• crypto: This modules deals with the Microsoft Crypto Magic world.

  • dpapi: The Data Protection Application Programming Interface module. Consider this as an opsec safe option (for now) for getting credentials.

  • event: this module deals with the Windows Event logs (to clear footprints after compromise).

  • kerberos: This module deals with the Greek Mythology's three headed Hades dog without the help of Hercules.

  • lsadump: this module contains some well known functionalities of Mimikatz such as DCSync, DCShadow, dumping of SAM and LSA Secrets.

  • misc: The miscellaneous module contains functionalities such as PetitPotam, PrintNightmare RPC Print Spooler and others.

  • net: some functionalities in this module are similar to the Windows net commands. Enumerating sessions and servers configured with different types of Kerberos delegations is also included.

  • privilege: This module deals with the Windows privileges. It includes the favorite debug privilege which holds the keys to LSASS.

  • process: This module deal with Windows processes. It can also be used for process injection and parent process spoofing.

  • rpc: The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely.

  • sekurlsa: The most beloved module of Mimikatz. Even Benjamin has mentioned in the past that one day people will discover that Mimikatz is more than sekurlsa::logonpasswords. Hope we made some effort on this Benjamin.

  • service: This module can interact with Windows services plus installing the mimikatzsvc service.

  • sid: This module deals with the Security Identifier.

  • standard: This module contains some general functionalities which are not related to exploitation.

  • token: This module deals with the Windows tokens (who does not really like elevating to NT AUTHORITY\ SYSTEM).

  • ts: This module deals with the Terminal Services. It can be an alternative for getting clear-text passwords.

  • vault: This module dumps passwords saved in the Windows Vault.



  • crypto::capi patches CryptoAPI layer for easy export (Experimental ⚠️)

  • crypto::certificates lists or exports certificates

  • crypto::certtohw tries to export a software CA to a crypto (virtual) hardware

  • crypto::cng patches the CNG (Cryptography API: Next Generation) service for easy export (Experimental ⚠️)

  • crypto::extract extracts keys from the CAPI RSA/AES provider (Experimental ⚠️)

  • crypto::hash hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2) with the username being an optional value

  • crypto::keys lists or exports key containers

  • crypto::providers lists cryptographic providers

  • crypto::sc lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcard

  • crypto::scauth it creates a authentication certificate (smartcard like) from a CA

  • crypto::stores lists cryptographic stores

  • crypto::system it describes a Windows System Certificate

  • crypto::tpminfo displays information for the Microsoft's TPM Platform Crypto Provider



  • event::clear clears a specified event log

  • event::drop patches event services to avoid new events ( ⚠️ experimental)



  • lsadump::backupkeys dumps the DPAPI backup keys from the Domain Controller (cf. dumping DPAPI secrets)

  • lsadump::cache can be used to enumerate Domain Cached Credentials from registry. It does so by acquiring the SysKey to decrypt NL$KM (binary protected value) and then MSCache(v1/v2)

  • lsadump::changentlm can be used to change the password of a user

  • lsadump::dcsync can be used to do a DCSync and retrieve domain secrets. This command uses the Directory Replication Service Remote protocol (MS-DRSR) to request from a domain controller to synchronize a specified entry

  • lsadump::lsa extracts hashes from memory by asking the LSA server. The patch or inject takes place on the fly

  • lsadump::mbc dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled are using Machine Bound Certificates

  • lsadump::netsync can be used to act as a Domain Controller on a target by doing a Silver Ticket. It then leverages the Netlogon to request the RC4 key (i.e. NT hash) of the target computer account

  • lsadump::packages lists the available Windows authentication mechanisms

  • lsadump::postzerologon is a procedure to update AD domain password and its local stored password remotely mimic netdom resetpwd

  • lsadump::RpData can retrieve private data (at the time of writing, Nov 1st 2021, we have no idea what this does or refers to 🤷‍♂️)

  • lsadump::sam dumps the local Security Account Manager (SAM) NT hashes (cf. SAM secrets dump)

  • lsadump::secrets can be used to dump LSA secrets from the registries. It retrieves the SysKey to decrypt Secrets entries

  • lsadump::setntlm can be used to perform a password reset without knowing the user's current password. It can be useful during an active directory Access Control (ACL) abuse scenario

  • lsadump::trust can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most of the EDRs are paying attention to the KRBTGT hash, this is a stealthy way to compromise forest trusts

  • lsadump::zerologon detects and exploits the ZeroLogon vulnerability








  • service::- removes the mimikatzsvc service

  • service::+ installs the mimikatzsvc service by issuing rpc::server service::me exit

  • service::preshutdown pre-shuts down a specified service by sending a SERVICE_CONTROL_PRESHUTDOWN signal

  • service::remove removes the specified service (It must be used with caution)

  • service::resume resumes a specified service, after successful suspending, by sending a SERVICE_CONTROL_CONTINUE signal

  • service::shutdown shuts down a specified service by sending a SERVICE_CONTROL_SHUTDOWN signal

  • service::start starts a service

  • service::stop stops a specified service by sending a SERVICE_CONTROL_STOP signal

  • service::suspend suspends the specified service. It sends a SERVICE_CONTROL_PAUSE signal





  • ts::logonpasswords extracts clear text credentials from RDP running sessions (server side)

  • ts::mstsc extracts cleartext credentials from the mstsc process (client side)

  • ts::multirdp enables multiple RDP connections on the target server

  • ts::remote performs RDP takeover/hijacking of active sessions

  • ts::sessions lists the current RDP sessions. It comes in handy for RDP hijacking


  • vault::cred enumerates vault credentials

  • vault::list lists saved credentials in the Windows Vault such as scheduled tasks, RDP, Internet Explorer for the current user

Last updated