search
LinkedInGitHub

Invoke-Mimikatz

circle-info

First thing we need to do when compromising a machine is dump credentials and tickets

triangle-exclamation

DO NOT TOUCH THE LSASS UNLESS YOU'RE DESPERATE.

JUST REQUIRING A HANDLE ON IT ALERTS ANY EDR

Search for credentials in credential vaults, browsers, LSA registry keys, the SAM hive.

hashtag
Dumping Creds From the LSASS

Invoke-Mimikatz -Command '"sekurlsa::ekeys"' 
SafetyKatz.exe "sekurlsa::ekeys" 
SharpKatz.exe --Command ekeys
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump
pypykatz.exe live lsa
impacket-secretsdump Admin:[email protected]

hashtag
OverPass-The-Hash

circle-check

PTH we target local accounts on the machine using their NTLM hash (Testing local Admin hashes against other machines).

OPTH request a ticket from the Domain Controller using the NTLM hash or AES key. This allows us to access Domain joined resources.

triangle-exclamation

Always use AES keys instead of RC4 keys (ntlm) to avoid flagging. It will get detected as an encryption downgrade

Over Pass the hash (OPTH) generates tokens from hashes or keys. Needs elevation.

The following start a PowerShell session with a logon type 9 (same as runas /netonly).

This means when you access local resources on the machine it'll still show as your original user (example whoami = student1). However when you access resources on other domain machines it will use the credentials in OPTH ticket.

Don't need elevation to just get the ticket

This needs elevation because you're spawning a new process.

hashtag
DCSync

Extracts credentials from the DC without code execution on it

Domain Admin / Special permissions are required.

PreviousPowerShell Remoting (WinRM)NextFile Transfers

Last updated