\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr}           % For header and footer
\usepackage{multicol}           % Allows multicols in tables
\usepackage{tabularx}           % Intelligent column widths
\usepackage{tabulary}           % Used in header and footer
\usepackage{hhline}             % Border under tables
\usepackage{graphicx}           % For images
\usepackage{xcolor}             % For hex colours
%\usepackage[utf8x]{inputenc}    % For unicode character support
\usepackage[T1]{fontenc}        % Without this we get weird character replacements
\usepackage{colortbl}           % For coloured tables
\usepackage{setspace}           % For line height
\usepackage{lastpage}           % Needed for total page number
\usepackage{seqsplit}           % Splits long words.
%\usepackage{opensans}          % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem}     % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath}            % Symbols
\usepackage{MnSymbol}           % Symbols
\usepackage{wasysym}            % Symbols
%\usepackage[english,german,french,spanish,italian]{babel}              % Languages

% Document Info
\author{HangryHippo (wbtaylor)}
\pdfinfo{
  /Title (basic-mimikatz-usage.pdf)
  /Creator (Cheatography)
  /Author (HangryHippo (wbtaylor))
  /Subject (Basic Mimikatz Usage Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit
% This two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{7D0053}
\definecolor{LightBackground}{HTML}{F6EFF4}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
    \SetRowColor{DarkBackground}
    \vspace{-7pt}
    {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
        \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
    }
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
    \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Basic Mimikatz Usage Cheat Sheet}}}} \\
    \normalsize{by \textcolor{DarkBackground}{HangryHippo (wbtaylor)} via \textcolor{DarkBackground}{\uline{cheatography.com/147129/cs/31951/}}}
\end{tabulary}
\end{multicols}}

\fancyfoot[L]{ \footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
  \SetRowColor{FootBackground}
  \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}}  \\
  \vspace{-2pt}HangryHippo (wbtaylor) \\
  \uline{cheatography.com/wbtaylor} \\
  \end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}}  \\
   \vspace{-2pt}Published 1st May, 2022.\\
   Updated 2nd May, 2022.\\
   Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}}  \\
  \SetRowColor{white}
  \vspace{-5pt}
  %\includegraphics[width=48px,height=48px]{dave.jpeg}
  Measure your website readability!\\
  www.readability-score.com
\end{tabulary}
\end{multicols}}




\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.

\begin{multicols*}{3}

\begin{tabularx}{5.377cm}{x{1.24425 cm} x{3.73275 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{MODULES}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{standard}} & This is the main module of mimikatz, it contains quick commands to operate with the tool. For this particular one, no need to prefix command by the module name (but it works too), eg: exit is the same as standard::exit. \tn 
% Row Count 8 (+ 8)
% Row 1
\SetRowColor{white}
{\bf{privilege}} & This module provides some commands to manipulate privilege on mimikatz process. \tn 
% Row Count 11 (+ 3)
% Row 2
\SetRowColor{LightBackground}
{\bf{crypto}} & This module, one of the oldest, plays with CryptoAPI functions. Basically it's a little certutil that benefit of token impersonation, patch legacy CryptoAPI functions and patch CNG key isolation service. \tn 
% Row Count 18 (+ 7)
% Row 3
\SetRowColor{white}
{\bf{sekurlsa}} & This module extracts passwords, keys, pin codes, tickets from the memory of lsass (Local Security Authority Subsystem Service) \tn 
% Row Count 23 (+ 5)
% Row 4
\SetRowColor{LightBackground}
{\bf{kerberos}} & This module can be used without any privilege. It permits to play with official Microsoft Kerberos API and to create offline 'Golden tickets', free, long duration TGT tickets for any users \tn 
% Row Count 30 (+ 7)
\end{tabularx}
\par\addvspace{1.3em}

