dpapi: The Data Protection Application Programming Interface module. Consider this as an opsec safe option (for now) for getting credentials.kerberos: This module deals with the Greek Mythology's three headed Hades dog without the help of Hercules.lsadump: this module contains some well known functionalities of Mimikatz such as DCSync, DCShadow, dumping of SAM and LSA Secrets.misc: The miscellaneous module contains functionalities such as PetitPotam, PrintNightmare RPC Print Spooler and others.net: some functionalities in this module are similar to the Windows net commands. Enumerating sessions and servers configured with different types of Kerberos delegations is also included.privilege: This module deals with the Windows privileges. It includes the favorite debug privilege which holds the keys to LSASS.process: This module deal with Windows processes. It can also be used for process injection and parent process spoofing.rpc: The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely. sekurlsa: The most beloved module of Mimikatz. Even Benjamin has mentioned in the past that one day people will discover that Mimikatz is more than sekurlsa::logonpasswords. Hope we made some effort on this Benjamin.standard: This module contains some general functionalities which are not related to exploitation.token: This module deals with the Windows tokens (who does not really like elevating to NT AUTHORITY\ SYSTEM).ts: This module deals with the Terminal Services. It can be an alternative for getting clear-text passwords. crypto::cng patches the CNG (Cryptography API: Next Generation) service for easy export (Experimental crypto::hash hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2) with the username being an optional valuecrypto::sc lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcarddpapi::cred decrypts DPAPI saved credential such as RDP, Scheduled tasks, etc (cf. dumping DPAPI secrets)dpapi::masterkey describes a Masterkey file and unprotects each Masterkey (key depending). In other words, it can decrypt and request masterkeys from active directorykerberos::clist lists tickets in MIT/Heimdall ccache format. It can be useful with other tools (i.e. ones that support Pass the Cache)kerberos::golden can be used to forge golden and silver tickets. It can also be used for forging inter-realm trust keyskerberos::list has a similar functionality to klist command without requiring elevated privileges. Unlike sekurlsa::tickets, this module does not interact with LSASSkerberos::ptc can be used to pass the cache. This is similar to kerberos::ptt that does pass the ticket but is different in the sense that the ticket used is a .ccache ticket instead of a .kirbi onekerberos::ptt is used for passing the ticket by injecting one or may Kerberos tickets in the current session. The ticket can either be a TGT (Ticket-Granting Ticket) or an ST (Service Ticket)lsadump::backupkeys dumps the DPAPI backup keys from the Domain Controller (cf. dumping DPAPI secrets)lsadump::cache can be used to enumerate Domain Cached Credentials from registry. It does so by acquiring the SysKey to decrypt NL$KM (binary protected value) and then MSCache(v1/v2)lsadump::dcsync can be used to do a DCSync and retrieve domain secrets. This command uses the Directory Replication Service Remote protocol (MS-DRSR) to request from a domain controller to synchronize a specified entrylsadump::lsa extracts hashes from memory by asking the LSA server. The patch or inject takes place on the flylsadump::mbc dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled are using Machine Bound Certificateslsadump::netsync can be used to act as a Domain Controller on a target by doing a Silver Ticket. It then leverages the Netlogon to request the RC4 key (i.e. NT hash) of the target computer accountlsadump::postzerologon is a procedure to update AD domain password and its local stored password remotely mimic netdom resetpwdlsadump::RpData can retrieve private data (at the time of writing, Nov 1st 2021, we have no idea what this does or refers to lsadump::secrets can be used to dump LSA secrets from the registries. It retrieves the SysKey to decrypt Secrets entrieslsadump::setntlm can be used to perform a password reset without knowing the user's current password. It can be useful during an active directory Access Control (ACL) abuse scenariolsadump::trust can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most of the EDRs are paying attention to the KRBTGT hash, this is a stealthy way to compromise forest trustsmisc::aadcookie