Jump to content

For those who like Invoke-Mimikatz (Works with Win10)


Recommended Posts

Someone updated the PS version of the payload with the new and PS injecty way of use so it works with Windows 10 again.  I cannot tell if the original repo from PowershellMafia is updated but here it is updated in Empire.

https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Mimikatz.ps1

 

Tested and works.  Of course I turned Defender off.  You want it to work from Lazagne?  You will have to edit Lazagne's source for the part that has the old mimi and update it with the new ps file and compile.  Folks were complaining about not being able to dump creds in Win 10 with invoke-mimi*, well here is one that will work minus AV probably killing it.

 

Link to post
Share on other sites
  • 2 weeks later...

Doh, new Invoke-Mimikatz does not work anymore in newer updates of Win10.  MS implemented security fixes that break invoke-reflectivepeinjection.  So, mimikatz inside does work but the method Invoke uses to inject it does not.  That also breaks my injection techniques for Windows 10.

Doesn't matter as AV on Windows 10 will detect Invoke-Mimikatz.ps1 even if I heavily obfuscate the powershell with Invoke-Obfuscation.  Method on Win 10 will have to be a dropper after you kill the realtime AV.  Once done you could drop the original mimikatz.exe to the drive (sorry, only way on new Win10 right now) and run it to drop a log in its current directory with:

mimikatz log privilege::debug sekurlsa::logonpasswords exit

an it will drop a mimikatz,log to its current folder where you can pick it up and cleanup or in powershell after it is dropped you can run:

$results = .\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit

All the results will be in $results for you to send or save how every you like.

 

Link to post
Share on other sites

I hate going back the forth.  It is working again.  The link I posted above has not been updated yet, it is still waiting to be pushed.  The location to the unpushed version that works is here.

https://github.com/EmpireProject/Empire/blob/7a39a55f127b1aeb951b3d9d80c6dc64500cacb5/data/module_source/credentials/Invoke-Mimikatz.ps1

 

That one will definitely work.  I was confused when I went into the one I listed before and saw the date of the mimikatz.

 

Link to post
Share on other sites
  • 5 weeks later...
  • 3 weeks later...
  • 1 year later...

@PoSHMagiC0de

 

Compared to the rest, this script actually runs. Thank you, but I'm having a small problem. My issue is that I get a memory error and it exits. But at least its not a code error.  Can you tell me what I'm doing wrong?

 

Here is the error.

 

.#####.   mimikatz 2.1.1 (x64) built on Aug  3 2018 17:05:14 - lil!
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

mimikatz(powershell) # exit
Bye!

Link to post
Share on other sites

Yeah, that version doesn't work anymore.  Here is the part where people will need to begin the hunt for their own for a working copy.  I no longer use Powershell version of mimikatz but have moved over to .NET solutions.  There is probably a working version out there but I do not have it.  I actually compiled me a .NET 4.0 version of SharpSploit's dll and use that reflectively for stuff in Powershell if I use Powershell or I create an app to ingest it.  So, I guess you can say I actually created my own Powershell version borrowing .NET versions of the libraries from SharpSploit.

Link to post
Share on other sites
11 hours ago, PoSHMagiC0de said:

Yeah, that version doesn't work anymore.  Here is the part where people will need to begin the hunt for their own for a working copy.  I no longer use Powershell version of mimikatz but have moved over to .NET solutions.  There is probably a working version out there but I do not have it.  I actually compiled me a .NET 4.0 version of SharpSploit's dll and use that reflectively for stuff in Powershell if I use Powershell or I create an app to ingest it.  So, I guess you can say I actually created my own Powershell version borrowing .NET versions of the libraries from SharpSploit.

@PoSHMagiC0de

 

Thank you for your response. I managed to get this powershell script working with this command  as administrator

Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::tspkg"'

I read that minidump still works instead of the lsa permission method. Now the only error i get is error 0x2 which is a file not found error because tspkg cant find the .dmp file. I cant find minidump in the script to see if the proper code is there to create the .dmp file or what path the .dmp file might be saving to, and I believe the minidump code might be in the encoded base64 string which I do not know how to decode. Is it possible for you to post a completely decoded version of invoke-mimikatz.ps1? I like the default powershell script because I do not want to install .net framework to run it. I really want to get this script working if thats possible to edit the save path of the .dmp file.

 

Here is the command to run invoke mimikats along with successful minidump and error 0x2 on tspkg https://pastebin.com/kFTsp2Zk

------------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

 

Edited by eeeeeesy
spelling mistake
Link to post
Share on other sites

BC Security has forked the Powershell Empire project to their github, updated it and all its modules so their revived version of PSEmpire has a updated copy of the Mimikatz powershell script updated 11-25 of this year that works out the box.  Oh, you always have to be admin and UAC has to be bypassed for any version of mimikatz to work.

Link to post
Share on other sites
21 hours ago, PoSHMagiC0de said:

BC Security has forked the Powershell Empire project to their github, updated it and all its modules so their revived version of PSEmpire has a updated copy of the Mimikatz powershell script updated 11-25 of this year that works out the box.  Oh, you always have to be admin and UAC has to be bypassed for any version of mimikatz to work.