\vfill
\columnbreak
\begin{tabularx}{5.377cm}{x{1.24425 cm} x{3.73275 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{MODULES (cont)}}  \tn
% Row 5
\SetRowColor{LightBackground}
{\bf{lsadump}} & This module interacts with the Windows Local Security Authority (LSA) to extract credentials. Most of these commands require either debug rights (privlege::debug) or local System. By default, the Administrators group has Debug rights. Debug still has to be "activated" by running "privilege::debug". \tn 
% Row Count 11 (+ 11)
% Row 6
\SetRowColor{white}
{\bf{vault}} & This module dumps passwords saved in the Windows Vault. \tn 
% Row Count 13 (+ 2)
% Row 7
\SetRowColor{LightBackground}
{\bf{token}} & This module deals with the Windows tokens (who does not really like elevating to NT AUTHORITY\textbackslash{} SYSTEM). \tn 
% Row Count 17 (+ 4)
% Row 8
\SetRowColor{white}
{\bf{event}} & This module deals with the Windows Event logs (to clear footprints after compromise). \tn 
% Row Count 20 (+ 3)
% Row 9
\SetRowColor{LightBackground}
{\bf{ts}} & This module deals with the Terminal Services. It can be an alternative for getting clear-text passwords. \tn 
% Row Count 24 (+ 4)
% Row 10
\SetRowColor{white}
{\bf{process}} & This module deals with Windows processes. It can also be used for process injection and parent process spoofing. \tn 
% Row Count 28 (+ 4)
% Row 11
\SetRowColor{LightBackground}
{\bf{service}} & This module can interact with Windows services plus installing the mimikatzsvc service. \tn 
% Row Count 31 (+ 3)
\end{tabularx}
\par\addvspace{1.3em}

\vfill
\columnbreak
\begin{tabularx}{5.377cm}{x{1.24425 cm} x{3.73275 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{MODULES (cont)}}  \tn
% Row 12
\SetRowColor{LightBackground}
{\bf{net}} & some functionalities in this module are similar to the Windows net commands. Enumerating sessions and servers configured with different types of Kerberos delegations is also included. \tn 
% Row Count 7 (+ 7)
% Row 13
\SetRowColor{white}
{\bf{misc}} & This module is kind of a catch-all for commands that don't quite fit elsewhere. The most well known commands in this module are MISC::AddSID, MISC::MemSSP, and MISC::Skeleton. \tn 
% Row Count 13 (+ 6)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.44333 cm} x{3.53367 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{CRYPTO}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{providers}} & This command list all providers: CryptoAPI, then CNG if available (NT 6). \tn 
% Row Count 3 (+ 3)
% Row 1
\SetRowColor{white}
{\bf{stores}} & This command lists logical store in a system store. \tn 
% Row Count 5 (+ 2)
% Row 2
\SetRowColor{LightBackground}
{\bf{sc}} & This command lists smartcard/token reader(s) on, or deported to, the system. When the CSP is available, it tries to list keys on the smartcard. \tn 
% Row Count 11 (+ 6)
% Row 3
\SetRowColor{white}
{\bf{scauth}} & This command creates a client certificate for smartcard authentication, signed by a Certificate Authority \tn 
% Row Count 15 (+ 4)
% Row 4
\SetRowColor{LightBackground}
{\bf{certificates}} & This command lists certificates and properties of theirs keys. It can export certificates too. \tn 
% Row Count 19 (+ 4)
% Row 5
\SetRowColor{white}
{\bf{keys}} & This command lists keys, by provider. It can export keys too. \tn 
% Row Count 22 (+ 3)
% Row 6
\SetRowColor{LightBackground}
{\bf{capi}} & This patch modify a CryptoAPI function, in the mimikatz process, in order to make unexportable keys, exportable (no specifig right other than access to the private key is needed)  This is only useful when the keys provider is one of:  Microsoft Base Cryptographic Provider v1.0, Microsoft Enhanced Cryptographic Provider v1.0, Microsoft Enhanced RSA and AES Cryptographic Provider, Microsoft RSA SChannel Cryptographic Provider, Microsoft Strong Cryptographic Provider \tn 
% Row Count 39 (+ 17)
\end{tabularx}
\par\addvspace{1.3em}

