Modules
Last updated
: This module deals with the Microsoft Crypto Magic world.
: The Data Protection Application Programming Interface module. Consider this as an opsec safe option (for now) for getting credentials.
: This module deals with the Windows Event Logs (to clear footprints after compromise).
: This module deals with the Greek Mythology's three headed Hades dog without the help of Hercules.
: This module contains some well-known functionalities of Mimikatz such as DCSync, DCShadow, and dumping of SAM and LSA Secrets.
: The miscellaneous module contains functionalities such as PetitPotam, PrintNightmare RPC Print Spooler and others.
: Some functionalities in this module are similar to the Windows net commands. Enumerating sessions and servers configured with different types of Kerberos delegation is also included.
: This module deals with Windows privileges. It includes the favorite debug privilege, which holds the keys to LSASS.
: This module deals with Windows processes. It can also be used for process injection and parent process spoofing.
: The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely.
: The most beloved module of Mimikatz. Even Benjamin has mentioned in the past that one day people will discover that Mimikatz is more than . Hope we made some effort on this, Benjamin.
: This module can interact with Windows services, plus installing the mimikatzsvc service.
: This module deals with the Security Identifier.
: This module contains some general functionalities which are not related to exploitation.
: This module deals with Windows tokens (who does not really like elevating to NT AUTHORITY\SYSTEM?).
: This module deals with Terminal Services. It can be an alternative for getting clear-text passwords.
: This module dumps passwords saved in the Windows Vault.
patches the CryptoAPI layer for easy export (experimental)
lists or exports certificates
tries to export a software CA to a crypto (virtual) hardware
patches the CNG (Cryptography API: Next Generation) service for easy export (experimental)
extracts keys from the CAPI RSA/AES provider (experimental)
hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2), with the username as an optional value
lists or exports key containers
lists cryptographic providers
lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcard
creates an authentication certificate (smartcard-like) from a CA
lists cryptographic stores
describes a Windows System Certificate
displays information for Microsoft's TPM Platform Crypto Provider
describes a DPAPI blob and unprotects/decrypts it with the API or a Masterkey
displays the credential cache of the DPAPI module
decrypts a CryptoAPI private key file
dumps stored credentials and cookies from Chrome
is undocumented at the moment
dumps Azure credentials by querying the following registry location
decrypts a given CNG private key file
creates a DPAPI Masterkey file from raw key and metadata
decrypts DPAPI saved credentials such as RDP, Scheduled Tasks, etc. (cf. )
describes a Credhist file
decrypts Safenet LunaHSM KSP
describes a Masterkey file and unprotects each Masterkey (depending on the key). In other words, it can decrypt masterkeys and request them from Active Directory
protects data via a DPAPI call
decrypts PowerShell credentials (PSCredentials or SecureString)
decrypts Remote Desktop Gateway saved passwords
is used to decrypt saved SCCM credentials
extracts OpenSSH private keys
decrypts a TPM Platform Crypto Provider (PCP) key file
decrypts DPAPI vault credentials from the
decrypts saved Wi-Fi passwords
decrypts WWAN credentials
clears a specified event log
patches event services to avoid new events (experimental)
can be used to obtain Service Tickets. The Windows native command is
lists tickets in / ccache format. It can be useful with other tools (i.e. ones that support )
can be used to . It can also be used for forging inter-realm trust keys
computes the different types of Kerberos keys for a given password
offers functionality similar to the command without requiring elevated privileges. Unlike , this module does not interact with LSASS
can be used to . This is similar to , which does pass the ticket, but differs in that the ticket used is a .ccache ticket instead of a .kirbi one
is used for by injecting one or more Kerberos tickets into the current session. The ticket can either be a TGT (Ticket-Granting Ticket) or an ST (Service Ticket)
purges all Kerberos tickets, similar to
retrieves a TGT (Ticket-Granting Ticket) for the current user
dumps the DPAPI backup keys from the Domain Controller (cf. )
can be used to enumerate Domain Cached Credentials from the registry. It does so by acquiring the SysKey to decrypt NL$KM (a binary protected value) and then MSCache (v1/v2)
can be used to change the password of a user
TODO
can be used to do a and retrieve domain secrets. This command uses the Directory Replication Service Remote protocol () to request from a domain controller to synchronize a specified entry
extracts hashes from memory by asking the LSA server. The patch or inject takes place on the fly
dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled use Machine Bound Certificates
can be used to act as a Domain Controller on a target by doing a . It then leverages the to request the RC4 key (i.e. NT hash) of the target computer account
lists the available Windows authentication mechanisms
is a procedure to remotely update an AD domain password and its locally stored password, mimicking netdom resetpwd
can retrieve private data (at the time of writing, Nov 1st 2021, we have no idea what this does or refers to)
dumps the local Security Account Manager (SAM) NT hashes (cf. )
can be used to from the registry. It retrieves the SysKey to decrypt Secrets entries
can be used to perform a password reset without knowing the user's current password. It can be useful during an Active Directory scenario
can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most EDRs pay attention to the KRBTGT hash, this is a stealthy way to compromise forest trusts
detects and exploits the vulnerability
can be used to dump the Azure Panel's session cookie from login.microsoftonline.com
monitors the clipboard. CTRL+C stops the monitoring
launches the command prompt
performs a self-compression of Mimikatz
is experimental and tries to enumerate all modules with
is Mimikatz's implementation of the , an authentication coercion technique
locks the screen. It can come in handy with
patches LSASS by injecting a new Security Support Provider (a DLL is registered)
identifies Windows minifilters from within Mimikatz, without using fltmc.exe. It can also assist in fingerprinting security products by altitude (it gathers details on loaded drivers, including driver altitude)
displays Juniper Network Connect (without route monitoring)
can be used to dump the NGC key (Windows Hello keys) signed with the symmetric PoP key
can be used to exploit the vulnerability in both [] and []. The bug was discovered by Zhiniang Peng () and Xuefeng Li ()
launches the registry editor
decrypts the password field in the SC_UserAccount table in the SCCM database
is used to list the available shadow copies on the system
injects a "" into the LSASS process on the domain controller
is Mimikatz's implementation of the , an authentication coercion technique
launches the task manager
sets the wallpaper
performs XOR encoding/decoding on a provided file, with 0x42 as the default key
displays more information about local group memberships, including Remote Desktop Users, Distributed COM Users, etc.
