misc module command reference
The misc module bundles a diverse set of operational helpers that are exposed as misc::command inside the mimikatz console.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L8-L41】
Each subsection below explains what the command does, the flags it understands, and why you would choose each option when automating offensive or defensive workflows.

misc::cmd
Purpose. Patch a suspended cmd.exe image to rename the DisableCMD policy string so that command prompt group policy restrictions are bypassed before the process is resumed.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L43-L47】
Flags. None.

misc::regedit
Purpose. Launches a patched regedit.exe so the DisableRegistryTools policy block is removed during process startup.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L49-L53】
Flags. None.

misc::taskmgr
Purpose. Spawns a patched taskmgr.exe to ignore the DisableTaskMgr restriction configured via group policy.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L55-L58】
Flags. None.

misc::ncroutemon
Purpose. Patches Juniper Network Connect’s route monitor routine (dsNcService) according to OS build specific byte patterns, disabling forced route monitoring when the service next runs.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L61-L68】
Flags. None.

misc::detours
Purpose. Enumerates every accessible process, inspects each loaded module, and walks exported functions to highlight Detours-style jump targets that redirect execution outside the owning image.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L69-L205】
Flags. None.
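
The check misc::detours describes can be illustrated on raw bytes. The following is an added example, not mimikatz's own code: it decodes a small, assumed set of entry-point jump encodings and reports whether the destination falls outside the owning image. The image_range type, the function name and all sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint64_t base, size; } image_range; /* hypothetical, not a mimikatz type */

/* Classify the first bytes (`code`, `len`) of an export located at address `va`:
 * 0 = no leading jump, 1 = jump lands inside `img`, 2 = jump leaves `img`.
 * Recognises EB rel8, E9 rel32 and x64 "mov rax, imm64; jmp rax", after NOP or
 * "mov edi, edi" padding. Assumes a little-endian host, as on x86/x64. */
int classify_export_entry(const image_range *img, const uint8_t *code, size_t len,
                          uint64_t va, uint64_t *dest) {
    uint64_t d;
    size_t i = 0;
    while (i < len && code[i] == 0x90) i++;                              /* nop */
    if (i + 2 <= len && code[i] == 0x8B && code[i + 1] == 0xFF) i += 2;  /* mov edi, edi */
    if (i + 2 <= len && code[i] == 0xEB) {                               /* jmp rel8 */
        d = va + i + 2 + (uint64_t)(int64_t)(int8_t)code[i + 1];
    } else if (i + 5 <= len && code[i] == 0xE9) {                        /* jmp rel32 */
        int32_t rel;
        memcpy(&rel, code + i + 1, sizeof rel);
        d = va + i + 5 + (uint64_t)(int64_t)rel;
    } else if (i + 12 <= len && code[i] == 0x48 && code[i + 1] == 0xB8 &&
               code[i + 10] == 0xFF && code[i + 11] == 0xE0) {           /* mov rax; jmp rax */
        memcpy(&d, code + i + 2, sizeof d);
    } else {
        return 0;
    }
    if (dest) *dest = d;
    return (d >= img->base && d - img->base < img->size) ? 1 : 2;
}

/* Constructed sample data: a 0x1000-byte image mapped at 0x180000000. */
const image_range IMG = { 0x180000000ULL, 0x1000 };
const uint64_t VA = 0x180000200ULL;                                    /* export entry */
const uint8_t PLAIN[]  = { 0x48, 0x89, 0x5C, 0x24, 0x08 };             /* ordinary prologue */
const uint8_t INSIDE[] = { 0xE9, 0x00, 0x01, 0x00, 0x00 };             /* jmp +0x100 */
const uint8_t HOOKED[] = { 0x8B, 0xFF, 0xE9, 0xF9, 0xFF, 0xFF, 0x0F }; /* jmp +0x0FFFFFF9 */
const uint8_t STUB[]   = { 0x48, 0xB8, 0, 0, 0, 0, 1, 0, 0, 0, 0xFF, 0xE0 };

int main(void) {
    uint64_t dest = 0;
    int verdict = classify_export_entry(&IMG, HOOKED, sizeof HOOKED, VA, &dest);
    printf("verdict=%d dest=0x%llx\n", verdict, (unsigned long long)dest);
    return 0;
}
```

A verdict of 2 is a lead, not proof of tampering: security products and compatibility shims legitimately place out-of-image jumps at export entry points, so the destination module still has to be identified.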

misc::memssp
Purpose. Injects a custom SpAcceptCredentials trampoline inside LSASS to log clear-text credentials with standard C runtime file calls, adapting to OS build specific signatures.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L500-L595】
Flags. None.

misc::skeleton
Purpose. Patches Kerberos cryptographic providers inside LSASS so RC4 keys are replaced with attacker controlled material, and optionally skips AES-related updates on legacy or /letaes runs.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L660-L724】
/letaes — Forces the routine to only touch the RC4 pathway, which is necessary on pre-Vista systems or when you want to avoid altering AES key material.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L678-L704】

misc::compress
Purpose. Compress a file in-memory and write the resulting blob to disk while displaying size statistics.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L754-L787】
/input:<path> — Selects the source file to compress; defaults to the current mimikatz executable when omitted because _wpgmptr is supplied.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L761-L768】 Use it to target arbitrary payloads instead of the default binary.
/output:<path> — Specifies where the compressed data is written, defaulting to mimikatz_<arch>.compressed; override it when staging data for exfiltration or tooling pipelines.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L764-L776】

misc::lock
Purpose. Locates a proxy process (default explorer.exe) and remotely calls LockWorkStation inside it to trigger a workstation lock from another session.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L789-L861】
/process:<image> — Chooses which process should host the injected lock routine; change it when the default Explorer instance is not available or to minimise forensic traces in a specific process context.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L793-L808】

misc::wp
Purpose. Remote-injects a call to SystemParametersInfoW in a chosen process to set the user’s wallpaper to the supplied path.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L864-L942】
/file:<path> — Required wallpaper bitmap path that is marshalled into the remote thread; supply it to control the new desktop background.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L868-L907】
/process:<image> — Picks the host process (default explorer.exe), useful when the shell process is unavailable or another desktop broker should be used.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L870-L907】

misc::mflt
Purpose. Enumerates all minifilter and legacy file system filter drivers via the Filter Manager APIs, dumping altitude and instance counts for situational awareness.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L944-L1009】
Flags. None.

misc::easyntlmchall
Purpose. Applies version-specific patches to msv1_0.dll inside the SamSs service to allow easy NTLM challenge generation on supported Windows builds only.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1012-L1036】
Flags. None (fails fast on unsupported OS versions).

misc::clip
Purpose. Registers a hidden window on the clipboard viewer chain to monitor text clipboard updates and print contents when they change.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1039-L1207】
Flags. None.

misc::xor
Purpose. Performs a byte-wise XOR transform on an input file and saves the result, handy for obfuscating blobs in tooling or reports.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1210-L1239】
/input:<path> — Points to the source data that will be XORed; required because the command must map the file into memory.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1217-L1234】
/output:<path> — Destination file for the transformed bytes; specify when you need to preserve the original and store the obfuscated copy separately.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1219-L1234】
/xor:<byte> — Overrides the default 0x42 XOR key, allowing you to match custom obfuscation schemes.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1212-L1228】

misc::aadcookie
Purpose. Instantiates the Proof-of-Possession Cookie manager COM object and lists Azure AD POP cookies for a given URI, including flags and headers.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1242-L1279】
/uri:<url> — Chooses the relying-party URI to query (defaults to the Azure AD login endpoint); change it when inspecting session material for a different resource.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1252-L1267】

misc::ngcsign
Purpose. Uses Windows Hello for Business/NGC crypto routines to compute a symmetric Proof-of-Possession signature for arbitrary data using a supplied key blob.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1282-L1339】
/keyvalue:<base64> — Mandatory URL-safe base64 payload that decodes to the symmetric POP key; without it, the signature cannot be derived.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1289-L1335】
/label:<string> — Overrides the POP label (default AzureAD-SecureConversation) so you can emulate specific relying-party expectations.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1295-L1323】
/context:<hex> — Supplies a hex-encoded context; if omitted, a random 24-byte context is generated, so provide it when protocol peers expect a fixed context value.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1297-L1306】
/signedinfo:<text> — Defines the ASCII payload to sign (default mimikatz), letting you create signatures over arbitrary proofs or SOAP envelopes.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1299-L1316】

misc::spooler
Purpose. Coerces a remote print spooler to authenticate to a UNC path by opening a change notification channel through the RPC winspool interface.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1342-L1436】
/authuser:<user> — Forces explicit credentials and switches RPC authentication to Negotiate, required when you must authenticate as another principal.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1353-L1370】
/authpassword:<pwd> — Provides the password accompanying /authuser; needed for accounts that are not using SSO.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1361-L1365】
/noauth — Sets the RPC binding to RPC_C_AUTHN_NONE, useful when anonymous coercion is desired or when credentials would fail.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1366-L1374】
/endpoint:<pipe> — Overrides the named pipe endpoint (default \pipe\spoolss) when targeting custom bindings or alternate transports.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1376-L1379】
/server:<host> or /target:<host> — Required to select the remote spooler host; without it the routine cannot establish an SMB session.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1379-L1390】
/connect:<listener> or /callback:<listener> — UNC destination used in the printer change notification call so the target authenticates to your listener; mandatory for coercion payloads.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1389-L1415】

misc::efs
Purpose. Replays the PetitPotam-style EfsRpcOpenFileRaw invocation over lsarpc to elicit machine account authentication to a UNC share.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1478-L1568】
/authuser, /authpassword, /noauth — Same semantics as misc::spooler, selecting credential material for the RPC binding.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1484-L1508】
/endpoint:<pipe> — Overrides the pipe name (default \pipe\lsarpc) when experimenting with alternate transports.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1510-L1513】
/server:<host> or /target:<host> — Identifies the remote host to coerce; required to build the UNC used in the SMB connection attempt.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1513-L1536】
/connect:<listener> or /callback:<listener> — UNC path that should receive the forced authentication; must be set to direct credentials to your trap server.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1516-L1566】

misc::printnightmare
Purpose. Automates driver upload primitives behind the PrintNightmare vulnerability through either MS-PAR (ncacn_ip_tcp) or MS-RPRN (ncalrpc) bindings, optionally installing or cleaning malicious drivers.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1600-L1889】
/server:<host> — Switches to the remote MS-PAR path, binding with Negotiate auth and targeting the specified server; omit it to use the local MS-RPRN channel.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1606-L1621】
/x64 or /win64 — Forces the printer driver environment to Windows x64; use it when staging x64 payloads regardless of the build architecture.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1622-L1632】
/x86 or /win32 — Forces the environment to Windows NT x86, enabling 32-bit driver deployment from a 64-bit host.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1632-L1639】
/library:<path> — Points to the malicious DLL to upload; without it the command falls back to enumerating printers instead.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1661-L1672】
/useown — Reuses the normalized library path instead of dynamic staging, handy when hosting the payload yourself and avoiding copy steps.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1663-L1673】
/nodynamic — Skips querying printer driver directories dynamically; use it when RPC directory discovery is blocked or undesired.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1670-L1683】
/clean — After enumeration, deletes drivers whose names start with mimikatz-, letting you clean up artefacts post-exploitation.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1688-L1851】

misc::sccm
Purpose. Connects to the SCCM database, retrieves encrypted account records, and decrypts them with the locally stored SMS RSA private key.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1974-L2107】
/keycontainer:<name> — Selects the CryptoAPI key container that holds the SMS private key (default Microsoft Systems Management Server); change it when SCCM was installed with a custom container name.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1998-L2006】
/keyuser — Forces the command to look in the current user key store instead of the machine store; necessary when SCCM credentials are scoped to a user context.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L1999-L2006】
/connectionstring:<odbc> — Required ODBC connection string to the SCCM database; without it no SQL session can be established.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L2003-L2104】

misc::shadowcopies
Purpose. Walks the NT object manager device tree to enumerate HarddiskVolumeShadowCopy* volumes and prints canonical registry hive paths and timestamps for each shadow copy.【F:mimikatz/mimikatz/modules/kuhl_m_misc.c†L2109-L2188】
Flags. None.

misc::djoin
Purpose. Decodes an offline domain join (ODJ) provisioning package from base64 and renders its internal structure for inspection.【F:mimikatz/mimikatz/modules/misc/kuhl_m_misc_djoin.c†L8-L30】
/input:<path> — Mandatory base64 ODJ package to parse; supply it to view domain join metadata and secrets.【F:mimikatz/mimikatz/modules/misc/kuhl_m_misc_djoin.c†L10-L30】

misc::citrix
Purpose. Finds Citrix SSO helper processes, extracts shared credentials from their memory-mapped files, and decrypts them for display.【F:mimikatz/mimikatz/modules/misc/kuhl_m_misc_citrix.c†L8-L141】
Flags. None.