# Modules ## Modules * [`crypto`](#crypto): This modules deals with the Microsoft Crypto Magic world. * [`dpapi`](#dpapi): The Data Protection Application Programming Interface module. Consider this as an opsec safe option (for now) for getting credentials. * [`event`](#event): this module deals with the Windows Event logs (to clear footprints after compromise). * [`kerberos`](#kerberos): This module deals with the Greek Mythology's three headed Hades dog without the help of Hercules. * [`lsadump`](#lsadump): this module contains some well known functionalities of Mimikatz such as DCSync, DCShadow, dumping of SAM and LSA Secrets. * [`misc`](#misc): The miscellaneous module contains functionalities such as PetitPotam, PrintNightmare RPC Print Spooler and others. * [`net`](#net): some functionalities in this module are similar to the Windows **net** commands. Enumerating sessions and servers configured with different types of Kerberos delegations is also included. * [`privilege`](#privilege): This module deals with the Windows privileges. It includes the favorite debug privilege which holds the keys to LSASS. * [`process`](#process): This module deal with Windows processes. It can also be used for process injection and parent process spoofing. * [`rpc`](#rpc): The Remote Procedure Call module of Mimikatz. It can also be used for controlling Mimikatz remotely. * [`sekurlsa`](#sekurlsa): The most beloved module of Mimikatz. Even Benjamin has mentioned in the past that one day people will discover that Mimikatz is more than [`sekurlsa::logonpasswords`](/mimikatz/modules/sekurlsa/logonpasswords.md). Hope we made some effort on this Benjamin. * [`service`](#service): This module can interact with Windows services plus installing the `mimikatzsvc` service. * [`sid`](#sid): This module deals with the Security Identifier. * [`standard`](#standard): This module contains some general functionalities which are not related to exploitation. * [`token`](#token): This module deals with the Windows tokens (who does not really like elevating to `NT AUTHORITY\ SYSTEM`). * [`ts`](#ts): This module deals with the Terminal Services. It can be an alternative for getting clear-text passwords. * [`vault`](#vault): This module dumps passwords saved in the Windows Vault. ## Commands ### crypto * [`crypto::capi`](/mimikatz/modules/crypto/capi.md) patches CryptoAPI layer for easy export (Experimental :warning:) * [`crypto::certificates`](/mimikatz/modules/crypto/certificates.md) lists or exports certificates * [`crypto::certtohw`](/mimikatz/modules/crypto/certtohw.md) tries to export a software CA to a crypto (virtual) hardware * [`crypto::cng`](/mimikatz/modules/crypto/cng.md) patches the CNG (Cryptography API: Next Generation) service for easy export (Experimental :warning:) * [`crypto::extract`](/mimikatz/modules/crypto/extract.md) extracts keys from the CAPI RSA/AES provider (Experimental :warning:) * [`crypto::hash`](/mimikatz/modules/crypto/hash.md) hashes a password in the main formats (NT, DCC1, DCC2, LM, MD5, SHA1, SHA2) with the username being an optional value * [`crypto::keys`](/mimikatz/modules/crypto/keys.md) lists or exports key containers * [`crypto::providers`](/mimikatz/modules/crypto/providers.md) lists cryptographic providers * [`crypto::sc`](/mimikatz/modules/crypto/sc.md) lists smartcard/token reader(s) on, or deported to, the system. When the CSP (Cryptographic Service Provider) is available, it tries to list keys on the smartcard * [`crypto::scauth`](/mimikatz/modules/crypto/scauth.md) it creates a authentication certificate (smartcard like) from a CA * [`crypto::stores`](/mimikatz/modules/crypto/stores.md) lists cryptographic stores * [`crypto::system`](/mimikatz/modules/crypto/system.md) it describes a Windows System Certificate * [`crypto::tpminfo`](/mimikatz/modules/crypto/tpminfo.md) displays information for the Microsoft's TPM Platform Crypto Provider ### dpapi * [`dpapi::blob`](/mimikatz/modules/dpapi/blob.md) describes a DPAPI blob and unprotects/decrypts it with API or Masterkey * [`dpapi::cache`](/mimikatz/modules/dpapi/cache.md) displays the credential cache of the DPAPI module * [`dpapi::capi`](/mimikatz/modules/dpapi/capi.md) decrypts a CryptoAPI private key file * [`dpapi::chrome`](/mimikatz/modules/dpapi/chrome.md) dumps