# Modules ## Modules * [`crypto`](#crypto): This modules deals with the Microsoft Crypto Magic world. * [`dpapi`](#dpapi): The Data Protection Application Programming Interface module. Consider this as an opsec safe option (for now) for getting credentials. * [`event`](#event): this module deals with the Windows Event logs (to clear footprints after compromise). * [`kerberos`](#kerberos): This module deals with the Greek Mythology's three headed Hades dog without the help of Hercules. * [`lsadump`](#lsadump): this module contains some well known functionalities of Mimikatz such as DCSync, DCShadow, dumping of SAM and LSA Secrets. * [`misc`](#misc): The miscellaneous module contains functionalities such as PetitPotam, PrintNightmare RPC Print Spooler and others. * [`net`](#net): some functionalities in this module are similar to the Windows **net** commands. Enumerating sessions and servers configured with different types of Kerberos delegations is also included. * [`privilege`](#privilege): This module deals with the Windows privileges. It includes the favorite debug privilege which holds the keys to LSASS. * [`process`](#process): This module deal with Windows processes. It can also be used for process injection and parent process spoofing. * [`rpc`](#rpc): The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely. * [`sekurlsa`](#sekurlsa): The most beloved module of Mimikatz. Even Benjamin has mentioned in the past that one day people will discover that Mimikatz is more than [`sekurlsa::logonpasswords`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/logonpasswords). Hope we made some effort on this Benjamin. * [`service`](#service): This module can interact with Windows services plus installing the `mimikatzsvc` service. * [`sid`](#sid): This module deals with the Security Identifier. * [`standard`](#standard): This module contains some general functionalities which are not related to exploitation. * [`token`](#token): This module deals with the Windows tokens (who does not really like elevating to `NT AUTHORITY\ SYSTEM`). * [`ts`](#ts): This module deals with the Terminal Services. It can be an alternative for getting clear-text passwords. * [`vault`](#vault): This module dumps passwords saved in the Windows Vault. ## Commands ### crypto * [`crypto::capi`](https://tools.thehacker.recipes/mimikatz/modules/crypto/capi) patches CryptoAPI layer for easy export (Experimental :warning:) * [`crypto::certificates`](https://tools.thehacker.recipes/mimikatz/modules/crypto/certificates) lists or exports certificates * [`crypto::certtohw`](https://tools.thehacker.recipes/mimikatz/modules/crypto/certtohw) tries to export a software CA to a crypto (virtual) hardware * [`crypto::cng`](https://tools.thehacker.recipes/mimikatz/modules/crypto/cng) patches the CNG (Cryptography API: Next Generation) service for easy export (Experimental :warning:) * [`crypto::extract`](https://tools.thehacker.recipes/mimikatz/modules/crypto/extract) extracts keys from the CAPI RSA/AES provider (Experimental :warning:) * [`crypto::hash`](https://tools.thehacker.recipes/mimikatz/modules/crypto/hash) hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2) with the username being an optional value * [`crypto::keys`](https://tools.thehacker.recipes/mimikatz/modules/crypto/keys) lists or exports key containers * [`crypto::providers`](https://tools.thehacker.recipes/mimikatz/modules/crypto/providers) lists cryptographic providers * [`crypto::sc`](https://tools.thehacker.recipes/mimikatz/modules/crypto/sc) lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcard * [`crypto::scauth`](https://tools.thehacker.recipes/mimikatz/modules/crypto/scauth) it creates a authentication certificate (smartcard like) from a CA * [`crypto::stores`](https://tools.thehacker.recipes/mimikatz/modules/crypto/stores) lists cryptographic stores * [`crypto::system`](https://tools.thehacker.recipes/mimikatz/modules/crypto/system) it describes a Windows System Certificate * [`crypto::tpminfo`](https://tools.thehacker.recipes/mimikatz/modules/crypto/tpminfo) displays information for the Microsoft's TPM Platform Crypto Provider ### dpapi * [`dpapi::blob`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/blob) describes a DPAPI blob and unprotects/decrypts it with API or Masterkey * [`dpapi::cache`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/cache) displays the credential cache of the DPAPI module * [`dpapi::capi`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/capi) decrypts a CryptoAPI private key file * [`dpapi::chrome`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/chrome) dumps stored credentials and cookies from Chrome * [`dpapi::cloudapkd`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/cloudapkd) is