checks for the following types of
displays the local groups
displays the available local IP addresses and the hostname
displays information about the logged-in server
displays the active sessions through Win32 API function
displays the available shares
displays when the target was booted
displays the current time
displays information for the active directory forest trust(s)
displays the local users
displays the active sessions through Win32 API function
requests the backup privilege (SeBackupPrivilege)
requests the debug privilege (SeDebugPrivilege)
requests the load driver privilege (SeLoadDriverPrivilege)
requests a privilege by its id
requests a privilege by its name
requests the restore privilege (SeRestorePrivilege)
requests the security privilege (SeSecurityPrivilege)
requests the system environment privilege (SeSystemEnvironmentPrivilege)
requests the TCB privilege (SeTcbPrivilege)
lists all the exported functions from the DLLs each running process is using. If a /pid is not specified, then exports for mimikatz.exe will be displayed
lists all the imported functions from the DLLs each running process is using. If a /pid is not specified, then imports for mimikatz.exe will be displayed
lists all the running processes. It uses the Windows Native API function
resumes a suspended process by using the Windows Native API function
creates a process by using the Win32 API function. The is also utilized
runs a subprocess under a parent process (the default parent process is LSASS.exe). It can also be used for lateral movement and process spoofing
starts a process by using the Win32 API function. The PID of the process is also displayed
terminates a process by using the Windows Native API function. The Win32 API equivalent is
suspends a process by using the Windows Native API function
closes remote RPC sessions
connects to an RPC endpoint
enumerates RPC endpoints on a system
starts an RPC server
lists the preferred Backup Master keys
sets the SecureKernel Boot Key and attempts to decrypt LSA Isolated credentials
lists Azure (Primary Refresh Token) credentials, based on the following research:
lists Credentials Manager by targeting the Microsoft Local Security Authority Server DLL ()
lists DPAPI cached masterkeys
lists the DPAPI_SYSTEM secret key
lists Kerberos encryption keys
lists Kerberos credentials
retrieves the krbtgt RC4 (i.e. NT hash), AES128 and AES256 hashes
lists LiveSSP credentials. According to Microsoft, the LiveSSP provider is included by default in Windows 8 and later and is included in the Office 365 Sign-in Assistant
lists all available provider credentials. This usually shows recently logged-on user and computer credentials
can be used against a dumped LSASS process file and does not require administrative privileges. It's considered an "offline" dump
dumps and lists the NT hash (and other secrets) by targeting the
switches (or reinits) to LSASS process context. It can be used after
performs , and . Upon successful authentication, a program is run (n.b. defaulted to cme.exe)
lists (SSP) credentials
lists Kerberos tickets belonging to all authenticated users on the target server/workstation. Unlike , sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can also access tickets of other sessions (users)
retrieves the forest trust keys
lists TsPkg credentials. This credential provider is used for Terminal Server authentication
lists WDigest credentials. According to Microsoft, was introduced in the Windows XP operating system
removes the mimikatzsvc service
installs the mimikatzsvc service by issuing rpc::server service::me exit
pre-shuts down a specified service by sending a SERVICE_CONTROL_PRESHUTDOWN signal
removes the specified service (it must be used with caution)
resumes a specified service, after it was successfully suspended, by sending a SERVICE_CONTROL_CONTINUE signal
shuts down a specified service by sending a SERVICE_CONTROL_SHUTDOWN signal
starts a service
stops a specified service by sending a SERVICE_CONTROL_STOP signal
suspends the specified service by sending a SERVICE_CONTROL_PAUSE signal
adds a SID to the sIDHistory of an object
clears the sIDHistory of a target object
looks up an object by its SID or name
modifies an object's SID
patches the NTDS (NT Directory Services). It's useful when running or
queries an object by its SID or name
or answer
provides an answer to
or base64
switches file input/output to base64
or cd
can change or display the current directory. The changed directory is used for saving files
or cls
clears the screen
or coffee
is the most important command of all
or exit
quits Mimikatz after clearing routines
or hostname
displays system local hostname
or localtime
displays system local date and time
or log
logs mimikatz input/output to a file
or sleep
makes Mimikatz sleep for a given number of milliseconds
or version
displays the Mimikatz version in use
can be used to impersonate a token. By default it will elevate permissions to NT AUTHORITY\SYSTEM
lists all tokens on the system
reverts to the previous token
executes a process with its token
displays the current token
extracts clear-text credentials from running RDP sessions (server side)
extracts clear-text credentials from the mstsc process (client side)
enables multiple RDP connections on the target server
performs RDP takeover/hijacking of active sessions
lists the current RDP sessions. It comes in handy for RDP hijacking
enumerates vault credentials
lists saved credentials in the Windows Vault, such as Scheduled Tasks, RDP and Internet Explorer, for the current user