\vfill
\columnbreak
\begin{tabularx}{5.377cm}{x{1.44333 cm} x{3.53367 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{CRYPTO (cont)}}  \tn
% Row 7
\SetRowColor{LightBackground}
{\bf{cng}} & This patch modify KeyIso service, in LSASS process, in order to make unexportable keys, exportable.  This is only useful when the keys provider is Microsoft Software Key Storage Provider (you do not need to patch CNG for other providers). \tn 
% Row Count 9 (+ 9)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{0.84609 cm} x{4.13091 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{VAULT}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{cred}} & Enumerates vault credentials \tn 
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
{\bf{list}} & Lists saved credentials in the Windows Vault such as scheduled tasks, RDP, Internet Explorer for the current user \tn 
% Row Count 6 (+ 4)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.14471 cm} x{3.83229 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{TS}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{multirdp}} & (experimental) Patch Terminal Server service to allow multiple users \tn 
% Row Count 3 (+ 3)
% Row 1
\SetRowColor{white}
{\bf{sessions}} & List TS/RDP sessions. \tn 
% Row Count 5 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.09494 cm} x{3.88206 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{STANDARD}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{exit}} & Quits mimikatz, after cleaning routines. \tn 
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
{\bf{cls}} & Clears screen, by filling the console window with spaces. \tn 
% Row Count 4 (+ 2)
% Row 2
\SetRowColor{LightBackground}
{\bf{answer}} & Gives the Answer to the Ultimate Question of Life, the Universe, and Everything. \tn 
% Row Count 7 (+ 3)
% Row 3
\SetRowColor{white}
{\bf{coffee}} & Because everyone deserves a good coffee. \tn 
% Row Count 9 (+ 2)
% Row 4
\SetRowColor{LightBackground}
{\bf{sleep}} & Sleeps an amount of milliseconds (1000 ms by default). \tn 
% Row Count 11 (+ 2)
% Row 5
\SetRowColor{white}
{\bf{log}} & Logs all outputs to a file (mimikatz.log by default). \tn 
% Row Count 13 (+ 2)
% Row 6
\SetRowColor{LightBackground}
{\bf{base64}} & Switches from file writing on the disk, to Base64 output instead. \tn 
% Row Count 16 (+ 3)
% Row 7
\SetRowColor{white}
{\bf{version}} & Displays versions of mimikatz and Windows \tn 
% Row Count 18 (+ 2)
% Row 8
\SetRowColor{LightBackground}
{\bf{cd}} & Change or display current directory \tn 
% Row Count 20 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.59264 cm} x{3.38436 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{SEKURLSA}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{logonpasswords}} & Lists all available provider credentials. This usually shows recently logged on user and computer credentials. \tn 
% Row Count 5 (+ 5)
% Row 1
\SetRowColor{white}
{\bf{pth}} & Pass-the-Hash and Over-Pass-the-Hash (aka pass the key). \tn 
% Row Count 8 (+ 3)
% Row 2
\SetRowColor{LightBackground}
{\bf{tickets}} & List and export Kerberos tickets of all sessions. \tn 
% Row Count 10 (+ 2)
% Row 3
\SetRowColor{white}
{\bf{ekeys}} & List Kerberos encryption keys \tn 
% Row Count 12 (+ 2)
% Row 4
\SetRowColor{LightBackground}
{\bf{dpapi}} & Read masterkeys from memory \tn 
% Row Count 13 (+ 1)
% Row 5
\SetRowColor{white}
{\bf{minidump}} & Switch to LSASS minidump process context \tn 
% Row Count 15 (+ 2)
% Row 6
\SetRowColor{LightBackground}
{\bf{process}} & Switches (or reinits) to LSASS process context \tn 
% Row Count 17 (+ 2)
% Row 7
\SetRowColor{white}
{\bf{searchpasswords}} & Present username and passwords available in memory \tn 
% Row Count 19 (+ 2)
% Row 8
\SetRowColor{LightBackground}
{\bf{msv}} & Responsible for collecting password hashes from the LSASS address space \tn 
% Row Count 22 (+ 3)
% Row 9
\SetRowColor{white}
{\bf{wdigest}} & List WDigest credentials \tn 
% Row Count 23 (+ 1)
% Row 10
\SetRowColor{LightBackground}
{\bf{kerberos}} & List Kerberos credentials for all authenticated users (including services and computer account) \tn 
% Row Count 27 (+ 4)
% Row 11
\SetRowColor{white}
{\bf{tspkg}} & Used for Terminal Server authentication \tn 
% Row Count 29 (+ 2)
% Row 12
\SetRowColor{LightBackground}
{\bf{krbtg}} & Get Domain Kerberos service account (KRBTGT)password data \tn 
% Row Count 32 (+ 3)
\end{tabularx}
\par\addvspace{1.3em}

