Last Updated: 2015-12-14 21:55:50 UTC
by Russ McRee (Version: 1)
Our own Mark Baggett (@markbaggett) recently retweeted Sean Metcalf's (@PyroTek3) Tweet about his Active Directory Security post, an Unofficial Guide to Mimikatz & Command Reference.
This is a freaking gold mine, well done Sean!
Using Mimikatz as part of red/blue exercises and scenarios is near and dear to my heart; along with PowerShell and Metasploit, it was the attacker's toolkit in my May 2015 toolsmith, Attack & Detection: Hunting in-memory adversaries with Rekall and WinPmem. Sean describes Mimikatz and its use in such robust detail that even the uninitiated should be able to grasp the raw power of the tool (both dangerous and useful).
First and foremost, I'll quote one of Sean's most important points:
"This information is provided to help organizations better understand Mimikatz capability and is not to be used for unlawful activity. Do NOT use Mimikatz on computers you don’t own or have been allowed/approved to. In other words, don’t pen-test/red-team systems with Mimikatz without a “get out of jail free card”."
Further, Sean developed this reference after speaking with both hired defenders and attackers, and learned that beyond a couple of the three most-used Mimikatz commands, not many knew the full capability of Mimikatz.
"This page details as best as possible what each command is, how it works, the rights required to run it, the parameters (required & optional), as well as screenshots and additional context (where possible)." Sean indicates there are several that he hasn't dug into fully yet, but expects to in the near future.
Put Unofficial Guide to Mimikatz & Command Reference on your immediate must-read and bookmark list, and find safe ways to explore its capabilities.
Again, if you're one of those folks who spend time in both red and blue team activities, it's imperative that you understand Mimikatz from both perspectives.