stored credentials and cookies from Chrome * [`dpapi::cloudapkd`](/mimikatz/modules/dpapi/cloudapkd.md) is undocumented at the moment * [`dpapi::cloudapreg`](/mimikatz/modules/dpapi/cloudapreg.md) dumps azure credentials by querying the following registry location * [`dpapi::cng`](/mimikatz/modules/dpapi/cng.md) decrypts a given CNG private key file * [`dpapi::create`](/mimikatz/modules/dpapi/create.md) creates a DPAPI Masterkey file from raw key and metadata * [`dpapi::cred`](/mimikatz/modules/dpapi/cred.md) decrypts DPAPI saved credential such as RDP, Scheduled tasks, etc (cf. [dumping DPAPI secrets](https://www.thehacker.recipes/ad-ds/movement/credentials/dumping/dpapi-protected-secrets)) * [`dpapi::credhist`](/mimikatz/modules/dpapi/credhist.md) describes a Credhist file * [`dpapi::luna`](/mimikatz/modules/dpapi/luna.md) decrypts Safenet LunaHSM KSP * [`dpapi::masterkey`](/mimikatz/modules/dpapi/masterkey.md) describes a Masterkey file and unprotects each Masterkey (key depending). In other words, it can decrypt and request masterkeys from active directory * [`dpapi::protect`](/mimikatz/modules/dpapi/protect.md) protects data via a DPAPI call * [`dpapi::ps`](/mimikatz/modules/dpapi/ps.md) decrypts PowerShell credentials (PSCredentials or SecureString) * [`dpapi::rdg`](/mimikatz/modules/dpapi/rdg.md) decrypts Remote Desktop Gateway saved passwords * [`dpapi::sccm`](/mimikatz/modules/dpapi/sccm.md) is used to decrypt saved SCCM credentials * [`dpapi::ssh`](/mimikatz/modules/dpapi/ssh.md) extracts OpenSSH private keys * [`dpapi::tpm`](/mimikatz/modules/dpapi/tpm.md) decrypts TPM PCP key file ([Microsoft's TPM Platform Crypto Provider](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/setting-up-tpm-protected-certificates-using-a-microsoft/ba-p/1129055) (PCP)) * [`dpapi::vault`](/mimikatz/modules/dpapi/vault.md) decrypts DPAPI vault credentials from the [Credential Store](https://support.microsoft.com/en-us/windows/accessing-credential-manager-1b5c916a-6a16-889f-8581-fc16e8165ac0) * [`dpapi::wifi`](/mimikatz/modules/dpapi/wifi.md) decrypts saved Wi-Fi passwords * [`dpapi::wwman`](/mimikatz/modules/dpapi/wwan.md) decrypts Wwan credentials ### event * [`event::clear`](/mimikatz/modules/event/clear.md) clears a specified event log * [`event::drop`](/mimikatz/modules/event/drop.md) patches event services to avoid new events ( :warning: experimental) ### kerberos * [`kerberos::ask`](/mimikatz/modules/kerberos/ask.md) can be used to obtain Service Tickets. The Windows native command is [`klist get`](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist) * [`kerberos::clist`](/mimikatz/modules/kerberos/clist.md) lists tickets in [MIT](https://web.mit.edu/kerberos/)/[Heimdall](https://github.com/heimdal/heimdal) ccache format. It can be useful with other tools (i.e. ones that support [Pass the Cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc)) * [`kerberos::golden`](/mimikatz/modules/kerberos/golden.md) can be used to [forge golden and silver tickets](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets). It can also be used for forging inter-realm trust keys * [`kerberos::hash`](/mimikatz/modules/kerberos/hash.md) computes the different types of Kerberos keys for a given password * [`kerberos::list`](/mimikatz/modules/kerberos/list.md) has a similar functionality to [`klist`](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist) command without requiring elevated privileges. Unlike [`sekurlsa::tickets`](/mimikatz/modules/sekurlsa/tickets.md), this module does not interact with LSASS * [`kerberos::ptc`](/mimikatz/modules/kerberos/ptc.md) can be used to [pass the cache](https://www.thehacker.recipes/ad/movement/kerberos/ptc). This is similar to [`kerberos::ptt`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/ptt.md) that does pass the ticket but is different in the sense that the ticket used is a `.ccache` ticket instead of a `.kirbi` one * [`kerberos::ptt`](/mimikatz/modules/kerberos/ptt.md) is used for [passing the ticket](https://www.thehacker.recipes/ad/movement/kerberos/ptt) by injecting one or may Kerberos tickets in the current session. The ticket can either be a TGT (Ticket-Granting Ticket) or an ST (Service Ticket) * [`kerberos::purge`](/mimikatz/modules/kerberos/purge.md) purges