\vfill
\columnbreak
\begin{tabularx}{5.377cm}{x{1.59264 cm} x{3.38436 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{SEKURLSA (cont)}}  \tn
% Row 13
\SetRowColor{LightBackground}
{\bf{ssp}} & Lists Security Support Provider credentials \tn 
% Row Count 2 (+ 2)
% Row 14
\SetRowColor{white}
{\bf{credman}} & List Credentials Manager \tn 
% Row Count 3 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{0.89586 cm} x{4.08114 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{EVENT}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{clear}} & Clear an event log \tn 
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
{\bf{drop}} & (experimental) Patch Events service to avoid new events \tn 
% Row Count 4 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{5.377cm}}{Run privilege::debug then event::drop to patch the event log.  Then run Event::Clear to clear the event log without any log cleared event (1102) being logged.}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.54287 cm} x{3.43413 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{SERVICE}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{+ (plus sign)}} & Install Mimikatz service ('mimikatzsvc') \tn 
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
{\bf{- (minus sign)}} & Uninstall Mimikatz service ('mimikatzsvc') \tn 
% Row Count 4 (+ 2)
% Row 2
\SetRowColor{LightBackground}
{\bf{list}} & List Services \tn 
% Row Count 5 (+ 1)
% Row 3
\SetRowColor{white}
{\bf{preshutdown}} & Pre-shuts down a specified service by sending a \seqsplit{SERVICE\_CONTROL\_PRESHUTDOWN} signal \tn 
% Row Count 9 (+ 4)
% Row 4
\SetRowColor{LightBackground}
{\bf{remove}} & Removes the specified service (It must be used with caution) \tn 
% Row Count 12 (+ 3)
% Row 5
\SetRowColor{white}
{\bf{resume}} & Resumes a specified service, after successful suspending, by sending a \seqsplit{SERVICE\_CONTROL\_CONTINUE} signal \tn 
% Row Count 16 (+ 4)
% Row 6
\SetRowColor{LightBackground}
{\bf{shutdown}} & Shuts down a specified service by sending a \seqsplit{SERVICE\_CONTROL\_SHUTDOWN} signal \tn 
% Row Count 19 (+ 3)
% Row 7
\SetRowColor{white}
{\bf{start}} & Start a service \tn 
% Row Count 20 (+ 1)
% Row 8
\SetRowColor{LightBackground}
{\bf{stop}} & Stops a specified service by sending a SERVICE\_CONTROL\_STOP signal \tn 
% Row Count 23 (+ 3)
% Row 9
\SetRowColor{white}
{\bf{suspend}} & Suspend the service. It sends a SERVICE\_CONTROL\_PAUSE signal \tn 
% Row Count 26 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.54287 cm} x{3.43413 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{MISC}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{aadcookie}} & Can be used to dump the Azure Panel's session cookie from \seqsplit{login.microsoftonline.com} \tn 
% Row Count 4 (+ 4)
% Row 1
\SetRowColor{white}
{\bf{clip}} & Monitors clipboard. CTRL+C stops the monitoring \tn 
% Row Count 6 (+ 2)
% Row 2
\SetRowColor{LightBackground}
{\bf{cmd}} & Launches the command prompt \tn 
% Row Count 7 (+ 1)
% Row 3
\SetRowColor{white}
{\bf{compress}} & Performs a self compression of mimikatz \tn 
% Row Count 9 (+ 2)
% Row 4
\SetRowColor{LightBackground}
{\bf{detours}} & (Experimental) Tries to enumerate all modules with Detours-like hooks \tn 
% Row Count 12 (+ 3)
% Row 5
\SetRowColor{white}
{\bf{efs}} & Mimikatz's implementation of the MS-EFSR abuse (PetitPotam), an authentication coercion technique \tn 
% Row Count 16 (+ 4)
% Row 6
\SetRowColor{LightBackground}
{\bf{lock}} & Locks the screen. It can come in handy with misc::memssp \tn 
% Row Count 19 (+ 3)
% Row 7
\SetRowColor{white}
{\bf{memssp}} & Patches LSASS by injecting a new Security Support Provider (a DLL is registered) \tn 
% Row Count 22 (+ 3)
% Row 8
\SetRowColor{LightBackground}
{\bf{mflt}} & Identifies Windows minifilters inside mimikatz, without using fltmc.exe. It can also assist in fingerprinting security products, by altitude too (Gathers details on loaded drivers, including driver altitude) \tn 
% Row Count 30 (+ 8)
\end{tabularx}
\par\addvspace{1.3em}

