Running an Obfuscated version of Mimikatz in Memory to bypass AntiVirus and other host based controls

About

The other day I was part of an engagement that called for post-exploitation work on a target system (administrative access had already been obtained) with the goal of stealing credentials. Many posts online cover this already, and I will reference them as we go; this is just a supplement to everything else out there.

Mimikatz is a tool that collects credentials, including cleartext passwords, LAN Manager hashes, Kerberos tickets and a number of other items. This post leverages Mimikatz, but instead of downloading the binary to the target's disk and risking that antivirus or other host-based controls trip and stop us, we will download the script directly into memory and run it without ever touching disk.

Additionally, there are a few obfuscation techniques that can be applied with simple Linux fu to generate this "custom" version of Mimikatz and help it bypass AV. Lastly, there is another technique to obfuscate the actual PowerShell command that performs the download and runs the exploit.