all kerberos tickets similar to [`klist purge`](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist) * [`kerberos::tgt`](/mimikatz/modules/kerberos/tgt.md) retrieves a TGT (Ticket-Granting Ticket) for the current user ### lsadump * [`lsadump::backupkeys`](/mimikatz/modules/lsadump/backupkeys.md) dumps the DPAPI backup keys from the Domain Controller (cf. [dumping DPAPI secrets](https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets)) * [`lsadump::cache`](/mimikatz/modules/lsadump/cache.md) can be used to enumerate Domain Cached Credentials from registry. It does so by acquiring the `SysKey` to decrypt `NL$KM` (binary protected value) and then `MSCache(v1/v2)` * [`lsadump::changentlm`](/mimikatz/modules/lsadump/changentlm.md) can be used to change the password of a user * [`lsadump::dcshadow`](/mimikatz/modules/lsadump/dcshadow.md) TODO * [`lsadump::dcsync`](/mimikatz/modules/lsadump/dcsync.md) can be used to do a [DCSync](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync) and retrieve domain secrets. This command uses the Directory Replication Service Remote protocol ([MS-DRSR](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN)) to request from a domain controller to synchronize a specified entry * [`lsadump::lsa`](/mimikatz/modules/lsadump/lsa.md) extracts hashes from memory by asking the LSA server. The `patch` or `inject` takes place on the fly * [`lsadump::mbc`](/mimikatz/modules/lsadump/mbc.md) dumps the Machine Bound Certificate. Devices on which Credential Guard is enabled are using Machine Bound Certificates * [`lsadump::netsync`](/mimikatz/modules/lsadump/netsync.md) can be used to act as a Domain Controller on a target by doing a [Silver Ticket](https://www.thehacker.recipes/ad/movement/kerberos/forged-tickets#silver-ticket). It then leverages the [Netlogon](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f) to request the RC4 key (i.e. NT hash) of the target computer account * [`lsadump::packages`](/mimikatz/modules/lsadump/packages.md) lists the available Windows authentication mechanisms * [`lsadump::postzerologon`](/mimikatz/modules/lsadump/postzerologon.md) is a procedure to update AD domain password and its local stored password remotely mimic `netdom resetpwd` * [`lsadump::RpData`](/mimikatz/modules/lsadump/rpdata.md) can retrieve private data (*at the time of writing, Nov 1st 2021, we have no idea what this does or refers to* :man\_shrugging:) * [`lsadump::sam`](/mimikatz/modules/lsadump/sam.md) dumps the local Security Account Manager (SAM) NT hashes (cf. [SAM secrets dump](https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets)) * [`lsadump::secrets`](/mimikatz/modules/lsadump/secrets.md) can be used to [dump LSA secrets](https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets) from the registries. It retrieves the `SysKey` to decrypt `Secrets` entries * [`lsadump::setntlm`](/mimikatz/modules/lsadump/setntlm.md) can be used to perform a password reset without knowing the user's current password. It can be useful during an active directory [Access Control (ACL) abuse](https://www.thehacker.recipes/ad/movement/access-controls) scenario * [`lsadump::trust`](/mimikatz/modules/lsadump/trust.md) can be used for dumping the forest trust keys. Forest trust keys can be leveraged for forging inter-realm trust tickets. Since most of the EDRs are paying attention to the KRBTGT hash, this is a stealthy way to compromise forest trusts * [`lsadump::zerologon`](/mimikatz/modules/lsadump/zerologon.md) detects and exploits the [ZeroLogon](https://www.thehacker.recipes/ad/movement/netlogon/zerologon) vulnerability ### misc * [`misc::aadcookie`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/aadcookie.md) can be used to dump the Azure Panel's session cookie from `login.microsoftonline.com` * [`misc::clip`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/clip.md) monitors clipboard. `CTRL+C` stops the monitoring * [`misc::cmd`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/cmd.md) launches the command prompt * [`misc::compress`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/compress.md) performs a self compression of mimikatz * [`misc::detours`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/detours.md) is experimental