`<Tool> <subcommand> -h` for help on any specific subcommand.
## Tools by category

| Tool | Scope |
|---|---|
| Kerb | Kerberos authentication — request TGTs and service tickets, change passwords, renew tickets, generate protocol keys, and inspect ticket files. |
| Smb2Client | SMB2 file operations — list, get, put, delete, watch, create directories and links, enumerate shares, sessions, open files, and snapshots. |
| Wmi | Windows Management Instrumentation — query objects, invoke methods, execute commands, enumerate namespaces/classes/properties/methods, back up and restore the repository. |
| Lsa | Local Security Authority — look up names and SIDs, enumerate accounts, get and set privileges and system access rights. |
| Sam | Security Accounts Manager — enumerate users, groups, and aliases from a remote SAM database. |
| Scm | Service Control Manager — query, create, start, stop, and delete services on a remote Windows system. |
| Epm | RPC Endpoint Mapper — list dynamic RPC endpoints registered with the endpoint mapper on a remote system. |
| CredCoerce | Credential coercion — send RPC calls that cause a target system to authenticate to an attacker-controlled listener. |
## Tools by name
| Command | Description |
|---|---|
| CredCoerce | Send RPC calls to coerce a system to authenticate to a remote system |
| Epm | Commands for interacting with the RPC endpoint mapper |
| Epm lsep | List the dynamic RPC endpoints registered with the endpoint mapper |
| Kerb | Commands for working with Kerberos authentication |
| Kerb asreq | Request a TGT from the KDC |
| Kerb changepw | Change an account password |
| Kerb getasinfo | Get server time and encryption types for a user account |
| Kerb renew | Renew a ticket |
| Kerb s2k | Generate a protocol key from a string such as a password |
| Kerb select | Select and display tickets from a file |
| Kerb setpw | Set the password of another account |
| Kerb tgsreq | Request a ticket from the KDC |
| Lsa | Commands for interacting with the LSA |
| Lsa addpriv | Add one or more privileges to an account |
| Lsa createaccount | Create an LSA policy account |
| Lsa enumaccounts | Enumerate accounts |
| Lsa enumprivaccounts | Enumerate accounts that have a specific privilege or user right |
| Lsa getprivs | Get the privileges assigned to an account |
| Lsa getrights | Get user rights and privileges granted to an account |
| Lsa getsysaccess | Get system access rights granted to an account |
| Lsa lookupname | Get the SID for one or more account names |
| Lsa lookupsid | Translate one or more SIDs to their account names |
| Lsa rmpriv | Remove one or more privileges from an account |
| Lsa setsysaccess | Set the system access rights granted to an account |
| Lsa whoami | Get the name and domain of the connected user |
| Sam | Commands for interacting with a remote Security Accounts Manager |
| Sam enumusers | Enumerate user accounts |
| Scm | Interact with the service control manager on a remote Windows system |
| Scm create | Create and optionally start a new service |
| Scm delete | Delete a service |
| Scm qtriggers | Query triggers configured to start or stop a service |
| Scm query | Query the status of services |
| Scm start | Start a service |
| Scm stop | Stop a service |
| Smb2Client | Perform operations on an SMB2 server |
| Smb2Client enumnics | Query the server for a list of network interfaces |
| Smb2Client enumopenfiles | List files open on the server |
| Smb2Client enumsessions | List active sessions on the server |
| Smb2Client enumshares | List shares on the server |
| Smb2Client enumsnapshots | List available snapshots for a file or directory |
| Smb2Client enumstreams | List data streams of a file or directory |
| Smb2Client get | Get the contents of a file |
| Smb2Client ls | List the contents of a directory |
| Smb2Client mkdir | Create a directory |