undocumented at the moment * [`dpapi::cloudapreg`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/cloudapreg) dumps azure credentials by querying the following registry location * [`dpapi::cng`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/cng) decrypts a given CNG private key file * [`dpapi::create`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/create) creates a DPAPI Masterkey file from raw key and metadata * [`dpapi::cred`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/cred) decrypts DPAPI saved credential such as RDP, Scheduled tasks, etc (cf. [dumping DPAPI secrets](https://www.thehacker.recipes/ad-ds/movement/credentials/dumping/dpapi-protected-secrets)) * [`dpapi::credhist`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist) describes a Credhist file * [`dpapi::luna`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/luna) decrypts Safenet LunaHSM KSP * [`dpapi::masterkey`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/masterkey) describes a Masterkey file and unprotects each Masterkey (key depending). In other words, it can decrypt and request masterkeys from active directory * [`dpapi::protect`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/protect) protects data via a DPAPI call * [`dpapi::ps`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/ps) decrypts PowerShell credentials (PSCredentials or SecureString) * [`dpapi::rdg`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/rdg) decrypts Remote Desktop Gateway saved passwords * [`dpapi::sccm`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/sccm) is used to decrypt saved SCCM credentials * [`dpapi::ssh`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/ssh) extracts OpenSSH private keys * [`dpapi::tpm`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/tpm) decrypts TPM PCP key file ([Microsoft's TPM Platform Crypto Provider](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/setting-up-tpm-protected-certificates-using-a-microsoft/ba-p/1129055) (PCP)) * [`dpapi::vault`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/vault) decrypts DPAPI vault credentials from the [Credential Store](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) * [`dpapi::wifi`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/wifi) decrypts saved Wi-Fi passwords * [`dpapi::wwman`](https://tools.thehacker.recipes/mimikatz/modules/dpapi/wwan) decrypts Wwan credentials ### event * [`event::clear`](https://tools.thehacker.recipes/mimikatz/modules/event/clear) clears a specified event log * [`event::drop`](https://tools.thehacker.recipes/mimikatz/modules/event/drop) patches event services to avoid new events ( :warning: experimental) ### kerberos * [`kerberos::ask`](https://tools.thehacker.recipes/mimikatz/modules/kerberos/ask) can be used to obtain Service Tickets. The Windows native command is [`klist get`](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist) * [`kerberos::clist`](https://tools.thehacker.recipes/mimikatz/modules/kerberos/clist) lists tickets in [MIT](https://web.mit.edu/kerberos/)/[Heimdall](https://github.com/heimdal/heimdal) ccache format. It can be useful with other tools (i.e. ones that support [Pass the Cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc)) * [`kerberos::golden`](https://tools.thehacker.recipes/mimikatz/modules/kerberos/golden) can be used to [forge golden and silver tickets](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets). It can also be used for forging inter-realm trust keys * [`kerberos::hash`](https://tools.thehacker.recipes/mimikatz/modules/kerberos/hash) computes the different types of Kerberos keys for a given password * [`kerberos::list`](https://tools.thehacker.recipes/mimikatz/modules/kerberos/list) has a similar functionality to [`klist`](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist) command without requiring elevated privileges. Unlike [`sekurlsa::tickets`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/tickets), this module does not interact with LSASS * [`kerberos::ptc`](https://tools.thehacker.recipes/mimikatz/modules/kerberos/ptc) can be used to [pass the cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc). This is similar to [`kerberos::ptt`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/ptt.md) that does pass the ticket but is different in the sense that the ticket used is a `.ccache` ticket instead of a `.kirbi` one * [`kerberos::ptt`](https://tools.thehacker.recipes/mimikatz/modules/kerberos/ptt) is used for [passing the ticket](https://www.thehacker.recipes/ad/movement/kerberos/ptt) by injecting one or may Kerberos tickets in the current session. The ticket can either be a TGT (Ticket-Granting Ticket) or an ST (Service