Mimikatz 🥝

Modules


Last updated 3 years ago

Modules

  • crypto: This module deals with the Microsoft Crypto Magic world.

  • dpapi: The Data Protection Application Programming Interface module. Consider this as an OPSEC-safe option (for now) for getting credentials.

  • event: This module deals with the Windows Event logs (to clear footprints after compromise).

  • kerberos: This module deals with the Greek Mythology's three-headed Hades dog without the help of Hercules.

  • lsadump: This module contains some well-known functionalities of Mimikatz such as DCSync, DCShadow, and dumping of SAM and LSA Secrets.

  • misc: The miscellaneous module contains functionalities such as PetitPotam, PrintNightmare, RPC Print Spooler and others.

  • net: Some functionalities in this module are similar to the Windows net commands. Enumerating sessions and servers configured with different types of Kerberos delegation is also included.

  • privilege: This module deals with Windows privileges. It includes the favorite debug privilege, which holds the keys to LSASS.

  • process: This module deals with Windows processes. It can also be used for process injection and parent process spoofing.

  • rpc: The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely.

  • sekurlsa: The most beloved module of Mimikatz. Even Benjamin has mentioned in the past that one day people will discover that Mimikatz is more than sekurlsa::logonpasswords. Hope we made some effort on this, Benjamin.

  • service: This module can interact with Windows services, plus install the mimikatzsvc service.

  • sid: This module deals with the Security Identifier.

  • standard: This module contains some general functionalities which are not related to exploitation.

  • token: This module deals with Windows tokens (who does not really like elevating to NT AUTHORITY\SYSTEM).

  • ts: This module deals with Terminal Services. It can be an alternative for getting clear-text passwords.

  • vault: This module dumps passwords saved in the Windows Vault.

Commands

crypto

  • crypto::capi: patches the CryptoAPI layer for easy export (Experimental ⚠️)

  • crypto::certificates: lists or exports certificates

  • crypto::certtohw: tries to export a software CA to a crypto (virtual) hardware

  • crypto::cng: patches the CNG (Cryptography API: Next Generation) service for easy export (Experimental ⚠️)

  • crypto::extract: extracts keys from the CAPI RSA/AES provider (Experimental ⚠️)

  • crypto::hash: hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2); the username is an optional value

  • crypto::keys: lists or exports key containers

  • crypto::providers: lists cryptographic providers

  • crypto::sc: lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcard

  • crypto::scauth: creates an authentication certificate (smartcard-like) from a CA

  • crypto::stores: lists cryptographic stores

  • crypto::system: describes a Windows System Certificate

  • crypto::tpminfo: displays information for Microsoft's TPM Platform Crypto Provider

dpapi

  • dpapi::blob: describes a DPAPI blob and unprotects/decrypts it with the API or a Masterkey

  • dpapi::cache: displays the credential cache of the DPAPI module

  • dpapi::capi: decrypts a CryptoAPI private key file

  • dpapi::chrome: dumps stored credentials and cookies from Chrome

  • dpapi::cloudapkd: is undocumented at the moment

  • dpapi::cloudapreg: dumps Azure credentials by querying a registry location

  • dpapi::cng: decrypts a given CNG private key file

  • dpapi::create: creates a DPAPI Masterkey file from a raw key and metadata

  • dpapi::cred: decrypts DPAPI saved credentials such as RDP, Scheduled tasks, etc. (cf. dumping DPAPI secrets)

  • dpapi::credhist: describes a Credhist file

  • dpapi::luna: decrypts Safenet LunaHSM KSP

  • dpapi::masterkey: describes a Masterkey file and unprotects each Masterkey (key depending). In other words, it can decrypt and request masterkeys from Active Directory

  • dpapi::protect: protects data via a DPAPI call

  • dpapi::ps: decrypts PowerShell credentials (PSCredentials or SecureString)

  • dpapi::rdg: decrypts Remote Desktop Gateway saved passwords

  • dpapi::sccm: is used to decrypt saved SCCM credentials

  • dpapi::ssh: extracts OpenSSH private keys

  • dpapi::tpm: decrypts a TPM PCP key file (Microsoft's TPM Platform Crypto Provider (PCP))

