Beacon + Mimikatz

Cobalt Strike has a built-in version of Mimikatz that can be used to extract various credential types, but it behaves differently in Beacon than the console version does. Each time you execute Mimikatz in Beacon, it runs in a new temporary process which is then destroyed, so no state (such as an elevated or impersonated token) carries over from one invocation to the next. This means you can't run two "related" commands, such as:

mimikatz # token::elevate
mimikatz # lsadump::sam


The console version does allow you to chain multiple commands from the command line:

PS C:\Tools\mimikatz\x64> .\mimikatz.exe token::elevate lsadump::sam exit


But this is also not supported in Cobalt Strike. Instead, Beacon has its own command convention using the ! and @ symbols as "modifiers". The ! modifier elevates to SYSTEM before running the command (so Beacon must already be running with local administrator rights); the @ modifier impersonates Beacon's current thread token (the one set by make_token, steal_token or pth) before running the command. This latter option is useful in cases where Mimikatz needs to authenticate to a remote system, such as with dcsync, because Beacon's thread token only affects network authentication and Mimikatz's child process would otherwise not inherit it.

So in the example above, the correct Cobalt Strike syntax would be:

beacon> mimikatz !lsadump::sam
