Modules
Modules
crypto
: This modules deals with the Microsoft Crypto Magic world.dpapi
: The Data Protection Application Programming Interface module. Consider this as an opsec safe option (for now) for getting credentials.event
: this module deals with the Windows Event logs (to clear footprints after compromise).kerberos
: This module deals with the Greek Mythology's three headed Hades dog without the help of Hercules.lsadump
: this module contains some well known functionalities of Mimikatz such as DCSync, DCShadow, dumping of SAM and LSA Secrets.misc
: The miscellaneous module contains functionalities such as PetitPotam, PrintNightmare RPC Print Spooler and others.net
: some functionalities in this module are similar to the Windows net commands. Enumerating sessions and servers configured with different types of Kerberos delegations is also included.privilege
: This module deals with the Windows privileges. It includes the favorite debug privilege which holds the keys to LSASS.process
: This module deal with Windows processes. It can also be used for process injection and parent process spoofing.rpc
: The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely.sekurlsa
: The most beloved module of Mimikatz. Even Benjamin has mentioned in the past that one day people will discover that Mimikatz is more thansekurlsa::logonpasswords
. Hope we made some effort on this Benjamin.service
: This module can interact with Windows services plus installing themimikatzsvc
service.sid
: This module deals with the Security Identifier.standard
: This module contains some general functionalities which are not related to exploitation.token
: This module deals with the Windows tokens (who does not really like elevating toNT AUTHORITY\ SYSTEM
).ts
: This module deals with the Terminal Services. It can be an alternative for getting clear-text passwords.vault
: This module dumps passwords saved in the Windows Vault.
Commands
crypto
crypto::certificates
lists or exports certificatescrypto::certtohw
tries to export a software CA to a crypto (virtual) hardwarecrypto::hash
hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2) with the username being an optional valuecrypto::keys
lists or exports key containerscrypto::providers
lists cryptographic providerscrypto::sc
lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcardcrypto::scauth
it creates a authentication certificate (smartcard like) from a CAcrypto::stores
lists cryptographic storescrypto::system
it describes a Windows System Certificatecrypto::tpminfo
displays information for the Microsoft's TPM Platform Crypto Provider
dpapi
dpapi::blob
describes a DPAPI blob and unprotects/decrypts it with API or Masterkeydpapi::cache
displays the credential cache of the DPAPI moduledpapi::capi
decrypts a CryptoAPI private key filedpapi::chrome
dumps stored credentials and cookies from Chromedpapi::cloudapkd
is undocumented at the momentdpapi::cloudapreg
dumps azure credentials by querying the following registry locationdpapi::cng
decrypts a given CNG private key filedpapi::create
creates a DPAPI Masterkey file from raw key and metadatadpapi::cred
decrypts DPAPI saved credential such as RDP, Scheduled tasks, etc (cf. dumping DPAPI secrets)dpapi::credhist
describes a Credhist filedpapi::luna
decrypts Safenet LunaHSM KSPdpapi::masterkey
describes a Masterkey file and unprotects each Masterkey (key depending). In other words, it can decrypt and request masterkeys from active directorydpapi::protect
protects data via a DPAPI calldpapi::ps
decrypts PowerShell credentials (PSCredentials or SecureString)dpapi::rdg
decrypts Remote Desktop Gateway saved passwordsdpapi::sccm
is used to decrypt saved SCCM credentialsdpapi::ssh
extracts OpenSSH private keysdpapi::tpm
decrypts TPM PCP key file (Microsoft's TPM Platform Crypto Provider (PCP))dpapi::vault
decrypts DPAPI vault credentials from the Credential Storedpapi::wifi
decrypts saved Wi-Fi passwordsdpapi::wwman
decrypts Wwan credentials
event
event::clear
clears a specified event log
kerberos
kerberos::ask