  • dpapi::vault: decrypts DPAPI vault credentials from the Credential Store

  • dpapi::wifi: decrypts saved Wi-Fi passwords

  • dpapi::wwan: decrypts WWAN credentials

event

  • event::clear: clears a specified event log

  • event::drop: patches event services to avoid new events (⚠️ experimental)

kerberos

  • kerberos::ask: can be used to obtain Service Tickets. The Windows native command is klist get

  • kerberos::clist: lists tickets in MIT / Heimdal ccache format. It can be useful with other tools (i.e. ones that support Pass the Cache)

  • kerberos::golden: can be used to forge golden and silver tickets. It can also be used for forging inter-realm trust keys

  • kerberos::hash: computes the different types of Kerberos keys for a given password

  • kerberos::list: has similar functionality to the klist command without requiring elevated privileges. Unlike sekurlsa::tickets, this module does not interact with LSASS

  • kerberos::ptc: can be used to pass the cache. This is similar to kerberos::ptt, which does pass the ticket, but differs in that the ticket used is a .ccache ticket instead of a .kirbi one

  • kerberos::ptt: is used for passing the ticket by injecting one or many Kerberos tickets into the current session. The ticket can either be a TGT (Ticket-Granting Ticket) or an ST (Service Ticket)

  • kerberos::purge: purges all Kerberos tickets, similar to klist purge

  • kerberos::tgt: retrieves a TGT (Ticket-Granting Ticket) for the current user

lsadump

  • lsadump::backupkeys: dumps the DPAPI backup keys from the Domain Controller (cf. dumping DPAPI secrets)

  • lsadump::cache: can be used to enumerate Domain Cached Credentials from the registry. It does so by acquiring the SysKey to decrypt NL$KM (binary protected value) and then MSCache (v1/v2)

  • lsadump::changentlm: can be used to change the password of a user

  • lsadump::dcshadow: TODO

  • lsadump::dcsync: can be used to do a DCSync and retrieve domain secrets. This command uses the Directory Replication Service Remote protocol (MS-DRSR) to request from a domain controller to synchronize a specified entry

  • lsadump::lsa: extracts hashes from memory by asking the LSA server. The patch or inject takes place on the fly

  • lsadump::mbc: dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled use Machine Bound Certificates

  • lsadump::netsync: can be used to act as a Domain Controller on a target by doing a Silver Ticket. It then leverages Netlogon to request the RC4 key (i.e. NT hash) of the target computer account

  • lsadump::packages: lists the available Windows authentication mechanisms

  • lsadump::postzerologon: is a procedure to update the AD domain password and its locally stored password remotely, mimicking netdom resetpwd

  • lsadump::RpData: can retrieve private data (at the time of writing, Nov 1st 2021, we have no idea what this does or refers to 🤷‍♂️)

  • lsadump::sam: dumps the local Security Account Manager (SAM) NT hashes (cf. SAM secrets dump)

  • lsadump::secrets: can be used to dump LSA secrets from the registry. It retrieves the SysKey to decrypt Secrets entries

  • lsadump::setntlm: can be used to perform a password reset without knowing the user's current password. It can be useful during an Access Control (ACL) abuse scenario

  • lsadump::trust: can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most EDRs are paying attention to the KRBTGT hash, this is a stealthy way to compromise forest trusts

  • lsadump::zerologon: detects and exploits the ZeroLogon vulnerability

misc

  • misc::aadcookie: can be used to dump the Azure Panel's session cookie from login.microsoftonline.com

  • misc::clip: monitors the clipboard. CTRL+C stops the monitoring

  • misc::cmd: launches the command prompt

  • misc::compress: performs a self-compression of mimikatz

  • misc::detours: is experimental and tries to enumerate all modules with Detours-like hooks

  • misc::efs: is Mimikatz's implementation of the MS-EFSR abuse (PetitPotam), an authentication coercion technique

  • misc::lock: locks the screen. It can come in handy with misc::memssp

  • misc::memssp: patches LSASS by injecting a new Security Support Provider (a DLL is registered)

  • misc::mflt: identifies Windows minifilters from inside mimikatz, without using fltmc.exe. It can also assist in fingerprinting security products, by altitude too (gathers details on loaded drivers, including driver altitude)

  • misc::ncroutemon: displays Juniper Network Connect (without route monitoring)

  • misc::ngcsign: can be used to dump the NGC key (Windows Hello keys) signed with the symmetric PoP key