| Smb2Client mklink | Create a symbolic link |
| Smb2Client mount | Create a mount point or junction |
| Smb2Client put | Send a file to the server |
| Smb2Client rm | Delete a file |
| Smb2Client rmdir | Delete a directory |
| Smb2Client touch | Update timestamps or attributes of a file or directory |
| Smb2Client umount | Unmount a mount point |
| Smb2Client watch | Watch for modifications to a directory or subtree |
| Wmi | Commands for interacting with the Windows Management Instrumentation service |
| Wmi backup | Back up the WMI repository |
| Wmi delete | Delete a WMI object |
| Wmi exec | Execute a command on a remote system via WMI |
| Wmi get | Get an object with a WMI path |
| Wmi invoke | Invoke a method on a WMI class or object |
| Wmi lsclass | List the classes within a namespace |
| Wmi lsmethod | List the methods of a class or object |
| Wmi lsns | List the available namespaces within a namespace |
| Wmi lsprop | List the properties of a class or object |
| Wmi query | Execute a WMI query |
| Wmi restore | Restore the WMI repository |
## Tools by task
| Task | Command |
|---|---|
| **Credential coercion** | |
| Coerce a system to authenticate to a remote target | CredCoerce |
| **Enumeration** | |
| Check whether a user name is valid | Kerb getasinfo, Kerb asreq |
| Enumerate policy accounts | Lsa enumaccounts |
| Enumerate the accounts in the SAM database | Sam enumusers |
| Enumerate the data streams of a file on an SMB server | Smb2Client enumstreams |
| Enumerate the network interfaces of an SMB server | Smb2Client enumnics |
| Enumerate the open files on an SMB server | Smb2Client enumopenfiles |
| Enumerate the privileges granted to an account | Lsa getprivs |
| Enumerate the rights and privileges granted to an account | Lsa getrights |
| Enumerate the sessions of users connected to an SMB server | Smb2Client enumsessions |
| Enumerate the shares of an SMB server | Smb2Client enumshares |
| Enumerate the system access rights granted to an account | Lsa getsysaccess |
| Enumerate the volume snapshots on an SMB server | Smb2Client enumsnapshots |
| Enumerate dynamic RPC endpoints | Epm lsep |
| Execute a WMI query | Wmi query |
| Get a WMI object | Wmi get |
| List WMI classes, methods, namespaces, or properties | Wmi lsclass, Wmi lsmethod, Wmi lsns, Wmi lsprop |
| Query the status of a service | Scm query |
| Query the triggers for a service | Scm qtriggers |
| Translate a SID to its account name | Lsa lookupsid |
| Translate an account name to its SID | Lsa lookupname |
| **Kerberos** | |
| Change a password | Kerb changepw |
| Convert between .ccache and .kirbi files | Kerb select |
| Generate a protocol key from a password | Kerb s2k |
| Get a Kerberoastable ticket hash | Kerb tgsreq |
| Renew a ticket | Kerb renew |
| Request a ticket for a service | Kerb tgsreq |
| Request a ticket-granting ticket | Kerb asreq |
| Set the password of another user account | Kerb setpw |
| **Lateral movement** | |
| Create a service | Scm create |
| Execute a command line on a remote system | Wmi exec |
| Invoke a method on a WMI object | Wmi invoke |
| Start a service | Scm start |
| **SMB** | |
| Create a directory on an SMB share | Smb2Client mkdir |
| Create a filesystem link on an SMB share | Smb2Client mklink |
| Create a mount point or junction on an SMB share | Smb2Client mount |
| Delete a directory on an SMB share | Smb2Client rmdir |
| Delete a file on an SMB share | Smb2Client rm |
| Get a file from an SMB server | Smb2Client get |
| List the contents of a directory on an SMB share | Smb2Client ls |
| Timestomp a file on an SMB share | Smb2Client touch |
| Upload a file to an SMB share | Smb2Client put |
| Watch a directory on an SMB server for changes | Smb2Client watch |
| **WMI** | |
| Back up the WMI MOF repository | Wmi backup |
| Delete a WMI object | Wmi delete |
| Restore the WMI MOF repository | Wmi restore |