Ticket) * [`kerberos::purge`](https://tools.thehacker.recipes/mimikatz/modules/kerberos/purge) purges all kerberos tickets similar to [`klist purge`](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist) * [`kerberos::tgt`](https://tools.thehacker.recipes/mimikatz/modules/kerberos/tgt) retrieves a TGT (Ticket-Granting Ticket) for the current user ### lsadump * [`lsadump::backupkeys`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/backupkeys) dumps the DPAPI backup keys from the Domain Controller (cf. [dumping DPAPI secrets](https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets)) * [`lsadump::cache`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/cache) can be used to enumerate Domain Cached Credentials from registry. It does so by acquiring the `SysKey` to decrypt `NL$KM` (binary protected value) and then `MSCache(v1/v2)` * [`lsadump::changentlm`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/changentlm) can be used to change the password of a user * [`lsadump::dcshadow`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/dcshadow) TODO * [`lsadump::dcsync`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/dcsync) can be used to do a [DCSync](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync) and retrieve domain secrets. This command uses the Directory Replication Service Remote protocol ([MS-DRSR](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN)) to request from a domain controller to synchronize a specified entry * [`lsadump::lsa`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/lsa) extracts hashes from memory by asking the LSA server. The `patch` or `inject` takes place on the fly * [`lsadump::mbc`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/mbc) dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled are using Machine Bound Certificates * [`lsadump::netsync`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/netsync) can be used to act as a Domain Controller on a target by doing a [Silver Ticket](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets#silver-ticket). It then leverages the [Netlogon](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f) to request the RC4 key (i.e. NT hash) of the target computer account * [`lsadump::packages`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/packages) lists the available Windows authentication mechanisms * [`lsadump::postzerologon`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/postzerologon) is a procedure to update AD domain password and its local stored password remotely mimic `netdom resetpwd` * [`lsadump::RpData`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/rpdata) can retrieve private data (*at the time of writing, Nov 1st 2021, we have no idea what this does or refers to* :man\_shrugging:) * [`lsadump::sam`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/sam) dumps the local Security Account Manager (SAM) NT hashes (cf. [SAM secrets dump](https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets)) * [`lsadump::secrets`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/secrets) can be used to [dump LSA secrets](https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets) from the registries. It retrieves the `SysKey` to decrypt `Secrets` entries * [`lsadump::setntlm`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/setntlm) can be used to perform a password reset without knowing the user's current password. It can be useful during an active directory [Access Control (ACL) abuse](https://www.thehacker.recipes/ad/movement/access-controls) scenario * [`lsadump::trust`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/trust) can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most of the EDRs are paying attention to the KRBTGT hash, this is a stealthy way to compromise forest trusts * [`lsadump::zerologon`](https://tools.thehacker.recipes/mimikatz/modules/lsadump/zerologon) detects and exploits the [ZeroLogon](https://www.thehacker.recipes/ad/movement/netlogon/zerologon) vulnerability ### misc * [`misc::aadcookie`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/aadcookie.md) can be used to dump the Azure Panel's session cookie from `login.microsoftonline.com` * [`misc::clip`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/clip.md) monitors clipboard. `CTRL+C` stops the monitoring * [`misc::cmd`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/cmd.md) launches the command prompt * [`misc::compress`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/compress.md) performs a self compression of mimikatz * [`misc::detours`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/detours.md) is experimental and it tries to enumerate all modules with [Detours-like