::alias - displays information about local group memberships such as Remote Desktop Users, Distributed COM Users, etc.
net::deleg - checks for the different types of Kerberos delegation
net::group - displays the local groups
net::if - displays the available local IP addresses and the hostname
net::serverinfo - displays information about the server
net::session - displays the active sessions through the NetSessionEnum() Win32 API function
net::share - displays the available shares
net::stats - displays when the target was booted
net::tod - displays the current time of day
net::trust - displays information about the Active Directory forest trust(s)
net::user - displays the local users
net::wsession - displays the active sessions through the NetWkstaUserEnum() Win32 API function
privilege
privilege::backup - requests the backup privilege (SeBackupPrivilege)
privilege::debug - requests the debug privilege (SeDebugPrivilege)
privilege::driver - requests the load driver privilege (SeLoadDriverPrivilege)
privilege::id - requests a privilege by its id
privilege::name - requests a privilege by its name
privilege::restore - requests the restore privilege (SeRestorePrivilege)
privilege::security - requests the security privilege (SeSecurityPrivilege)
privilege::sysenv - requests the system environment privilege (SeSystemEnvironmentPrivilege)
privilege::tcb - requests the tcb privilege (SeTcbPrivilege)
process
process::exports - lists the exported functions of the DLLs used by a running process. If no /pid is specified, the exports of mimikatz.exe are displayed
process::imports - lists the imported functions of the DLLs used by a running process. If no /pid is specified, the imports of mimikatz.exe are displayed
process::list - lists all running processes, using the NtQuerySystemInformation native API function
process::resume - resumes a suspended process using the NtResumeProcess native API function
process::run - creates a process with the CreateProcessAsUser Win32 API function; CreateEnvironmentBlock is also used
process::runp - runs a subprocess under a chosen parent process (the default parent is lsass.exe). It can also be used for lateral movement and parent process spoofing
process::start - starts a process with the CreateProcess Win32 API function. The PID of the new process is also displayed
process::stop - terminates a process with the NtTerminateProcess native API function (the Win32 equivalent is TerminateProcess)
process::suspend - suspends a process with the NtSuspendProcess native API function
rpc
rpc::close - closes remote RPC sessions
rpc::connect - connects to an RPC endpoint
rpc::enum - enumerates RPC endpoints on a system
rpc::server - starts an RPC server
sekurlsa
sekurlsa::backupkeys - lists the preferred backup master keys
sekurlsa::bootkey - sets the SecureKernel Boot Key and attempts to decrypt LSA Isolated credentials
sekurlsa::cloudap - lists Azure (Primary Refresh Token) credentials, based on the research "Digging further into the Primary Refresh Token"
sekurlsa::credman - lists Credential Manager credentials by targeting the Microsoft Local Security Authority Server DLL (lsasrv.dll)
sekurlsa::dpapi - lists DPAPI cached masterkeys
sekurlsa::dpapisystem - lists the DPAPI_SYSTEM secret key
sekurlsa::ekeys - lists Kerberos encryption keys
sekurlsa::kerberos - lists Kerberos credentials
sekurlsa::krbtgt - retrieves the krbtgt RC4 (i.e. NT hash), AES128 and AES256 keys
sekurlsa::livessp - lists LiveSSP credentials. According to Microsoft, the LiveSSP provider is included by default in Windows 8 and later and in the Office 365 Sign-in Assistant
sekurlsa::logonpasswords - lists the credentials of all available providers. This usually shows recently logged-on user and computer credentials
sekurlsa::minidump - switches sekurlsa to a dumped LSASS process file (minidump) instead of the live process. Parsing the dump does not require administrative privileges and is considered an "offline" dump
sekurlsa::msv - dumps and lists the NT hash (and other secrets) by targeting the MSV1_0 authentication package
sekurlsa::process - switches (or re-initialises) to the LSASS process context. It can be used after sekurlsa::minidump to go back to the live process
sekurlsa::pth - performs Pass-the-Hash, Pass-the-Key and Over-Pass-the-Hash. Upon success a program is run with the injected credentials (cmd.exe by default)
sekurlsa::ssp - lists Security Support Provider (SSP) credentials
sekurlsa::tickets - lists the Kerberos tickets of all authenticated users on the target server/workstation. Unlike kerberos::list, sekurlsa reads LSASS memory and is not subject to key export restrictions; it can also access the tickets of other sessions (users)
sekurlsa::trust - retrieves the forest trust keys
sekurlsa::tspkg - lists TsPkg credentials. This credential provider is used for Terminal Server authentication
sekurlsa::wdigest - lists WDigest credentials. According to Microsoft, WDigest.dll was introduced with Windows XP
service
service::- - removes the mimikatzsvc service
service::+ - installs the mimikatzsvc service, which runs "rpc::server service::me exit"
service::preshutdown - pre-shuts down a specified service by sending a SERVICE_CONTROL_PRESHUTDOWN control code
service::remove - removes the specified service (use with caution)
service::resume - resumes a specified, previously suspended, service by sending a SERVICE_CONTROL_CONTINUE control code
service::shutdown - shuts down a specified service by sending a SERVICE_CONTROL_SHUTDOWN control code
service::start - starts a service
service::stop - stops a specified service by sending a SERVICE_CONTROL_STOP control code
service::suspend - suspends the specified service by sending a SERVICE_CONTROL_PAUSE control code
sid
sid::add - adds a SID to the sIDHistory of an object
sid::clear - clears the sIDHistory of a target object
sid::lookup - looks up an object by its SID or name
sid::modify - modifies an object's SID
sid::patch - patches NTDS (NT Directory Services). It is needed before running sid::modify or sid::add
sid::query - queries an object by its SID or name
standard
standard::answer (or answer) - provides an answer to The Ultimate Question of Life, the Universe, and Everything! 🌠
standard::base64 (or base64) - switches file input/output to base64
standard::cd (or cd) - changes or displays the current directory. The chosen directory is used for saving files
standard::cls (or cls) - clears the screen
standard::coffee (or coffee) - is the most important command of all
standard::exit (or exit) - quits Mimikatz after running its cleanup routines
standard::hostname (or hostname) - displays the local hostname
standard::localtime (or localtime) - displays the local date and time
standard::log (or log) - logs Mimikatz input/output to a file
standard::sleep (or sleep) - makes Mimikatz sleep for the given number of milliseconds
standard::version (or version) - displays the version of Mimikatz in use
token
token::elevate - impersonates a token. By default it elevates to NT AUTHORITY\SYSTEM
token::list - lists all tokens on the system
token::revert - reverts to the previous token
token::run - executes a process with the selected token
token::whoami - displays the current token
ts
ts::logonpasswords - extracts clear-text credentials from running RDP sessions (server side)
ts::mstsc - extracts clear-text credentials from the mstsc process (client side)
ts::multirdp - enables multiple RDP connections on the target server
ts::remote - performs RDP takeover/hijacking of active sessions
ts::sessions - lists the current RDP sessions. It comes in handy for RDP hijacking
vault
vault::cred - enumerates vault credentials
vault::list - lists the credentials saved in the Windows Vault (e.g. scheduled tasks, RDP, Internet Explorer) for the current user