and it tries to enumerate all modules with [Detours-like hooks](https://www.codeproject.com/Articles/30140/API-Hooking-with-MS-Detours) * [`misc::efs`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/efs.md) is Mimikatz's implementation of the [MS-EFSR abuse (PetitPotam)](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/ms-efsr), an authentication coercion technique * [`misc::lock`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/lock.md) locks the screen. It can come in handy with [`misc::memssp`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/memssp.md) * [`misc::memssp`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/memssp.md) patches LSASS by injecting a new Security Support Provider (a DLL is registered) * [`misc::mflt`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/mflt.md) identifies Windows minifilters inside mimikatz, without using **fltmc.exe**. It can also assist in fingerprinting security products, by altitude too (Gathers details on loaded drivers, including driver altitude) * [`misc::ncroutemon`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/ncroutemon.md) displays Juniper network connect (without route monitoring) * [`misc::ngcsign`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/ngcsign.md) can be used to dump the NGC key (Windows Hello keys) signed with the symmetric pop key. * [`misc::printnightmare`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/printnightmare.md) can be used to exploit the [PrintNightMare](https://adamsvoboda.net/breaking-down-printnightmare-cve-2021-1675/) vulnerability in both \[[MS-RPRN RpcAddPrinterDriverEx](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b)] and \[[MS-PAR AddPrinterDriverEx](https://docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex)]. The bug was discovered by Zhiniang Peng ([@edwardzpeng](https://twitter.com/edwardzpeng?lang=en)) & Xuefeng Li ([@lxf02942370](https://twitter.com/lxf02942370?lang=en)) * [`misc::regedit`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/regedit.md) launches the registry editor * [`misc::sccm`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/sccm.md) decrypts the password field in the `SC_UserAccount` table in the SCCM database * [`misc::shadowcopies`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/shadowcopies.md) is used to list the available shadow copies on the system * [`misc::skeleton`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/skeleton.md) injects a "[Skeleton Key](https://www.thehacker.recipes/ad/persistence/skeleton-key)" into the LSASS process on the domain controller * [`misc::spooler`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/spooler.md) is Mimikat's implementation of the [MS-RPRN abuse (PrinterBug)](https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/ms-rprn), an authentication coercion technique * [`misc::taskmgr`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/taskmgr.md) launches the task manager * [`misc::wp`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/wp.md) sets up a wallpaper * [`misc::xor`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/misc/xor.md) performs XOR decoding/encoding on a provided file with `0x42` default key ### net * [`net::alias`](/mimikatz/modules/net/alias.md) displays more information about the local group memberships including Remote Desktop Users, Distributed COM Users, etc * [`net::deleg`](/mimikatz/modules/net/deleg.md) checks for the following types of [Kerberos delegations](https://www.thehacker.recipes/ad-ds/movement/kerberos/delegations) * [`net::group`](/mimikatz/modules/net/group.md) displays the local groups * [`net::if`](/mimikatz/modules/net/if.md) displays the available local IP addresses and the hostname * [`net::serverinfo`](/mimikatz/modules/net/serverinfo.md) displays information about the logged in server * [`net::session`](/mimikatz/modules/net/session.md) displays the active sessions through [NetSessionEnum()](https://web.archive.org/web/20201201223201/https://docs.microsoft.com/en-us/windows/win32/api/lmshare/nf-lmshare-netsessionenum) Win32 API function * [`net::share`](/mimikatz/modules/net/share.md) displays the available shares * [`net::stats`](/mimikatz/modules/net/stats.md) displays when the target was booted * [`net::tod`](/mimikatz/modules/net/tod.md) displays the current time * [`net::trust`](/mimikatz/modules/net/trust.md) displays information for the active directory forest trust(s) * [`net::user`](/mimikatz/modules/net/user.md) displays the local users * [`net::wsession`](/mimikatz/modules/net/wsession.md) displays the active sessions through [NetWkstaUserEnum()](https://web.archive.org/web/20190909155552/https://docs.microsoft.com/en-us/windows/win32/api/lmwksta/nf-lmwksta-netwkstauserenum) Win32 API function ### privilege * [`privilege::backup`](/mimikatz/modules/privilege/backup.md) requests the backup privilege (`SeBackupPrivilege`) * [`privilege::debug`](/mimikatz/modules/privilege/debug.md) requests the debug privilege (`SeDebugPrivilege`) * [`privilege::driver`](/mimikatz/modules/privilege/driver.md) requests the load driver privilege (`SeLoadDriverPrivilege`) * [`privilege::id`](/mimikatz/modules/privilege/id.md) requests a privilege by its `id` * [`privilege::name`](/mimikatz/modules/privilege/name.md) requests a privilege by its name * [`privilege::restore`](/mimikatz/modules/privilege/restore.md) requests the restore privilege (`SeRestorePrivilege`) * [`privilege::security`](/mimikatz/modules/privilege/security.md) requests the security privilege (`SeSecurityPrivilege`) * [`privilege::sysenv`](/mimikatz/modules/privilege/sysenv.md) requests the system environment privilege (`SeSystemEnvironmentPrivilege`) * [`privilege::tcb`](/mimikatz/modules/privilege/tcb.md) requests the tcb privilege (`SeTcbPrivilege`) ### process * [`process::exports`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/exports.md) lists all the exported functions from the DLLs each running process is using. If a\*\* \*\*`/pid` is not specified, then exports for `mimikatz.exe` will be displayed * [`process::imports`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/imports.md) lists all the imported functions from the DLLs each running process is using. If a\*\* \*\*`/pid` is not specified, then imports for `mimikatz.exe` will be displayed * [`process::list`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/list.md) lists all the running processes. It uses the [NtQuerySystemInformation](https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysysteminformation) Windows Native API function * [`process::resume`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/resume.md) resumes a suspended process by using the [NtResumeProcess](https://www.geoffchappell.com/studies/windows/win32/ntdll/api/native.htm) Windows Native API function * [`process::run`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/run.md) creates a process by using the [CreateProcessAsUser](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera) Win32 API function. The [CreateEnvironmentBlock](https://docs.microsoft.com/en-us/windows/win32/api/userenv/nf-userenv-createenvironmentblock) is also utilized * [`process::runp`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/runp.md) runs a subprocess under a parent process (Default parent process is `LSASS.exe`). It can also be used for lateral movement and process spoofing * [`process::start`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/start.md) starts a process by using the [CreateProcess](https://web.archive.org/web/20170713150625/https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425.aspx) Win32 API function. The `PID` of the process is also displayed * [`process::stop`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/stop.md) terminates a process by using the [NtTerminateProcess](https://www.geoffchappell.com/studies/windows/win32/ntdll/api/native.htm) Windows Native API function. The Win32 API equal one is [TerminateProcess](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess) * [`process::suspend`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/modules/process/suspend.md) suspends a process by using the [NtSuspendProcess](https://ntopcode.wordpress.com/tag/ntsuspendprocess/) Windows Native API function ### rpc * [`rpc::close`](/mimikatz/modules/rpc/close.md) closes remote RPC sessions * [`rpc::connect`](/mimikatz/modules/rpc/connect.md) connects to an RPC endpoint * [`rpc::enum`](/mimikatz/modules/rpc/enum.md) enumerates RPC endpoints on a system * [`rpc::server`](/mimikatz/modules/rpc/server.md) starts