Mimikatz
About Modules and Commands
crypto: This module deals with the Microsoft Crypto Magic world.
dpapi: The Data Protection Application Programming Interface module. Consider this an opsec-safe option for getting credentials.
event: This module deals with the Windows Event logs (to clear footprints after compromise).
kerberos: This module deals with Kerberos, lol.
lsadump: This module contains some well-known functionalities of Mimikatz such as DCSync, DCShadow, and dumping of SAM and LSA Secrets.
misc: The miscellaneous module contains functionalities such as PetitPotam, PrintNightmare (RPC Print Spooler) and others.
net: Some functionalities in this module are similar to the Windows net commands. Enumerating sessions and servers configured with different types of Kerberos delegation is also included.
privilege: This module deals with Windows privileges. It includes the favorite debug privilege, which holds the keys to LSASS.
process: This module deals with Windows processes. It can also be used for process injection and parent process spoofing.
rpc: The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely.
sekurlsa: The most beloved module of Mimikatz. Even the maker of Mimikatz (Benjamin) has mentioned in the past that one day people will discover that Mimikatz is more than sekurlsa::logonpasswords.
service: This module can interact with Windows services, including installing the mimikatzsvc service.
sid: This module deals with Security Identifiers.
standard: This module contains some general functionalities which are not related to exploitation.
token: This module deals with Windows tokens (who does not really like elevating to NT AUTHORITY\SYSTEM?).
ts: This module deals with Terminal Services. It can be an alternative for getting clear-text passwords.
vault: This module dumps passwords saved in the Windows Vault.
crypto::certificates: lists or exports certificates
crypto::certtohw: tries to export a software CA to a crypto (virtual) hardware
crypto::hash: hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2), with the username being an optional value
crypto::keys: lists or exports key containers
crypto::providers: lists cryptographic providers
crypto::sc: lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcard
crypto::scauth: creates an authentication certificate (smartcard-like) from a CA
crypto::stores: lists cryptographic stores
crypto::system: describes a Windows System Certificate
crypto::tpminfo: displays information for Microsoft's TPM Platform Crypto Provider

dpapi::blob: describes a DPAPI blob and unprotects/decrypts it with the API or a Masterkey
dpapi::cache: displays the credential cache of the DPAPI module
dpapi::capi: decrypts a CryptoAPI private key file
dpapi::chrome: dumps stored credentials and cookies from Chrome
dpapi::cloudapkd: undocumented at the moment
dpapi::cloudapreg: dumps Azure credentials by querying the registry
dpapi::cng: decrypts a given CNG private key file
dpapi::create: creates a DPAPI Masterkey file from a raw key and metadata
dpapi::credhist: describes a Credhist file
dpapi::luna: decrypts Safenet LunaHSM KSP
dpapi::masterkey: describes a Masterkey file and unprotects each Masterkey (key depending). In other words, it can decrypt masterkeys and request them from Active Directory
dpapi::protect: protects data via a DPAPI call
dpapi::ps: decrypts PowerShell credentials (PSCredential or SecureString)
dpapi::rdg: decrypts Remote Desktop Gateway saved passwords
dpapi::sccm: decrypts saved SCCM credentials
dpapi::ssh: extracts OpenSSH private keys
dpapi::wifi: decrypts saved Wi-Fi passwords
dpapi::wwan: decrypts WWAN credentials
event::clear: clears a specified event log

kerberos::hash: computes the different types of Kerberos keys for a given password
kerberos::tgt: retrieves a TGT (Ticket-Granting Ticket) for the current user

lsadump::cache: enumerates Domain Cached Credentials from the registry. It does so by acquiring the SysKey to decrypt NL$KM (a binary protected value) and then MSCache (v1/v2)
lsadump::changentlm: changes the password of a user
lsadump::dcshadow: TODO
lsadump::lsa: extracts hashes from memory by asking the LSA server. The patch or inject takes place on the fly
lsadump::mbc: dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled use Machine Bound Certificates
lsadump::packages: lists the available Windows authentication mechanisms
lsadump::postzerologon: a procedure to remotely update the AD domain password and the locally stored password, mimicking netdom resetpwd
lsadump::trust: dumps the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most EDRs are paying attention to the KRBTGT hash, this is a stealthy way to compromise forest trusts
net::alias: displays more information about the local group memberships, including Remote Desktop Users, Distributed COM Users, etc.
net::group: displays the local groups
net::if: displays the available local IP addresses and the hostname
net::serverinfo: displays information about the logged-in server
net::share: displays the available shares
net::stats: displays when the target was booted
net::tod: displays the current time
net::trust: displays information for the Active Directory forest trust(s)
net::user: displays the local users