\vfill
\columnbreak
\begin{tabularx}{5.377cm}{x{1.54287 cm} x{3.43413 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{MISC (cont)}}  \tn
% Row 9
\SetRowColor{LightBackground}
{\bf{ncroutemon}} & Displays Juniper network connect (without route monitoring) \tn 
% Row Count 3 (+ 3)
% Row 10
\SetRowColor{white}
{\bf{ngcsign}} & Can be used to dump the NGC key (Windows Hello keys) signed with the symmetric pop key. \tn 
% Row Count 7 (+ 4)
% Row 11
\SetRowColor{LightBackground}
{\bf{printnightmare}} & Can be used to exploit the PrintNightMare vulnerability in both {[}MS-RPRN RpcAddPrinterDriverEx{]} and {[}MS-PAR AddPrinterDriverEx{]}. \tn 
% Row Count 12 (+ 5)
% Row 12
\SetRowColor{white}
{\bf{regedit}} & Launches the registry editor \tn 
% Row Count 14 (+ 2)
% Row 13
\SetRowColor{LightBackground}
{\bf{sccm}} & Decrypts the password field in the SC\_UserAccount table in the SCCM database \tn 
% Row Count 17 (+ 3)
% Row 14
\SetRowColor{white}
{\bf{shadowcopies}} & Used to list the available shadow copies on the system \tn 
% Row Count 19 (+ 2)
% Row 15
\SetRowColor{LightBackground}
{\bf{skeleton}} & Injects a "Skeleton Key" into the LSASS process on the domain controller \tn 
% Row Count 22 (+ 3)
% Row 16
\SetRowColor{white}
{\bf{spooler}} & Mimikat's implementation of the MS-RPRN abuse (PrinterBug), an authentication coercion technique \tn 
% Row Count 26 (+ 4)
% Row 17
\SetRowColor{LightBackground}
{\bf{taskmgr}} & Launches the task manager \tn 
% Row Count 27 (+ 1)
% Row 18
\SetRowColor{white}
{\bf{wp}} & Sets up a wallpaper \tn 
% Row Count 28 (+ 1)
% Row 19
\SetRowColor{LightBackground}
{\bf{xor}} & Performs XOR decoding/encoding on a provided file with 0x42 default key \tn 
% Row Count 31 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{0.89586 cm} x{4.08114 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{PRIVILEGE}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{debug}} & Ask for debug privilege for mimikatz process. \tn 
% Row Count 2 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{5.377cm}}{The debug privilege allows someone to debug a process that they wouldn't otherwise have access to. For example, a process running as a user with the debug privilege enabled on its token can debug a service running as local system. \newline Remark: ERROR \seqsplit{kuhl\_m\_privilege\_simple} ; RtlAdjustPrivilege (20) c0000061 means that the required privilege is not held by the client}  \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.29402 cm} x{3.68298 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{LSADUMP}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{sam}} & This command dumps the Security Account Managers (SAM) database. It contains NTLM, and sometimes LM hash, of users passwords. \tn 
% Row Count 5 (+ 5)
% Row 1
\SetRowColor{white}
{\bf{secrets}} & Get the SysKey to decrypt SECRETS entries (from registry or hives). \tn 
% Row Count 8 (+ 3)
% Row 2
\SetRowColor{LightBackground}
{\bf{setntlm}} & Used to perform a password reset without knowing the user's current password. It can be useful during an active directory Access Control (ACL) abuse scenario \tn 
% Row Count 14 (+ 6)
% Row 3
\SetRowColor{white}
{\bf{lsa}} & Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file. Also used to get specific account credential such as krbtgt with the parameter /name: "/name:krbtgt" \tn 
% Row Count 24 (+ 10)
% Row 4
\SetRowColor{LightBackground}
{\bf{dcsync}} & Ask a DC to synchronize an object (get password data for account). No need to run code on DC. \tn 
% Row Count 28 (+ 4)
% Row 5
\SetRowColor{white}
{\bf{trust}} & Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest). \tn 
% Row Count 34 (+ 6)
\end{tabularx}
\par\addvspace{1.3em}