an RPC server ### sekurlsa * [`sekurlsa::backupkeys`](/mimikatz/modules/sekurlsa/backupkeys.md) lists the preferred Backup Master keys * [`sekurlsa::bootkey`](/mimikatz/modules/sekurlsa/bootkey.md) sets the SecureKernel Boot Key and attempts to decrypt LSA Isolated credentials * [`sekurlsa::cloudap`](/mimikatz/modules/sekurlsa/cloudap.md) lists Azure (Primary Refresh Token) credentials based on the following research: [Digging further into the Primary Refresh Token](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/). [According to Benjamin](https://twitter.com/gentilkiwi/status/1291102498099527682?s=20): * [`sekurlsa::credman`](/mimikatz/modules/sekurlsa/credman.md) lists Credentials Manager by targeting the Microsoft Local Security Authority Server DLL ([lsasrv.dll](https://windows10dll.nirsoft.net/lsasrv_dll.html)) * [`sekurlsa::dpapi`](/mimikatz/modules/sekurlsa/dpapi.md) lists DPAPI cached masterkeys * [`sekurlsa::dpapisystem`](/mimikatz/modules/sekurlsa/dpapisystem.md) lists the `DPAPI_SYSTEM` secret key * [`sekurlsa::ekeys`](/mimikatz/modules/sekurlsa/ekeys.md) lists Kerberos encryption keys * [`sekurlsa::kerberos`](/mimikatz/modules/sekurlsa/kerberos.md) lists Kerberos credentials * [`sekurlsa::krbtgt`](/mimikatz/modules/sekurlsa/krbtgt.md) retrieves the krbtgt RC4 (i.e. NT hash), AES128 and AES256 hashes * [`sekurlsa::livessp`](/mimikatz/modules/sekurlsa/livessp.md) lists LiveSSP credentials. According to Microsoft, the LiveSSP provider is included by default in Windows 8 and later and is included in the Office 365 Sign-in Assistant * [`sekurlsa::logonpasswords`](/mimikatz/modules/sekurlsa/logonpasswords.md) lists all available provider credentials. This usually shows recently logged on user and computer credentials * [`sekurlsa::minidump`](/mimikatz/modules/sekurlsa/minidump.md) can be used against a dumped LSASS process file and it does not require administrative privileges. It's considered as an "offline" dump * [`sekurlsa::msv`](/mimikatz/modules/sekurlsa/msv.md) dumps and lists the NT hash (and other secrets) by targeting the [MSV1\_0 Authentication Package](https://docs.microsoft.com/en-us/windows/win32/secauthn/msv1-0-authentication-package) * [`sekurlsa::process`](/mimikatz/modules/sekurlsa/process.md) switches (or reinits) to LSASS process context. It can be used after [`sekurlsa::minidump`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/modules/minidump.md) * [`sekurlsa::pth`](/mimikatz/modules/sekurlsa/pth.md) performs [Pass-the-Hash](https://www.thehacker.recipes/ad/movement/ntlm/pth), [Pass-the-Key](https://www.thehacker.recipes/ad/movement/kerberos/ptk) and [Over-Pass-the-Hash](https://www.thehacker.recipes/ad/movement/kerberos/opth). Upon successful authentication, a program is run (n.b. defaulted to `cme.exe`) * [`sekurlsa::ssp`](/mimikatz/modules/sekurlsa/ssp.md) lists [Security Support Provider](https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/security-support-provider-interface-architecture) (SSP) credentials * [`sekurlsa::tickets`](/mimikatz/modules/sekurlsa/tickets.md) lists Kerberos tickets belonging to all authenticated users on the target server/workstation. Unlike [`kerberos::list`](https://github.com/ShutdownRepo/The-Hacker-Tools/blob/master/mimikatz/process/list.md), sekurlsa uses memory reading and is not subject to key export restrictions. Sekurlsa can also access tickets of others sessions (users) * [`sekurlsa::trust`](/mimikatz/modules/sekurlsa/trust.md) retrieves the forest trust keys * [`sekurlsa::tspkg`](/mimikatz/modules/sekurlsa/tspkg.md) lists TsPkg credentials. This credentials provider is used for Terminal Server Authentication * [`sekurlsa::wdigest`](/mimikatz/modules/sekurlsa/wdigest.md) lists WDigest credentials. According to Microsoft, [WDigest.dll](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778868\(v%3dws.10\)) was introduced in the Windows XP operating system ### service * [`service::-`](/mimikatz/modules/service/undefined.md) removes the `mimikatzsvc` service * [`service::+`](/mimikatz/modules/service/+.md) installs the `mimikatzsvc` service by issuing `rpc::server service::me exit` * [`service::preshutdown`](/mimikatz/modules/service/preshutdown.md) pre-shuts down a specified service by sending a `SERVICE_CONTROL_PRESHUTDOWN` signal * [`service::remove`](/mimikatz/modules/service/remove.md) removes the specified service (It must be used with caution) * [`service::resume`](/mimikatz/modules/service/resume.md) resumes a specified service, after successful suspending, by sending a `SERVICE_CONTROL_CONTINUE` signal * [`service::shutdown`](/mimikatz/modules/service/shutdown.md) shuts down a specified service by sending a `SERVICE_CONTROL_SHUTDOWN` signal * [`service::start`](/mimikatz/modules/service/start.md) starts a service * [`service::stop`](/mimikatz/modules/service/stop.md) stops a specified service by sending a `SERVICE_CONTROL_STOP` signal * [`service::suspend`](/mimikatz/modules/service/suspend.md) suspends the specified service. It sends a `SERVICE_CONTROL_PAUSE` signal ### sid * [`sid::add`](/mimikatz/modules/sid/add.md) adds a SID to `sIDHistory` of an object * [`sid::clear`](/mimikatz/modules/sid/clear.md) clears the `sIDHistory` of a target object * [`sid::lookup`](/mimikatz/modules/sid/lookup.md) looks up an object by its SID or name * [`sid::modify`](/mimikatz/modules/sid/modify.md) modifies an object's SID * [`sid::patch`](/mimikatz/modules/sid/patch.md) patchs the NTDS (NT Directory Services). It's useful when running [`id::modify`](/mimikatz/modules/sid/modify.md) or [`sid::add`](/mimikatz/modules/sid/add.md) * [`sid::query`](/mimikatz/modules/sid/query.md) queries an object by its SID or name ### standard * [`standard::answer`](/mimikatz/modules/standard/answer.md) or `answer` provides an answer to [The Ultimate Question of Life, the Universe, and Everything!](https://hitchhikers.fandom.com/wiki/Ultimate_Question) :stars: * [`standard::base64`](/mimikatz/modules/standard/base64.md) or `base64` switches file input/output to base64 * [`standard::cd`](/mimikatz/modules/standard/cd.md) or `cd` can change or display the current directory. The changed directory is used for saving files * [`standard::cls`](/mimikatz/modules/standard/cls.md) or `cls` clears the screen * [`standard::coffee`](/mimikatz/modules/standard/coffee.md) or `coffee` is the most important command of all * [`standard::exit`](/mimikatz/modules/standard/exit.md) or `exit` quits Mimikatz after clearing routines * [`standard::hostname`](/mimikatz/modules/standard/hostname.md) or `hostname` displays system local hostname * [`standard::localtime`](/mimikatz/modules/standard/localtime.md) or `localtime` displays system local date and time * [`standard::log`](/mimikatz/modules/standard/log.md) or `log` logs mimikatz input/output to a file * [`standard::sleep`](/mimikatz/modules/standard/sleep.md) or `sleep` make Mimikatz sleep an amount of milliseconds * [`standard::version`](/mimikatz/modules/standard/version.md) or `version` displays the version in use of Mimikatz ### token * [`token::elevate`](/mimikatz/modules/token/elevate.md) can be used to impersonate a token. By default it will elevate permissions to `NT AUTHORITY\SYSTEM` * [`token::list`](/mimikatz/modules/token/list.md) lists all tokens on the system * [`token::revert`](/mimikatz/modules/token/revert.md) reverts to the previous token * [`token::run`](/mimikatz/modules/token/run.md) executes a process with its token * [`token::whoami`](/mimikatz/modules/token/whoami.md) displays the current token ### ts * [`ts::logonpasswords`](/mimikatz/modules/ts/logonpasswords.md) extracts clear text credentials from RDP running sessions (server side) * [`ts::mstsc`](/mimikatz/modules/ts/mstsc.md) extracts cleartext credentials from the mstsc process (client side) * [`ts::multirdp`](/mimikatz/modules/ts/multirdp.md) enables multiple RDP connections on the target server * [`ts::remote`](/mimikatz/modules/ts/remote.md) performs RDP takeover/hijacking of active sessions * [`ts::sessions`](/mimikatz/modules/ts/sessions.md) lists the current RDP sessions. It comes in handy for RDP hijacking ### vault * [`vault::cred`](/mimikatz/modules/vault/cred.md) enumerates vault credentials * [`vault::list`](/mimikatz/modules/vault/list.md) lists saved credentials in the Windows Vault such as scheduled tasks, RDP, Internet Explorer for the current user --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://tools.thehacker.recipes/mimikatz/modules.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.