can be used to obtain Service Tickets. The Windows native command isklist get
kerberos::clist
lists tickets in MIT/Heimdall ccache format. It can be useful with other tools (i.e. ones that support Pass the Cache)kerberos::golden
can be used to forge golden and silver tickets. It can also be used for forging inter-realm trust keyskerberos::hash
computes the different types of Kerberos keys for a given passwordkerberos::list
has a similar functionality toklist
command without requiring elevated privileges. Unlikesekurlsa::tickets
, this module does not interact with LSASSkerberos::ptc
can be used to pass the cache. This is similar tokerberos::ptt
that does pass the ticket but is different in the sense that the ticket used is a.ccache
ticket instead of a.kirbi
onekerberos::ptt
is used for passing the ticket by injecting one or may Kerberos tickets in the current session. The ticket can either be a TGT (Ticket-Granting Ticket) or an ST (Service Ticket)kerberos::purge
purges all kerberos tickets similar toklist purge
kerberos::tgt
retrieves a TGT (Ticket-Granting Ticket) for the current user
lsadump
lsadump::backupkeys
dumps the DPAPI backup keys from the Domain Controller (cf. dumping DPAPI secrets)lsadump::cache
can be used to enumerate Domain Cached Credentials from registry. It does so by acquiring theSysKey
to decryptNL$KM
(binary protected value) and thenMSCache(v1/v2)
lsadump::changentlm
can be used to change the password of a userlsadump::dcshadow
TODOlsadump::dcsync
can be used to do a DCSync and retrieve domain secrets. This command uses the Directory Replication Service Remote protocol (MS-DRSR) to request from a domain controller to synchronize a specified entrylsadump::lsa
extracts hashes from memory by asking the LSA server. Thepatch
orinject
takes place on the flylsadump::mbc
dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled are using Machine Bound Certificateslsadump::netsync
can be used to act as a Domain Controller on a target by doing a Silver Ticket. It then leverages the Netlogon to request the RC4 key (i.e. NT hash) of the target computer accountlsadump::packages
lists the available Windows authentication mechanismslsadump::postzerologon
is a procedure to update AD domain password and its local stored password remotely mimicnetdom resetpwd
lsadump::sam
dumps the local Security Account Manager (SAM) NT hashes (cf. SAM secrets dump)lsadump::secrets
can be used to dump LSA secrets from the registries. It retrieves theSysKey
to decryptSecrets
entrieslsadump::setntlm
can be used to perform a password reset without knowing the user's current password. It can be useful during an active directory Access Control (ACL) abuse scenariolsadump::trust
can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most of the EDRs are paying attention to the KRBTGT hash, this is a stealthy way to compromise forest trustslsadump::zerologon
detects and exploits the ZeroLogon vulnerability
misc
misc::aadcookie
can be used to dump the Azure Panel's session cookie fromlogin.microsoftonline.com
misc::clip
monitors clipboard.CTRL+C
stops the monitoringmisc::cmd
launches the command promptmisc::compress
performs a self compression of mimikatzmisc::detours
is experimental and it tries to enumerate all modules with Detours-like hooksmisc::efs
is Mimikatz's implementation of the MS-EFSR abuse (PetitPotam), an authentication coercion techniquemisc::lock
locks the screen. It can come in handy withmisc::memssp
misc::memssp
patches LSASS by injecting a new Security Support Provider (a DLL is registered)misc::mflt
identifies Windows minifilters inside mimikatz, without using fltmc.exe. It can also assist in fingerprinting security products, by altitude too (Gathers details on loaded drivers, including driver altitude)misc::ncroutemon
displays Juniper network connect (without route monitoring)misc::ngcsign
can be used to dump the NGC key (Windows Hello keys) signed with the symmetric pop key.misc::printnightmare