hooks](https://www.codeproject.com/Articles/30140/API-Hooking-with-MS-Detours) * [`misc::efs`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/efs.md) is Mimikatz's implementation of the [MS-EFSR abuse (PetitPotam)](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/ms-efsr), an authentication coercion technique * [`misc::lock`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/lock.md) locks the screen. It can come in handy with [`misc::memssp`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/memssp.md) * [`misc::memssp`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/memssp.md) patches LSASS by injecting a new Security Support Provider (a DLL is registered) * [`misc::mflt`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/mflt.md) identifies Windows minifilters inside mimikatz, without using **fltmc.exe**. It can also assist in fingerprinting security products, by altitude too (Gathers details on loaded drivers, including driver altitude) * [`misc::ncroutemon`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/ncroutemon.md) displays Juniper network connect (without route monitoring) * [`misc::ngcsign`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/ngcsign.md) can be used to dump the NGC key (Windows Hello keys) signed with the symmetric pop key. * [`misc::printnightmare`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/printnightmare.md) can be used to exploit the [PrintNightMare](https://adamsvoboda.net/breaking-down-printnightmare-cve-2021-1675/) vulnerability in both \[[MS-RPRN RpcAddPrinterDriverEx](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b)] and \[[MS-PAR AddPrinterDriverEx](https://docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex)]. The bug was discovered by Zhiniang Peng ([@edwardzpeng](https://twitter.com/edwardzpeng?lang=en)) & Xuefeng Li ([@lxf02942370](https://twitter.com/lxf02942370?lang=en)) * [`misc::regedit`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/regedit.md) launches the registry editor * [`misc::sccm`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/sccm.md) decrypts the password field in the `SC_UserAccount` table in the SCCM database * [`misc::shadowcopies`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/shadowcopies.md) is used to list the available shadow copies on the system * [`misc::skeleton`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/skeleton.md) injects a "[Skeleton Key](https://www.thehacker.recipes/ad/persistence/skeleton-key)" into the LSASS process on the domain controller * [`misc::spooler`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/spooler.md) is Mimikat's implementation of the [MS-RPRN abuse (PrinterBug)](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/ms-rprn), an authentication coercion technique * [`misc::taskmgr`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/taskmgr.md) launches the task manager * [`misc::wp`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/wp.md) sets up a wallpaper * [`misc::xor`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/xor.md) performs XOR decoding/encoding on a provided file with `0x42` default key ### net * [`net::alias`](https://tools.thehacker.recipes/mimikatz/modules/net/alias) displays more information about the local group memberships including Remote Desktop Users, Distributed COM Users, etc * [`net::deleg`](https://tools.thehacker.recipes/mimikatz/modules/net/deleg) checks for the following types of [Kerberos delegations](https://www.thehacker.recipes/ad-ds/movement/kerberos/delegations) * [`net::group`](https://tools.thehacker.recipes/mimikatz/modules/net/group) displays the local groups * [`net::if`](https://tools.thehacker.recipes/mimikatz/modules/net/if) displays the available local IP addresses and the hostname * [`net::serverinfo`](https://tools.thehacker.recipes/mimikatz/modules/net/serverinfo) displays information about the logged in server * [`net::session`](https://tools.thehacker.recipes/mimikatz/modules/net/session) displays the active sessions through [NetSessionEnum()](https://web.archive.org/web/20201201223201/https://docs.microsoft.com/en-us/windows/win32/api/lmshare/nf-lmshare-netsessionenum) Win32 API function * [`net::share`](https://tools.thehacker.recipes/mimikatz/modules/net/share) displays the available shares * [`net::stats`](https://tools.thehacker.recipes/mimikatz/modules/net/stats) displays when the target was booted * [`net::tod`](https://tools.thehacker.recipes/mimikatz/modules/net/tod) displays the current time * [`net::trust`](https://tools.thehacker.recipes/mimikatz/modules/net/trust) displays information for the active directory forest trust(s) * [`net::user`](https://tools.thehacker.recipes/mimikatz/modules/net/user) displays the local users * [`net::wsession`](https://tools.thehacker.recipes/mimikatz/modules/net/wsession) displays