Mimikatz

Beacon integrates mimikatz. Use mimikatz [pid] [arch] [module::command] <args> to inject into the specified process to run a mimikatz command. Use mimikatz (without [pid] and [arch] arguments) to spawn a temporary process to run a mimikatz command.

Some mimikatz commands must run as SYSTEM to work. Prefix a command with an exclamation mark ( ! ) to force mimikatz to elevate to SYSTEM before it runs your command. For example, mimikatz !lsa::cache will recover salted password hashes cached by the system. Use mimikatz [pid] [arch] [!module::command] <args> or mimikatz [!module::command] <args> (without [pid] and [arch] arguments).

If you need to run a mimikatz command with Beacon’s current access token, you can prefix a command with a @ to force mimikatz to impersonate Beacon’s current access token. For example, mimikatz @lsadump::dcsync will run the dcsync command in mimikatz with Beacon’s current access token. Use mimikatz [pid] [arch] [@module::command] <args> or mimikatz [@module::command] <args> (without [pid] and [arch] arguments).

If you want to run multiple mimikatz commands in a single Beacon command, use the semicolon ( ; ) character to separate them. The maximum length of the combined commands is 511 characters. For example: mimikatz crypto::capi ; crypto::certificates /systemstore:local_machine /store:my /export
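As an added example, not part of the Beacon documentation or its code, the following Python parser takes a console line in the syntax described above (optional [pid] [arch], optional ! or @ prefix, module::command, arguments, semicolon-separated commands, 511-character limit) and breaks it into structured records, as an analyst reviewing Beacon console logs after an engagement would want. The x86/x64 values for [arch] and the assumption that the 511-character limit applies to the command list after [pid] [arch] are mine, not stated by the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

MAX_COMMAND_LENGTH = 511          # limit stated in the Beacon documentation
ARCHES = ("x86", "x64")           # assumed values of the optional [arch] argument
# Optional "!" (elevate to SYSTEM) or "@" (impersonate Beacon's token), then module::command.
_CMD_RE = re.compile(r"^([!@]?)([A-Za-z0-9_]+)::([A-Za-z0-9_]+)$")

@dataclass
class MimikatzInvocation:
    pid: Optional[int]              # None when Beacon spawns a temporary process
    arch: Optional[str]
    elevate_to_system: bool         # "!" prefix
    impersonate_token: bool         # "@" prefix
    module: str
    command: str
    args: List[str] = field(default_factory=list)

def parse_mimikatz_line(line: str) -> List[MimikatzInvocation]:
    """Parse one Beacon console line into its ';'-separated mimikatz commands."""
    tokens = line.strip().split()
    if not tokens or tokens[0].lower() != "mimikatz":
        raise ValueError("not a Beacon mimikatz command: %r" % line)
    rest, pid, arch = tokens[1:], None, None
    # The [pid] [arch] pair is optional and always precedes the command list.
    if len(rest) >= 2 and rest[0].isdigit() and rest[1] in ARCHES:
        pid, arch, rest = int(rest[0]), rest[1], rest[2:]
    body = " ".join(rest)
    # Assumption: the 511-character limit applies to the command list itself.
    if len(body) > MAX_COMMAND_LENGTH:
        raise ValueError("command list exceeds %d characters" % MAX_COMMAND_LENGTH)
    invocations = []
    for chunk in body.split(";"):
        parts = chunk.split()
        if not parts:
            raise ValueError("empty command in %r" % body)
        m = _CMD_RE.match(parts[0])
        if not m:
            raise ValueError("expected [!|@]module::command, got %r" % parts[0])
        prefix, module, command = m.groups()
        invocations.append(MimikatzInvocation(
            pid, arch, prefix == "!", prefix == "@", module, command, parts[1:]))
    return invocations

def privileged_invocations(invs: List[MimikatzInvocation]) -> List[MimikatzInvocation]:
    """Commands that elevate to SYSTEM or impersonate the Beacon token; the ones to
    review first when going through an engagement log."""
    return [i for i in invs if i.elevate_to_system or i.impersonate_token]
```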