\vfill
\columnbreak
\begin{tabularx}{5.377cm}{x{1.29402 cm} x{3.68298 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{LSADUMP (cont)}}  \tn
% Row 6
\SetRowColor{LightBackground}
{\bf{backupkeys}} & Dumps the DPAPI backup keys from the Domain Controller \tn 
% Row Count 2 (+ 2)
% Row 7
\SetRowColor{white}
{\bf{cache}} & Can be used to enumerate Domain Cached Credentials from registry. It does so by acquiring the SysKey to decrypt NL\$KM (binary protected value) and then MSCache(v1/v2) \tn 
% Row Count 8 (+ 6)
% Row 8
\SetRowColor{LightBackground}
{\bf{changentlm}} & Used to change the password of a user \tn 
% Row Count 10 (+ 2)
% Row 9
\SetRowColor{white}
{\bf{zerologon}} & Detects and exploits the ZeroLogon vulnerability \tn 
% Row Count 12 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.59264 cm} x{3.38436 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{KERBEROS}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{ptt}} & Pass-the-Ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust). \tn 
% Row Count 4 (+ 4)
% Row 1
\SetRowColor{white}
{\bf{golden / silver}} & This command create Kerberos ticket, a TGT or a TGS with arbitrary data, for any user you want, in groups you want \tn 
% Row Count 9 (+ 5)
% Row 2
\SetRowColor{LightBackground}
{\bf{tgt}} & Displays informations about the TGT of the current session. \tn 
% Row Count 12 (+ 3)
% Row 3
\SetRowColor{white}
{\bf{list}} & Lists and export Kerberos tickets (TGT and TGS) of the current session. \tn 
% Row Count 15 (+ 3)
% Row 4
\SetRowColor{LightBackground}
{\bf{purge}} & Purges all tickets of the current session. \tn 
% Row Count 17 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.09494 cm} x{3.88206 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{TOKEN}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{elevate}} & Used to impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box using the Windows API. \tn 
% Row Count 5 (+ 5)
% Row 1
\SetRowColor{white}
{\bf{list}} & List all tokens of the system \tn 
% Row Count 6 (+ 1)
% Row 2
\SetRowColor{LightBackground}
{\bf{revert}} & Revert to previous token \tn 
% Row Count 8 (+ 2)
% Row 3
\SetRowColor{white}
{\bf{run}} & Executes a process with its token \tn 
% Row Count 10 (+ 2)
% Row 4
\SetRowColor{LightBackground}
{\bf{whoami}} & Display current identity \tn 
% Row Count 12 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.09494 cm} x{3.88206 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{PROCESS}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{exports}} & Lists all the exported functions from the DLLs each running process is using. If a{\bf{ }}/pid is not specified, then exports for mimikatz.exe will be displayed \tn 
% Row Count 6 (+ 6)
% Row 1
\SetRowColor{white}
{\bf{imports}} & Lists all the imported functions from the DLLs each running process is using. If a{\bf{ }}/pid is not specified, then imports for mimikatz.exe will be displayed \tn 
% Row Count 12 (+ 6)
% Row 2
\SetRowColor{LightBackground}
{\bf{list}} & Lists all running processes. It uses the NtQuerySystemInformation Windows Native API function \tn 
% Row Count 15 (+ 3)
% Row 3
\SetRowColor{white}
{\bf{resume}} & Resumes a suspended process by using the NtResumeProcess Windows Native API function \tn 
% Row Count 18 (+ 3)
% Row 4
\SetRowColor{LightBackground}
{\bf{start}} & Starts a process by using the CreateProcess Win32 API function. The PID of the process is also displayed \tn 
% Row Count 22 (+ 4)
% Row 5
\SetRowColor{white}
{\bf{stop}} & Terminates a process by using the NtTerminateProcess Windows Native API function. The Win32 API equal one is TerminateProcess \tn 
% Row Count 27 (+ 5)
% Row 6
\SetRowColor{LightBackground}
{\bf{suspend}} & Suspends a process by using the NtSuspendProcess Windows Native API function \tn 
% Row Count 30 (+ 3)
\end{tabularx}
\par\addvspace{1.3em}

