net
Query Active Directory and local system user/group information. Similar to the built-in net command but leverages token impersonation context.
user - List Users
Enumerate users in the domain or local system.
mimikatz # net::user [/user:<username>] [/domain:<domain>]
Options
- /user:<username> - query a specific user
- /domain:<domain> - target domain (default: current)
Examples
# List all users in current domain
mimikatz # net::user
# Query specific user
mimikatz # net::user /user:<username> /domain:<domain>
localgroup - List Local Groups
Enumerate members of local groups.
mimikatz # net::localgroup [/group:<groupname>] [/target:<hostname>]
Options
- /group:<groupname> - specific group to enumerate (default: all)
- /target:<hostname> - remote target (default: localhost)
Examples
# List all local groups
mimikatz # net::localgroup
# List members of Administrators
mimikatz # net::localgroup /group:Administrators
# List on remote machine
mimikatz # net::localgroup /group:Administrators /target:<computer>.<domain>
group - List Domain Groups
Enumerate domain group membership.
mimikatz # net::group [/group:<groupname>] [/domain:<domain>]
Options
- /group:<groupname> - specific group to query
- /domain:<domain> - target domain
Examples
# List all domain groups
mimikatz # net::group
# List Domain Admins members
mimikatz # net::group /group:"Domain Admins" /domain:<domain>
Notes
- These commands use the Windows Net APIs, not LDAP - behavior depends on domain trust and current token
- For richer enumeration, prefer lsadump::dcsync /all or PowerView/BloodHound
- net::localgroup on a remote machine requires appropriate network access and privileges
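
The defender's view of the localgroup enumeration described above, as an added example that is not part of the original page or of mimikatz: it looks for Windows Security event 4799 ("A security-enabled local group membership was enumerated") against the Administrators group and reports accounts that do this on several hosts. It assumes the events are collected (Audit Security Group Management enabled) and exported as one JSON object per line; the export layout, host and account names, the caller allowlist and the "-" caller value for network callers are assumptions made for illustration.

```python
import json
from collections import defaultdict

ADMIN_SIDS = {"S-1-5-32-544"}   # well-known SID of the built-in Administrators group
EXPECTED_CALLERS = {            # hypothetical allowlist of local tools; tune per environment
    r"c:\windows\system32\mmc.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample records, not real logs. Assumption: a caller that reaches
# the host over the network is logged with CallerProcessName "-".
SAMPLE = r"""
{"EventID":4799,"Computer":"ws01","SubjectUserName":"helpdesk1","TargetSid":"S-1-5-32-544","CallerProcessName":"C:\\Windows\\System32\\mmc.exe"}
{"EventID":4799,"Computer":"ws02","SubjectUserName":"jdoe","TargetSid":"S-1-5-32-544","CallerProcessName":"-"}
{"EventID":4799,"Computer":"ws03","SubjectUserName":"jdoe","TargetSid":"S-1-5-32-544","CallerProcessName":"-"}
{"EventID":4799,"Computer":"ws04","SubjectUserName":"jdoe","TargetSid":"S-1-5-32-545","CallerProcessName":"-"}
{"EventID":4799,"Computer":"ws05","SubjectUserName":"svc_backup","TargetSid":"S-1-5-32-544","CallerProcessName":"C:\\Users\\Public\\tool.exe"}
{"EventID":4624,"Computer":"ws02","SubjectUserName":"jdoe"}
"""

def suspicious_enumerations(lines):
    """Map account -> hosts where it enumerated Administrators from an unexpected caller."""
    hits = defaultdict(set)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4799 or ev.get("TargetSid") not in ADMIN_SIDS:
            continue  # other events, or groups we do not treat as privileged
        if ev.get("CallerProcessName", "-").lower() in EXPECTED_CALLERS:
            continue  # known administrative tooling
        hits[ev["SubjectUserName"]].add(ev["Computer"])
    return hits

def sweeps(hits, min_hosts=2):
    """Accounts seen on at least min_hosts machines, i.e. enumeration repeated per target."""
    return {acct: sorted(hosts) for acct, hosts in hits.items() if len(hosts) >= min_hosts}

if __name__ == "__main__":
    hits = suspicious_enumerations(SAMPLE)
    swept = sweeps(hits)
    for acct, hosts in sorted(hits.items()):
        tag = "SWEEP" if acct in swept else "single"
        print(f"{tag:6} {acct}: {', '.join(sorted(hosts))}")
```

Single-host hits from an unexpected binary (svc_backup here) still merit a look; the multi-host threshold only separates routine noise from a sweep.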