crypto: This modules deals with the Microsoft Crypto Magic world.
dpapi: The Data Protection Application Programming Interface module. Consider this as an opsec safe option (for now) for getting credentials.
event: this module deals with the Windows Event logs (to clear footprints after compromise).
kerberos: This module deals with the Greek Mythology's three headed Hades dog without the help of Hercules.
lsadump: this module contains some well known functionalities of Mimikatz such as DCSync, DCShadow, dumping of SAM and LSA Secrets.
misc: The miscellaneous module contains functionalities such as PetitPotam, PrintNightmare RPC Print Spooler and others.
net: some functionalities in this module are similar to the Windows net commands. Enumerating sessions and servers configured with different types of Kerberos delegations is also included.
privilege: This module deals with the Windows privileges. It includes the favorite debug privilege which holds the keys to LSASS.
process: This module deal with Windows processes. It can also be used for process injection and parent process spoofing.
rpc: The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely.
sekurlsa: The most beloved module of Mimikatz. Even Benjamin has mentioned in the past that one day people will discover that Mimikatz is more than
sekurlsa::logonpasswords. Hope we made some effort on this Benjamin.
service: This module can interact with Windows services plus installing the
sid: This module deals with the Security Identifier.
standard: This module contains some general functionalities which are not related to exploitation.
token: This module deals with the Windows tokens (who does not really like elevating to
NT AUTHORITY\ SYSTEM).
ts: This module deals with the Terminal Services. It can be an alternative for getting clear-text passwords.
vault: This module dumps passwords saved in the Windows Vault.
crypto::capi patches CryptoAPI layer for easy export (Experimental )
crypto::cng patches the CNG (Cryptography API: Next Generation) service for easy export (Experimental )
crypto::extract extracts keys from the CAPI RSA/AES provider (Experimental )
crypto::hash hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2) with the username being an optional value
crypto::sc lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcard
crypto::scauth it creates a authentication certificate (smartcard like) from a CA
crypto::tpminfo displays information for the Microsoft's TPM Platform Crypto Provider
event::drop patches event services to avoid new events ( experimental)
lsadump::cache can be used to enumerate Domain Cached Credentials from registry. It does so by acquiring the
SysKey to decrypt
NL$KM (binary protected value) and then
lsadump::dcsync can be used to do a DCSync and retrieve domain secrets. This command uses the Directory Replication Service Remote protocol (MS-DRSR) to request from a domain controller to synchronize a specified entry
lsadump::lsa extracts hashes from memory by asking the LSA server. The
inject takes place on the fly
lsadump::mbc dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled are using Machine Bound Certificates
lsadump::netsync can be used to act as a Domain Controller on a target by doing a Silver Ticket. It then leverages the Netlogon to request the RC4 key (i.e. NT hash) of the target computer account
lsadump::postzerologon is a procedure to update AD domain password and its local stored password remotely mimic
lsadump::RpData can retrieve private data (at the time of writing, Nov 1st 2021, we have no idea what this does or refers to )
lsadump::trust can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most of the EDRs are paying attention to the KRBTGT hash, this is a stealthy way to compromise forest trusts
service::+ installs the
mimikatzsvc service by issuing
rpc::server service::me exit
service::preshutdown pre-shuts down a specified service by sending a
service::remove removes the specified service (It must be used with caution)
service::resume resumes a specified service, after successful suspending, by sending a
service::shutdown shuts down a specified service by sending a
service::stop stops a specified service by sending a
service::suspend suspends the specified service. It sends a
ts::logonpasswords extracts clear text credentials from RDP running sessions (server side)
ts::mstsc extracts cleartext credentials from the mstsc process (client side)
ts::multirdp enables multiple RDP connections on the target server
ts::remote performs RDP takeover/hijacking of active sessions
ts::sessions lists the current RDP sessions. It comes in handy for RDP hijacking
vault::list lists saved credentials in the Windows Vault such as scheduled tasks, RDP, Internet Explorer for the current user