privilege::backup: requests the backup privilege (SeBackupPrivilege)
privilege::debug: requests the debug privilege (SeDebugPrivilege)
privilege::driver: requests the load driver privilege (SeLoadDriverPrivilege)
privilege::id: requests a privilege by its id
privilege::name: requests a privilege by its name
privilege::restore: requests the restore privilege (SeRestorePrivilege)
privilege::security: requests the security privilege (SeSecurityPrivilege)
privilege::sysenv: requests the system environment privilege (SeSystemEnvironmentPrivilege)
privilege::tcb: requests the TCB privilege (SeTcbPrivilege)

rpc::close: closes remote RPC sessions
rpc::connect: connects to an RPC endpoint
rpc::enum: enumerates RPC endpoints on a system
rpc::server: starts an RPC server
sekurlsa::backupkeys: lists the preferred Backup Master keys
sekurlsa::bootkey: sets the SecureKernel Boot Key and attempts to decrypt LSA Isolated credentials
sekurlsa::dpapi: lists DPAPI cached masterkeys
sekurlsa::dpapisystem: lists the DPAPI_SYSTEM secret key
sekurlsa::ekeys: lists Kerberos encryption keys
sekurlsa::kerberos: lists Kerberos credentials
sekurlsa::krbtgt: retrieves the krbtgt RC4 (i.e. NT hash), AES128 and AES256 hashes
sekurlsa::livessp: lists LiveSSP credentials. According to Microsoft, the LiveSSP provider is included by default in Windows 8 and later and is included in the Office 365 Sign-in Assistant
sekurlsa::logonpasswords: lists all available provider credentials. This usually shows recently logged-on user and computer credentials
sekurlsa::minidump: can be used against a dumped LSASS process file and does not require administrative privileges. It's considered an "offline" dump
sekurlsa::trust: retrieves the forest trust keys
sekurlsa::tspkg: lists TsPkg credentials. This credential provider is used for Terminal Server authentication

service::-: removes the mimikatzsvc service
service::+: installs the mimikatzsvc service by issuing rpc::server service::me exit
service::preshutdown: pre-shuts down a specified service by sending a SERVICE_CONTROL_PRESHUTDOWN signal
service::remove: removes the specified service (use with caution)
service::resume: resumes a specified service after a successful suspend by sending a SERVICE_CONTROL_CONTINUE signal
service::shutdown: shuts down a specified service by sending a SERVICE_CONTROL_SHUTDOWN signal
service::start: starts a service
service::stop: stops a specified service by sending a SERVICE_CONTROL_STOP signal
service::suspend: suspends the specified service by sending a SERVICE_CONTROL_PAUSE signal

sid::add: adds a SID to the sIDHistory of an object
sid::clear: clears the sIDHistory of a target object
sid::lookup: looks up an object by its SID or name
sid::modify: modifies an object's SID
sid::patch: patches the NTDS (NT Directory Services). It's useful when running sid::modify or sid::add
sid::query: queries an object by its SID or name
standard::base64 or base64: switches file input/output to base64
standard::cd or cd: changes or displays the current directory. The changed directory is used for saving files
standard::cls or cls: clears the screen
standard::coffee or coffee: the most important command of all
standard::exit or exit: quits Mimikatz after clearing routines
standard::hostname or hostname: displays the system's local hostname
standard::localtime or localtime: displays the system's local date and time
standard::log or log: logs Mimikatz input/output to a file
standard::sleep or sleep: makes Mimikatz sleep for an amount of milliseconds
standard::version or version: displays the version of Mimikatz in use

token::elevate: impersonates a token. By default it elevates permissions to NT AUTHORITY\SYSTEM
token::list: lists all tokens on the system
token::revert: reverts to the previous token
token::run: executes a process with its token
token::whoami: displays the current token

ts::logonpasswords: extracts clear-text credentials from running RDP sessions (server side)
ts::mstsc: extracts clear-text credentials from the mstsc process (client side)
ts::multirdp: enables multiple RDP connections on the target server
ts::remote: performs RDP takeover/hijacking of active sessions
ts::sessions: lists the current RDP sessions. It comes in handy for RDP hijacking

vault::cred: enumerates vault credentials
vault::list: lists credentials saved in the Windows Vault (such as scheduled tasks, RDP, Internet Explorer) for the current user
crypto::capi: patches the CryptoAPI layer for easy export (experimental)
crypto::cng: patches the CNG (Cryptography API: Next Generation) service for easy export (experimental)
crypto::extract: extracts keys from the CAPI RSA/AES provider (experimental)

dpapi::cred: decrypts DPAPI saved credentials such as RDP, scheduled tasks, etc.
dpapi::tpm: decrypts a TPM Platform Crypto Provider (PCP) key file
dpapi::vault: decrypts DPAPI vault credentials