the active sessions through [NetWkstaUserEnum()](https://web.archive.org/web/20190909155552/https://docs.microsoft.com/en-us/windows/win32/api/lmwksta/nf-lmwksta-netwkstauserenum) Win32 API function ### privilege * [`privilege::backup`](https://tools.thehacker.recipes/mimikatz/modules/privilege/backup) requests the backup privilege (`SeBackupPrivilege`) * [`privilege::debug`](https://tools.thehacker.recipes/mimikatz/modules/privilege/debug) requests the debug privilege (`SeDebugPrivilege`) * [`privilege::driver`](https://tools.thehacker.recipes/mimikatz/modules/privilege/driver) requests the load driver privilege (`SeLoadDriverPrivilege`) * [`privilege::id`](https://tools.thehacker.recipes/mimikatz/modules/privilege/id) requests a privilege by its `id` * [`privilege::name`](https://tools.thehacker.recipes/mimikatz/modules/privilege/name) requests a privilege by its name * [`privilege::restore`](https://tools.thehacker.recipes/mimikatz/modules/privilege/restore) requests the restore privilege (`SeRestorePrivilege`) * [`privilege::security`](https://tools.thehacker.recipes/mimikatz/modules/privilege/security) requests the security privilege (`SeSecurityPrivilege`) * [`privilege::sysenv`](https://tools.thehacker.recipes/mimikatz/modules/privilege/sysenv) requests the system environment privilege (`SeSystemEnvironmentPrivilege`) * [`privilege::tcb`](https://tools.thehacker.recipes/mimikatz/modules/privilege/tcb) requests the tcb privilege (`SeTcbPrivilege`) ### process * [`process::exports`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/exports.md) lists all the exported functions from the DLLs each running process is using. If a\*\* \*\*`/pid` is not specified, then exports for `mimikatz.exe` will be displayed * [`process::imports`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/imports.md) lists all the imported functions from the DLLs each running process is using. If a\*\* \*\*`/pid` is not specified, then imports for `mimikatz.exe` will be displayed * [`process::list`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/list.md) lists all the running processes. It uses the [NtQuerySystemInformation](https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysysteminformation) Windows Native API function * [`process::resume`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/resume.md) resumes a suspended process by using the [NtResumeProcess](https://www.geoffchappell.com/studies/windows/win32/ntdll/api/native.htm) Windows Native API function * [`process::run`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/run.md) creates a process by using the [CreateProcessAsUser](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera) Win32 API function. The [CreateEnvironmentBlock](https://docs.microsoft.com/en-us/windows/win32/api/userenv/nf-userenv-createenvironmentblock) is also utilized * [`process::runp`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/runp.md) runs a subprocess under a parent process (Default parent process is `LSASS.exe`). It can also be used for lateral movement and process spoofing * [`process::start`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/start.md) starts a process by using the [CreateProcess](https://web.archive.org/web/20170713150625/https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425.aspx) Win32 API function. The `PID` of the process is also displayed * [`process::stop`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/stop.md) terminates a process by using the [NtTerminateProcess](https://www.geoffchappell.com/studies/windows/win32/ntdll/api/native.htm) Windows Native API function. The Win32 API equal one is [TerminateProcess](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess) * [`process::suspend`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/suspend.md) suspends a process by using the [NtSuspendProcess](https://ntopcode.wordpress.com/tag/ntsuspendprocess/) Windows Native API function ### rpc * [`rpc::close`](https://tools.thehacker.recipes/mimikatz/modules/rpc/close) closes remote RPC sessions * [`rpc::connect`](https://tools.thehacker.recipes/mimikatz/modules/rpc/connect) connects to an RPC endpoint * [`rpc::enum`](https://tools.thehacker.recipes/mimikatz/modules/rpc/enum) enumerates RPC endpoints on a system * [`rpc::server`](https://tools.thehacker.recipes/mimikatz/modules/rpc/server) starts an RPC server ### sekurlsa * [`sekurlsa::backupkeys`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/backupkeys) lists the preferred Backup Master keys * [`sekurlsa::bootkey`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/bootkey) sets the SecureKernel Boot Key and attempts to decrypt LSA Isolated credentials * [`sekurlsa::cloudap`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/cloudap) lists