can be used to dump the Azure Panel's session cookie from login.microsoftonline.commisc::efs is Mimikatz's implementation of the MS-EFSR abuse (PetitPotam), an authentication coercion techniquemisc::mflt identifies Windows minifilters inside mimikatz, without using fltmc.exe. It can also assist in fingerprinting security products, by altitude too (Gathers details on loaded drivers, including driver altitude)misc::ngcsign can be used to dump the NGC key (Windows Hello keys) signed with the symmetric pop key.misc::printnightmare can be used to exploit the PrintNightMare vulnerability in both [MS-RPRN RpcAddPrinterDriverEx] and [MS-PAR AddPrinterDriverEx]. The bug was discovered by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)misc::spooler is Mimikat's implementation of the MS-RPRN abuse (PrinterBug), an authentication coercion techniquenet::alias displays more information about the local group memberships including Remote Desktop Users, Distributed COM Users, etcprocess::exports lists all the exported functions from the DLLs each running process is using. If a** **/pid is not specified, then exports for mimikatz.exe will be displayedprocess::imports lists all the imported functions from the DLLs each running process is using. If a** **/pid is not specified, then imports for mimikatz.exe will be displayedprocess::list lists all the running processes. It uses the NtQuerySystemInformation Windows Native API functionprocess::resume resumes a suspended process by using the NtResumeProcess Windows Native API functionprocess::run creates a process by using the CreateProcessAsUser Win32 API function. The CreateEnvironmentBlock is also utilizedprocess::runp runs a subprocess under a parent process (Default parent process is LSASS.exe). It can also be used for lateral movement and process spoofingprocess::start starts a process by using the CreateProcess Win32 API function. The PID of the process is also displayedprocess::stop terminates a process by using the NtTerminateProcess Windows Native API function. The Win32 API equal one is TerminateProcessโsekurlsa::bootkey sets the SecureKernel Boot Key and attempts to decrypt LSA Isolated credentialssekurlsa::cloudap lists Azure (Primary Refresh Token) credentials based on the following research: Digging further into the Primary Refresh Token. According to Benjamin:sekurlsa::credman lists Credentials Manager by targeting the Microsoft Local Security Authority Server DLL (lsasrv.dll)sekurlsa::livessp lists LiveSSP credentials. According to Microsoft, the LiveSSP provider is included by default in Windows 8 and later and is included in the Office 365 Sign-in Assistantsekurlsa::logonpasswords lists all available provider credentials. This usually shows recently logged on user and computer credentialssekurlsa::minidump can be used against a dumped LSASS process file and it does not require administrative privileges. It's considered as an "offline" dumpsekurlsa::msv dumps and lists the NT hash (and other secrets) by targeting the MSV1_0 Authentication Packageโsekurlsa::process switches (or reinits) to LSASS process context. It can be used after sekurlsa::minidumpโsekurlsa::pth performs Pass-the-Hash, Pass-the-Key and Over-Pass-the-Hash. Upon successful authentication, a program is run (n.b. defaulted to cme.exe)sekurlsa::tickets lists Kerberos tickets belonging to all authenticated users on the target server/workstation. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. Sekurlsa can also access tickets of others sessions (users)sekurlsa::tspkg lists TsPkg credentials. This credentials provider is used for Terminal Server Authenticationsekurlsa::wdigest lists WDigest credentials. According to Microsoft, WDigest.dll was introduced in the Windows XP operating systemservice::preshutdown pre-shuts down a specified service by sending a SERVICE_CONTROL_PRESHUTDOWN signalservice::resume resumes a specified service, after successful suspending, by sending a SERVICE_CONTROL_CONTINUE signalsid::patch patchs the NTDS (NT Directory Services). It's useful when running id::modify or sid::addโstandard::answer or answer provides an answer to The Ultimate Question of Life, the Universe, and Everything! standard::cd or cd can change or display the current directory. The changed directory is used for saving filestoken::elevate can be used to impersonate a token. By default it will elevate permissions to NT AUTHORITY\SYSTEMvault::list lists saved credentials in the Windows Vault such as scheduled tasks, RDP, Internet Explorer for the current user