event::drop: patches event services to avoid new events (experimental)

kerberos::ask: obtains Service Tickets
kerberos::clist: lists tickets in ccache format. It can be useful with other tools (i.e. ones that support that format)
kerberos::golden: forges Kerberos tickets. It can also be used for forging inter-realm trust keys
kerberos::list: has functionality similar to sekurlsa::tickets without requiring elevated privileges. Unlike sekurlsa::tickets, this module does not interact with LSASS
kerberos::ptc: passes the ticket from a .ccache file. This is similar to kerberos::ptt, which also does pass the ticket, but differs in that the ticket used is a .ccache ticket instead of a .kirbi one
kerberos::ptt: pass the ticket, by injecting one or many Kerberos tickets into the current session. The ticket can either be a TGT (Ticket-Granting Ticket) or an ST (Service Ticket)
kerberos::purge: purges all Kerberos tickets

lsadump::backupkeys: dumps the DPAPI backup keys from the Domain Controller
lsadump::dcsync: performs a DCSync and retrieves domain secrets. This command uses the Directory Replication Service Remote protocol to request that a domain controller synchronize a specified entry
lsadump::netsync: acts as a Domain Controller on a target and then requests the RC4 key (i.e. NT hash) of the target computer account
lsadump::RpData: can retrieve private data (at the time of writing, Nov 1st 2021, we have no idea what this does or refers to)
lsadump::sam: dumps the local Security Account Manager (SAM) NT hashes
lsadump::secrets: dumps LSA Secrets from the registry. It retrieves the SysKey to decrypt the Secrets entries
lsadump::setntlm: performs a password reset without knowing the user's current password. It can be useful during an Active Directory scenario
lsadump::zerologon: detects and exploits the Zerologon vulnerability
misc commands (the command names did not survive extraction; descriptions only):
dumps the Azure Panel's session cookie from login.microsoftonline.com
monitors the clipboard. CTRL+C stops the monitoring
launches the command prompt
performs a self-compression of Mimikatz
is experimental and tries to enumerate all modules
is Mimikatz's implementation of PetitPotam, an authentication coercion technique
locks the screen
patches LSASS by injecting a new Security Support Provider (a DLL is registered)
identifies Windows minifilters from inside Mimikatz, without using fltmc.exe. It can also assist in fingerprinting security products, by altitude too (gathers details on loaded drivers, including driver altitude)
displays Juniper Network Connect (without route monitoring)
dumps the NGC key (Windows Hello keys) signed with the symmetric PoP key
exploits the PrintNightmare vulnerability. The bug was discovered by Zhiniang Peng & Xuefeng Li
launches the registry editor
decrypts the password field in the SC_UserAccount table in the SCCM database
lists the available shadow copies on the system
injects into the LSASS process on the domain controller
is Mimikatz's implementation of an authentication coercion technique
launches the task manager
sets a wallpaper
performs XOR decoding/encoding on a provided file with the default key 0x42
net::deleg: checks for the different types of Kerberos delegation
net::session: displays the active sessions through a Win32 API function
net::wsession: displays the active sessions through a Win32 API function

process commands (the command names did not survive extraction; descriptions only):
lists all the exported functions from the DLLs each running process is using. If a /pid is not specified, then the exports for mimikatz.exe are displayed
lists all the imported functions from the DLLs each running process is using. If a /pid is not specified, then the imports for mimikatz.exe are displayed
lists all the running processes, using a Windows Native API function
resumes a suspended process using a Windows Native API function
creates a process using a Win32 API function
runs a subprocess under a parent process (the default parent process is LSASS.exe). It can also be used for lateral movement and process spoofing
starts a process using a Win32 API function. The PID of the process is also displayed
terminates a process using a Windows Native API function
suspends a process using a Windows Native API function
sekurlsa::cloudap: lists Azure (Primary Refresh Token) credentials
sekurlsa::credman: lists Credential Manager credentials by targeting the Microsoft Local Security Authority Server DLL
sekurlsa::msv: dumps and lists the NT hash (and other secrets)
sekurlsa::process: switches (or reinits) to the LSASS process context
sekurlsa::pth: performs pass-the-hash. Upon successful authentication, a program is run (n.b. defaults to cme.exe)
sekurlsa::ssp: lists Security Support Provider (SSP) credentials
sekurlsa::tickets: lists Kerberos tickets belonging to all authenticated users on the target server/workstation. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. Sekurlsa can also access tickets of other sessions (users)
sekurlsa::wdigest: lists WDigest credentials. According to Microsoft, WDigest was introduced in the Windows XP operating system

standard::answer or answer: provides an answer