Azure (Primary Refresh Token) credentials based on the following research: [Digging further into the Primary Refresh Token](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/). [According to Benjamin](https://twitter.com/gentilkiwi/status/1291102498099527682?s=20): * [`sekurlsa::credman`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/credman) lists Credentials Manager by targeting the Microsoft Local Security Authority Server DLL ([lsasrv.dll](https://windows10dll.nirsoft.net/lsasrv_dll.html)) * [`sekurlsa::dpapi`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/dpapi) lists DPAPI cached masterkeys * [`sekurlsa::dpapisystem`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/dpapisystem) lists the `DPAPI_SYSTEM` secret key * [`sekurlsa::ekeys`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/ekeys) lists Kerberos encryption keys * [`sekurlsa::kerberos`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/kerberos) lists Kerberos credentials * [`sekurlsa::krbtgt`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/krbtgt) retrieves the krbtgt RC4 (i.e. NT hash), AES128 and AES256 hashes * [`sekurlsa::livessp`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/livessp) lists LiveSSP credentials. According to Microsoft, the LiveSSP provider is included by default in Windows 8 and later and is included in the Office 365 Sign-in Assistant * [`sekurlsa::logonpasswords`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/logonpasswords) lists all available provider credentials. This usually shows recently logged on user and computer credentials * [`sekurlsa::minidump`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/minidump) can be used against a dumped LSASS process file and it does not require administrative privileges. It's considered as an "offline" dump * [`sekurlsa::msv`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/msv) dumps and lists the NT hash (and other secrets) by targeting the [MSV1\_0 Authentication Package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package) * [`sekurlsa::process`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/process) switches (or reinits) to LSASS process context. It can be used after [`sekurlsa::minidump`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/minidump.md) * [`sekurlsa::pth`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/pth) performs [Pass-the-Hash](https://www.thehacker.recipes/ad/movement/ntlm/pth), [Pass-the-Key](https://www.thehacker.recipes/ad/movement/kerberos/ptk) and [Over-Pass-the-Hash](https://www.thehacker.recipes/ad/movement/kerberos/opth). Upon successful authentication, a program is run (n.b. defaulted to `cme.exe`) * [`sekurlsa::ssp`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/ssp) lists [Security Support Provider](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/security-support-provider-interface-architecture) (SSP) credentials * [`sekurlsa::tickets`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/tickets) lists Kerberos tickets belonging to all authenticated users on the target server/workstation. Unlike [`kerberos::list`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/process/list.md), sekurlsa uses memory reading and is not subject to key export restrictions. Sekurlsa can also access tickets of others sessions (users) * [`sekurlsa::trust`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/trust) retrieves the forest trust keys * [`sekurlsa::tspkg`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/tspkg) lists TsPkg credentials. This credentials provider is used for Terminal Server Authentication * [`sekurlsa::wdigest`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/wdigest) lists WDigest credentials. According to Microsoft, [WDigest.dll](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778868\(v%3dws.10\)) was introduced in the Windows XP operating system ### service * [`service::-`](https://tools.thehacker.recipes/mimikatz/modules/service/undefined) removes the `mimikatzsvc` service * [`service::+`](https://tools.thehacker.recipes/mimikatz/modules/service/+) installs the `mimikatzsvc` service by issuing `rpc::server service::me exit` * [`service::preshutdown`](https://tools.thehacker.recipes/mimikatz/modules/service/preshutdown) pre-shuts down a specified service by sending a `SERVICE_CONTROL_PRESHUTDOWN` signal * [`service::remove`](https://tools.thehacker.recipes/mimikatz/modules/service/remove) removes the specified service (It must be used with caution) * [`service::resume`](https://tools.thehacker.recipes/mimikatz/modules/service/resume) resumes a specified service, after successful suspending, by sending a `SERVICE_CONTROL_CONTINUE` signal * [`service::shutdown`](https://tools.thehacker.recipes/mimikatz/modules/service/shutdown) shuts down a specified service by sending a `SERVICE_CONTROL_SHUTDOWN` signal * [`service::start`](https://tools.thehacker.recipes/mimikatz/modules/service/start) starts a service * [`service::stop`](https://tools.thehacker.recipes/mimikatz/modules/service/stop) stops a specified service by sending a `SERVICE_CONTROL_STOP` signal * [`service::suspend`](https://tools.thehacker.recipes/mimikatz/modules/service/suspend) suspends the specified service. It sends a `SERVICE_CONTROL_PAUSE` signal ### sid * [`sid::add`](https://tools.thehacker.recipes/mimikatz/modules/sid/add) adds a SID to `sIDHistory` of an object * [`sid::clear`](https://tools.thehacker.recipes/mimikatz/modules/sid/clear) clears the `sIDHistory` of a target object * [`sid::lookup`](https://tools.thehacker.recipes/mimikatz/modules/sid/lookup) looks up an object by its SID or name * [`sid::modify`](https://tools.thehacker.recipes/mimikatz/modules/sid/modify) modifies an object's SID * [`sid::patch`](https://tools.thehacker.recipes/mimikatz/modules/sid/patch) patchs the NTDS (NT Directory Services). It's useful when running [`id::modify`](https://tools.thehacker.recipes/mimikatz/modules/sid/modify) or [`sid::add`](https://tools.thehacker.recipes/mimikatz/modules/sid/add) * [`sid::query`](https://tools.thehacker.recipes/mimikatz/modules/sid/query) queries an object by its SID or name ### standard * [`standard::answer`](https://tools.thehacker.recipes/mimikatz/modules/standard/answer) or `answer` provides an answer to [The Ultimate Question of Life, the Universe, and Everything!](https://hitchhikers.fandom.com/wiki/Ultimate_Question) :stars: * [`standard::base64`](https://tools.thehacker.recipes/mimikatz/modules/standard/base64) or `base64` switches file input/output to base64 * [`standard::cd`](https://tools.thehacker.recipes/mimikatz/modules/standard/cd) or `cd` can change or display the current directory. The changed directory is used for saving files * [`standard::cls`](https://tools.thehacker.recipes/mimikatz/modules/standard/cls) or `cls` clears the screen * [`standard::coffee`](https://tools.thehacker.recipes/mimikatz/modules/standard/coffee) or `coffee` is the most important command of all * [`standard::exit`](https://tools.thehacker.recipes/mimikatz/modules/standard/exit) or `exit` quits Mimikatz after clearing routines * [`standard::hostname`](https://tools.thehacker.recipes/mimikatz/modules/standard/hostname) or `hostname` displays system local hostname * [`standard::localtime`](https://tools.thehacker.recipes/mimikatz/modules/standard/localtime) or `localtime` displays system local date and time * [`standard::log`](https://tools.thehacker.recipes/mimikatz/modules/standard/log) or `log` logs mimikatz input/output to a file * [`standard::sleep`](https://tools.thehacker.recipes/mimikatz/modules/standard/sleep) or `sleep` make Mimikatz sleep an amount of milliseconds * [`standard::version`](https://tools.thehacker.recipes/mimikatz/modules/standard/version) or `version` displays the version in use of Mimikatz ### token * [`token::elevate`](https://tools.thehacker.recipes/mimikatz/modules/token/elevate) can be used to impersonate a token. By default it will elevate permissions to `NT AUTHORITY\SYSTEM` * [`token::list`](https://tools.thehacker.recipes/mimikatz/modules/token/list) lists all tokens on the system * [`token::revert`](https://tools.thehacker.recipes/mimikatz/modules/token/revert) reverts to the previous token * [`token::run`](https://tools.thehacker.recipes/mimikatz/modules/token/run) executes a process with its token * [`token::whoami`](https://tools.thehacker.recipes/mimikatz/modules/token/whoami) displays the current token ### ts * [`ts::logonpasswords`](https://tools.thehacker.recipes/mimikatz/modules/ts/logonpasswords) extracts clear text credentials from RDP running sessions (server side) * [`ts::mstsc`](https://tools.thehacker.recipes/mimikatz/modules/ts/mstsc) extracts cleartext credentials from the mstsc process (client side) * [`ts::multirdp`](https://tools.thehacker.recipes/mimikatz/modules/ts/multirdp) enables multiple RDP connections on the target server * [`ts::remote`](https://tools.thehacker.recipes/mimikatz/modules/ts/remote) performs RDP takeover/hijacking of active sessions * [`ts::sessions`](https://tools.thehacker.recipes/mimikatz/modules/ts/sessions) lists the current RDP sessions. It comes in handy for RDP hijacking ### vault * [`vault::cred`](https://tools.thehacker.recipes/mimikatz/modules/vault/cred) enumerates vault credentials * [`vault::list`](https://tools.thehacker.recipes/mimikatz/modules/vault/list) lists saved credentials in the Windows Vault such as scheduled tasks, RDP, Internet Explorer for the current user