# Mimikatz

Mimikatz was used to list all available provider credentials using sekurlsa::logonPasswords and perform Pass-The-Hash via sekurlsa::pth.

For this scenario, no significant changes were made to the original functionality of Mimikatz.

Source code and pre-built Mimikatz can be downloaded from: https://github.com/gentilkiwi/mimikatz/

To build the binary with the following instructions, you will need the following dependencies downloaded and installed:

• Microsoft Visual Studio
• Windows Driver Developer Kit (WinDDK)

From the mimikatz folder, run the following command:

"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe" mimikatz.sln /build release

The resulting executable will be found in the x64 folder created during the build process.

This executable should be renamed as m64.exe and should be copied to Resources/payloads/TwoFace.

• Unit42's TwoFace Webshell: Persistent Access Point for Lateral Movement
• Unit42's Striking Oil: A Closer Look at Adversary Infrastructure
• Unit42's Oilrig Playbook Viewer

While Mimikatz covers a wider range of techniques, the version used in the scenario displayed the following:

• (Step6) T1003.001 - OS Credential Dumping: LSASS Memory
• (Step8) T1550.002 - Use Alternate Authentication Material: Pass the Hash