\vfill
\columnbreak
\begin{tabularx}{5.377cm}{x{1.09494 cm} x{3.88206 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{PROCESS (cont)}}  \tn
% Row 7
\SetRowColor{LightBackground}
{\bf{run}} & Creates a process by using the CreateProcessAsUser Win32 API function. The CreateEnvironmentBlock is also utilized \tn 
% Row Count 4 (+ 4)
% Row 8
\SetRowColor{white}
{\bf{runp}} & Runs a subprocess under a parent process (Default parent process is LSASS.exe). It can also be used for lateral movement and process spoofing \tn 
% Row Count 9 (+ 5)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{5.377cm}{x{1.29402 cm} x{3.68298 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{5.377cm}}{\bf\textcolor{white}{NET}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{alias}} & Displays more information about the local group memberships including Remote Desktop Users, Distributed COM Users, etc \tn 
% Row Count 5 (+ 5)
% Row 1
\SetRowColor{white}
{\bf{deleg}} & Checks for Kerberos delegations \tn 
% Row Count 7 (+ 2)
% Row 2
\SetRowColor{LightBackground}
{\bf{group}} & Displays the local groups \tn 
% Row Count 8 (+ 1)
% Row 3
\SetRowColor{white}
{\bf{if}} & Displays the available local IP addresses and the hostname \tn 
% Row Count 10 (+ 2)
% Row 4
\SetRowColor{LightBackground}
{\bf{serverinfo}} & Displays information about the logged in server \tn 
% Row Count 12 (+ 2)
% Row 5
\SetRowColor{white}
{\bf{session}} & Displays the active sessions through NetSessionEnum() Win32 API function \tn 
% Row Count 15 (+ 3)
% Row 6
\SetRowColor{LightBackground}
{\bf{share}} & Displays the available shares \tn 
% Row Count 16 (+ 1)
% Row 7
\SetRowColor{white}
{\bf{stats}} & Displays when the target was booted \tn 
% Row Count 18 (+ 2)
% Row 8
\SetRowColor{LightBackground}
{\bf{tod}} & Displays the current time \tn 
% Row Count 19 (+ 1)
% Row 9
\SetRowColor{white}
{\bf{trust}} & Displays information for the active directory forest trust(s) \tn 
% Row Count 22 (+ 3)
% Row 10
\SetRowColor{LightBackground}
{\bf{user}} & Displays the local users \tn 
% Row Count 23 (+ 1)
% Row 11
\SetRowColor{white}
{\bf{wsession}} & Displays the active sessions through NetWkstaUserEnum() Win32 API function \tn 
% Row Count 26 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}


% That's all folks
\end{multicols*}

\end{document}