  • misc::printnightmare: can be used to exploit the PrintNightMare vulnerability in both [MS-RPRN RpcAddPrinterDriverEx] and [MS-PAR AddPrinterDriverEx]. The bug was discovered by Zhiniang Peng (@edwardzpeng) & Xuefeng Li (@lxf02942370)

  • misc::regedit: launches the registry editor

  • misc::sccm: decrypts the password field in the SC_UserAccount table in the SCCM database

  • misc::shadowcopies: is used to list the available shadow copies on the system

  • misc::skeleton: injects a "Skeleton Key" into the LSASS process on the domain controller

  • misc::spooler: is Mimikatz's implementation of the MS-RPRN abuse (PrinterBug), an authentication coercion technique

  • misc::taskmgr: launches the task manager

  • misc::wp: sets up a wallpaper

  • misc::xor: performs XOR decoding/encoding on a provided file, with 0x42 as the default key

net

  • net::alias: displays more information about the local group memberships, including Remote Desktop Users, Distributed COM Users, etc.

  • net::deleg: checks for the different types of Kerberos delegations

  • net::group: displays the local groups

  • net::if: displays the available local IP addresses and the hostname

  • net::serverinfo: displays information about the logged-in server

  • net::session: displays the active sessions through the Win32 API function NetSessionEnum()

  • net::share: displays the available shares

  • net::stats: displays when the target was booted

  • net::tod: displays the current time

  • net::trust: displays information for the Active Directory forest trust(s)

  • net::user: displays the local users

  • net::wsession: displays the active sessions through the Win32 API function NetWkstaUserEnum()

privilege

  • privilege::backup: requests the backup privilege (SeBackupPrivilege)

  • privilege::debug: requests the debug privilege (SeDebugPrivilege)

  • privilege::driver: requests the load driver privilege (SeLoadDriverPrivilege)

  • privilege::id: requests a privilege by its id

  • privilege::name: requests a privilege by its name

  • privilege::restore: requests the restore privilege (SeRestorePrivilege)

  • privilege::security: requests the security privilege (SeSecurityPrivilege)

  • privilege::sysenv: requests the system environment privilege (SeSystemEnvironmentPrivilege)

  • privilege::tcb: requests the tcb privilege (SeTcbPrivilege)

process

  • process::exports: lists all the exported functions from the DLLs each running process is using. If a /pid is not specified, then exports for mimikatz.exe are displayed

  • process::imports: lists all the imported functions from the DLLs each running process is using. If a /pid is not specified, then imports for mimikatz.exe are displayed

  • process::list: lists all the running processes. It uses the Windows Native API function NtQuerySystemInformation

  • process::resume: resumes a suspended process by using the Windows Native API function NtResumeProcess

  • process::run: creates a process by using the Win32 API function CreateProcessAsUser. CreateEnvironmentBlock is also utilized

  • process::runp: runs a subprocess under a parent process (the default parent process is LSASS.exe). It can also be used for lateral movement and process spoofing

  • process::start: starts a process by using the Win32 API function CreateProcess. The PID of the process is also displayed

  • process::stop: terminates a process by using the Windows Native API function NtTerminateProcess. The Win32 API equivalent is TerminateProcess

  • process::suspend: suspends a process by using the Windows Native API function NtSuspendProcess

rpc

  • rpc::close: closes remote RPC sessions

  • rpc::connect: connects to an RPC endpoint

  • rpc::enum: enumerates RPC endpoints on a system

  • rpc::server: starts an RPC server

sekurlsa

  • sekurlsa::backupkeys: lists the preferred Backup Master keys

  • sekurlsa::bootkey: sets the SecureKernel Boot Key and attempts to decrypt LSA Isolated credentials

  • sekurlsa::cloudap: lists Azure (Primary Refresh Token) credentials, based on the research Digging further into the Primary Refresh Token (see also According to Benjamin)

  • sekurlsa::credman: lists Credentials Manager entries by targeting the Microsoft Local Security Authority Server DLL (lsasrv.dll)

  • sekurlsa::dpapi: lists DPAPI cached masterkeys

  • sekurlsa::dpapisystem: lists the DPAPI_SYSTEM secret key

  • sekurlsa::ekeys: lists Kerberos encryption keys

  • sekurlsa::kerberos: lists Kerberos credentials

  • sekurlsa::krbtgt: retrieves the krbtgt RC4 (i.e. NT hash), AES128 and AES256 hashes