can be used to exploit the PrintNightMare vulnerability in both [MS-RPRN RpcAddPrinterDriverEx] and [MS-PAR AddPrinterDriverEx]. The bug was discovered by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)misc::regedit
launches the registry editormisc::sccm
decrypts the password field in theSC_UserAccount
table in the SCCM databasemisc::shadowcopies
is used to list the available shadow copies on the systemmisc::skeleton
injects a "Skeleton Key" into the LSASS process on the domain controllermisc::spooler
is Mimikat's implementation of the MS-RPRN abuse (PrinterBug), an authentication coercion techniquemisc::taskmgr
launches the task managermisc::wp
sets up a wallpapermisc::xor
performs XOR decoding/encoding on a provided file with0x42
default key
net
net::alias
displays more information about the local group memberships including Remote Desktop Users, Distributed COM Users, etcnet::deleg
checks for the following types of Kerberos delegationsnet::group
displays the local groupsnet::if
displays the available local IP addresses and the hostnamenet::serverinfo
displays information about the logged in servernet::session
displays the active sessions through NetSessionEnum() Win32 API functionnet::share
displays the available sharesnet::stats
displays when the target was bootednet::tod
displays the current timenet::trust
displays information for the active directory forest trust(s)net::user
displays the local usersnet::wsession
displays the active sessions through NetWkstaUserEnum() Win32 API function
privilege
privilege::backup
requests the backup privilege (SeBackupPrivilege
)privilege::debug
requests the debug privilege (SeDebugPrivilege
)privilege::driver
requests the load driver privilege (SeLoadDriverPrivilege
)privilege::id
requests a privilege by itsid
privilege::name
requests a privilege by its nameprivilege::restore
requests the restore privilege (SeRestorePrivilege
)privilege::security
requests the security privilege (SeSecurityPrivilege
)privilege::sysenv
requests the system environment privilege (SeSystemEnvironmentPrivilege
)privilege::tcb
requests the tcb privilege (SeTcbPrivilege
)
process
process::exports
lists all the exported functions from the DLLs each running process is using. If a** **/pid
is not specified, then exports formimikatz.exe
will be displayedprocess::imports
lists all the imported functions from the DLLs each running process is using. If a** **/pid
is not specified, then imports formimikatz.exe
will be displayedprocess::list
lists all the running processes. It uses the NtQuerySystemInformation Windows Native API functionprocess::resume
resumes a suspended process by using the NtResumeProcess Windows Native API functionprocess::run
creates a process by using the CreateProcessAsUser Win32 API function. The CreateEnvironmentBlock is also utilizedprocess::runp
runs a subprocess under a parent process (Default parent process isLSASS.exe
). It can also be used for lateral movement and process spoofingprocess::start
starts a process by using the CreateProcess Win32 API function. ThePID
of the process is also displayedprocess::stop
terminates a process by using the NtTerminateProcess Windows Native API function. The Win32 API equal one is TerminateProcessprocess::suspend
suspends a process by using the NtSuspendProcess Windows Native API function
rpc
rpc::close
closes remote RPC sessionsrpc::connect
connects to an RPC endpointrpc::enum
enumerates RPC endpoints on a systemrpc::server
starts an RPC server
sekurlsa
sekurlsa::backupkeys
lists the preferred Backup Master keyssekurlsa::bootkey
sets the SecureKernel Boot Key and attempts to decrypt LSA Isolated credentialssekurlsa::cloudap
lists Azure (Primary Refresh Token) credentials based on the following research: Digging further into the Primary Refresh Token. According to Benjamin:sekurlsa::credman
lists Credentials Manager by targeting the Microsoft Local Security Authority Server DLL (lsasrv.dll)sekurlsa::dpapi
lists DPAPI cached masterkeyssekurlsa::dpapisystem
lists theDPAPI_SYSTEM
secret keysekurlsa::ekeys
lists Kerberos encryption keyssekurlsa::kerberos
lists Kerberos credentialssekurlsa::krbtgt
