Invoke-Mimikatz Walkthrough
Today we are going to be looking at Invoke-Mimikatz which can be found here:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1
For this lab we will be using a Domain Controller and also a Windows 10 machine that is part of the domain. Both have Windows Defender and Real Time Protection turned on. We will start as an administrator on the Windows 10 machine; this is not a privilege escalation walkthrough, just a quick showing of Invoke-Mimikatz.ps1.
As stated, we will start off with administrator access on the Windows 10 machine. Also notice that this is a local administrator, not a domain administrator.
The first thing we can run is token::elevate:
Now that we have put mimikatz into memory we can start to look at some of the different commands. Let's start off with just Invoke-Mimikatz:
Now let's only look at the LSA dump. We will be utilizing two commands strung together for this, looking at both the LSA dump and the LSA dump with /patch. To do this we can run Invoke-Mimikatz -command '"lsadump::lsa" "lsadump::lsa /patch"'.
Notice when we do this both commands are run; we can continue to string more commands together if we please. Next let's look at the vault. To do this we will be utilizing vault::list, vault::cred and vault::cred /patch.
Notice above there is nothing in the vault that we can utilize. That is ok, we still have plenty of information from the other commands to work with. Also, thinking back to the last commands that we ran, we could do a token::elevate with each command if we so please, and string other commands with it.
Now that we have done a few commands and seen that we can string commands together, let's utilize the information that we have above to do a pass the hash with Invoke-Mimikatz.
The command above will open a new PowerShell window, and we can see if we have successfully passed the hash by looking at the domain controller.
Awesome, we are now utilizing pass the hash and are an administrator on the Domain Controller, easy day. If you are confused about the domain name or computer name, we found this information before with mimikatz and the commands we have already run:
Notice the logon server is the computer name of the Domain Controller and the domain is the domain name.
Continuing on, let's try to create a golden ticket:
Awesome, it worked, but we were on the DC already. Let's create one for the Windows 10 machine and then see if we can log in with the ticket that we created:
Awesome we were able to create another session with a golden ticket utilizing the Windows 10 Machine and the information that we found on the DC. We have now created persistence within the domain.
As shown throughout this article we can utilize Invoke-Mimikatz.ps1 the same way we can run mimikatz.exe; however, with the .ps1 we can load it into memory, thus helping with bypassing Defender and Real Time Protection.