  • sekurlsa::livessp: lists LiveSSP credentials. According to Microsoft, the LiveSSP provider is included by default in Windows 8 and later and is included in the Office 365 Sign-in Assistant

  • sekurlsa::logonpasswords: lists all available provider credentials. This usually shows recently logged-on user and computer credentials

  • sekurlsa::minidump: can be used against a dumped LSASS process file and does not require administrative privileges. It's considered an "offline" dump

  • sekurlsa::msv: dumps and lists the NT hash (and other secrets) by targeting the MSV1_0 Authentication Package

  • sekurlsa::process: switches (or reinits) to the LSASS process context. It can be used after sekurlsa::minidump

  • sekurlsa::pth: performs Pass-the-Hash, Pass-the-Key and Over-Pass-the-Hash. Upon successful authentication, a program is run (n.b. defaults to cmd.exe)

  • sekurlsa::ssp: lists Security Support Provider (SSP) credentials

  • sekurlsa::tickets: lists Kerberos tickets belonging to all authenticated users on the target server/workstation. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. Sekurlsa can also access tickets of other sessions (users)

  • sekurlsa::trust: retrieves the forest trust keys

  • sekurlsa::tspkg: lists TsPkg credentials. This credential provider is used for Terminal Server authentication

  • sekurlsa::wdigest: lists WDigest credentials. According to Microsoft, WDigest.dll was introduced in the Windows XP operating system

service

  • service::-: removes the mimikatzsvc service

  • service::+: installs the mimikatzsvc service by issuing rpc::server service::me exit

  • service::preshutdown: pre-shuts down a specified service by sending a SERVICE_CONTROL_PRESHUTDOWN signal

  • service::remove: removes the specified service (it must be used with caution)

  • service::resume: resumes a specified service, after a successful suspend, by sending a SERVICE_CONTROL_CONTINUE signal

  • service::shutdown: shuts down a specified service by sending a SERVICE_CONTROL_SHUTDOWN signal

  • service::start: starts a service

  • service::stop: stops a specified service by sending a SERVICE_CONTROL_STOP signal

  • service::suspend: suspends the specified service. It sends a SERVICE_CONTROL_PAUSE signal

sid

  • sid::add: adds a SID to the sIDHistory of an object

  • sid::clear: clears the sIDHistory of a target object

  • sid::lookup: looks up an object by its SID or name

  • sid::modify: modifies an object's SID

  • sid::patch: patches the NTDS (NT Directory Services). It's useful when running sid::modify or sid::add

  • sid::query: queries an object by its SID or name

standard

  • standard::answer or answer: provides an answer to The Ultimate Question of Life, the Universe, and Everything! 🌠

  • standard::base64 or base64: switches file input/output to base64

  • standard::cd or cd: changes or displays the current directory. The changed directory is used for saving files

  • standard::cls or cls: clears the screen

  • standard::coffee or coffee: is the most important command of all

  • standard::exit or exit: quits Mimikatz after clearing routines

  • standard::hostname or hostname: displays the system's local hostname

  • standard::localtime or localtime: displays the system's local date and time

  • standard::log or log: logs mimikatz input/output to a file

  • standard::sleep or sleep: makes Mimikatz sleep for an amount of milliseconds

  • standard::version or version: displays the version of Mimikatz in use

token

  • token::elevate: can be used to impersonate a token. By default it will elevate permissions to NT AUTHORITY\SYSTEM

  • token::list: lists all tokens on the system

  • token::revert: reverts to the previous token

  • token::run: executes a process with its token

  • token::whoami: displays the current token

ts

  • ts::logonpasswords: extracts clear-text credentials from running RDP sessions (server side)

  • ts::mstsc: extracts clear-text credentials from the mstsc process (client side)

  • ts::multirdp: enables multiple RDP connections on the target server

  • ts::remote: performs RDP takeover/hijacking of active sessions

  • ts::sessions: lists the current RDP sessions. It comes in handy for RDP hijacking

vault

  • vault::cred: enumerates vault credentials

  • vault::list: lists saved credentials in the Windows Vault, such as scheduled tasks, RDP and Internet Explorer, for the current user