retrieves the krbtgt RC4 (i.e. NT hash), AES128 and AES256 hashessekurlsa::livessp
lists LiveSSP credentials. According to Microsoft, the LiveSSP provider is included by default in Windows 8 and later and is included in the Office 365 Sign-in Assistantsekurlsa::logonpasswords
lists all available provider credentials. This usually shows recently logged on user and computer credentialssekurlsa::minidump
can be used against a dumped LSASS process file and it does not require administrative privileges. It's considered as an "offline" dumpsekurlsa::msv
dumps and lists the NT hash (and other secrets) by targeting the MSV1_0 Authentication Packagesekurlsa::process
switches (or reinits) to LSASS process context. It can be used aftersekurlsa::minidump
sekurlsa::pth
performs Pass-the-Hash, Pass-the-Key and Over-Pass-the-Hash. Upon successful authentication, a program is run (n.b. defaulted tocme.exe
)sekurlsa::ssp
lists Security Support Provider (SSP) credentialssekurlsa::tickets
lists Kerberos tickets belonging to all authenticated users on the target server/workstation. Unlikekerberos::list
, sekurlsa uses memory reading and is not subject to key export restrictions. Sekurlsa can also access tickets of others sessions (users)sekurlsa::trust
retrieves the forest trust keyssekurlsa::tspkg
lists TsPkg credentials. This credentials provider is used for Terminal Server Authenticationsekurlsa::wdigest
lists WDigest credentials. According to Microsoft, WDigest.dll was introduced in the Windows XP operating system
service
service::-
removes themimikatzsvc
serviceservice::+
installs themimikatzsvc
service by issuingrpc::server service::me exit
service::preshutdown
pre-shuts down a specified service by sending aSERVICE_CONTROL_PRESHUTDOWN
signalservice::remove
removes the specified service (It must be used with caution)service::resume
resumes a specified service, after successful suspending, by sending aSERVICE_CONTROL_CONTINUE
signalservice::shutdown
shuts down a specified service by sending aSERVICE_CONTROL_SHUTDOWN
signalservice::start
starts a serviceservice::stop
stops a specified service by sending aSERVICE_CONTROL_STOP
signalservice::suspend
suspends the specified service. It sends aSERVICE_CONTROL_PAUSE
signal
sid
sid::add
adds a SID tosIDHistory
of an objectsid::clear
clears thesIDHistory
of a target objectsid::lookup
looks up an object by its SID or namesid::modify
modifies an object's SIDsid::patch
patchs the NTDS (NT Directory Services). It's useful when runningid::modify
orsid::add
sid::query
queries an object by its SID or name
standard
standard::base64
orbase64
switches file input/output to base64standard::cd
orcd
can change or display the current directory. The changed directory is used for saving filesstandard::cls
orcls
clears the screenstandard::coffee
orcoffee
is the most important command of allstandard::exit
orexit
quits Mimikatz after clearing routinesstandard::hostname
orhostname
displays system local hostnamestandard::localtime
orlocaltime
displays system local date and timestandard::log
orlog
logs mimikatz input/output to a filestandard::sleep
orsleep
make Mimikatz sleep an amount of millisecondsstandard::version
orversion
displays the version in use of Mimikatz
token
token::elevate
can be used to impersonate a token. By default it will elevate permissions toNT AUTHORITY\SYSTEM
token::list
lists all tokens on the systemtoken::revert
reverts to the previous tokentoken::run
executes a process with its tokentoken::whoami
displays the current token
ts
ts::logonpasswords
extracts clear text credentials from RDP running sessions (server side)ts::mstsc
extracts cleartext credentials from the mstsc process (client side)ts::multirdp
enables multiple RDP connections on the target serverts::remote
performs RDP takeover/hijacking of active sessionsts::sessions
lists the current RDP sessions. It comes in handy for RDP hijacking
vault
vault::cred
enumerates vault credentialsvault::list
lists saved credentials in the Windows Vault such as scheduled tasks, RDP, Internet Explorer for the current user
Last updated