@PoSHMagiC0de

 

Ok so I got the BC security empire invoke-mimkatz 11-25th update just now and i still have the same error 0x2  which means .dmp file is not found even when running as administrator and bypassing uac. I've done a search on my entire c drive for lsass.dmp and cant find it because the .dmp file is never created. Can you please post a link directly to the invoke-mimikats.ps1 that I should try? Maybe I still have the wrong one.

 

Invoke-Mimikatz -Command '"log %TEMP%\mimikatz.log" "privilege::debug" "sekurlsa::minidump %TEMP%\lsass.dmp" "sekurlsa::tspkg"'


mimikatz log:
mimikatz(powershell) # log %TEMP%\mimikatz.log
Using 'C:\Users\user4\AppData\Local\Temp\mimikatz.log' for logfile : OK

mimikatz(powershell) # privilege::debug
Privilege '20' OK

mimikatz(powershell) # sekurlsa::minidump %TEMP%\lsass.dmp
Switch to MINIDUMP : 'C:\Users\user4\AppData\Local\Temp\lsass.dmp'

mimikatz(powershell) # sekurlsa::tspkg %TEMP%\lsass.dmp
Opening : 'C:\Users\user4\AppData\Local\Temp\lsass.dmp' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000002)

 

Edited by eeeeeesy
typo
Link to post
Share on other sites

If I intent on doing a proc dump of lsass, I usually use another program or script to do a minidump of lsass so well known malicious bins (like mimikatz) don't have to be loaded on the victim.  I copy that off and then use the non-powershell mimikatz to process or pypykatz or any of the other dump file processors out there.  If I am on the box, I have high privilege and I intent on using mimikatz, might as well just process the memory in place rather than leave artifacts writing to disk.

Link to post
Share on other sites
7 minutes ago, PoSHMagiC0de said:

If I intent on doing a proc dump of lsass, I usually use another program or script to do a minidump of lsass so well known malicious bins (like mimikatz) don't have to be loaded on the victim.  I copy that off and then use the non-powershell mimikatz to process or pypykatz or any of the other dump file processors out there.  If I am on the box, I have high privilege and I intent on using mimikatz, might as well just process the memory in place rather than leave artifacts writing to disk.

How can I do all that though? It might take a while to post all that on here, so can you come on irc.hak5.org #hak5 and help me when you have time please?

Link to post
Share on other sites
  • 8 months later...

Hey all

For anyone still searching for a solution, I found one!

I've been searching for a working solution just to dump the logon hashes with powershell. Haven't found a working one, but instead found a working invoke-mimikatz! The one from PowerSploit and Empire doesn't work, but the one from nishang does. Link: https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1

Time to obfuscate it...

Update (09.09, 23:41 CEST): Successfully obfuscated! I tested it on the latest win10 (version 1903 build 18362.1016). AV was Windows Defender, so it also shouldn't get detected by other AV's. I'm obviously not gonna upload it to virustotal, I don't want that script to be detectable 1 week later...

GL to all who also try it, it's totally possible.

Edited by kuyaya
Link to post
Share on other sites
  • 1 month later...
On 9/5/2020 at 7:49 AM, kuyaya said:

Hey all

For anyone still searching for a solution, I found one!

I've been searching for a working solution just to dump the logon hashes with powershell. Haven't found a working one, but instead found a working invoke-mimikatz! The one from PowerSploit and Empire doesn't work, but the one from nishang does. Link: https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1

Time to obfuscate it...

Update (09.09, 23:41 CEST): Successfully obfuscated! I tested it on the latest win10 (version 1903 build 18362.1016). AV was Windows Defender, so it also shouldn't get detected by other AV's. I'm obviously not gonna upload it to virustotal, I don't want that script to be detectable 1 week later...

GL to all who also try it, it's totally possible.

..and how did you obfuscate it enough to evade AV?

Link to post
Share on other sites
On 9/5/2020 at 7:49 AM, kuyaya said:

Hey all

For anyone still searching for a solution, I found one!

I've been searching for a working solution just to dump the logon hashes with powershell. Haven't found a working one, but instead found a working invoke-mimikatz! The one from PowerSploit and Empire doesn't work, but the one from nishang does. Link: https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1

Time to obfuscate it...

Update (09.09, 23:41 CEST): Successfully obfuscated! I tested it on the latest win10 (version 1903 build 18362.1016). AV was Windows Defender, so it also shouldn't get detected by other AV's. I'm obviously not gonna upload it to virustotal, I don't want that script to be detectable 1 week later...

GL to all who also try it, it's totally possible.

..and how did you obfuscate it enough to evade AV?

Link to post
Share on other sites

That's my little secret😉

If I upload it here, I'm sure some idiots will upload it to virustotal and then it'll get flagged soon.

There's a lot of information about obfuscating scripts out there, I'm sure you'll find your way :).

Link to post
Share on other sites
On 10/7/2020 at 3:37 AM, kuyaya said:

That's my little secret😉

If I upload it here, I'm sure some idiots will upload it to virustotal and then it'll get flagged soon.

There's a lot of information about obfuscating scripts out there, I'm sure you'll find your way :).

def. not going to ask you to upload and give-away as that defeats the purpose.

but can you point me in a direction for an obfuscation that works? I've tried stuff like HideMyPS, InvokeObfuscation but didn't work, as even Windows AV picked them up upon execution. 

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...