`execute_assembly`) cross-process code injection is performed and the CLR is loaded into a potentially non-.NET process, though this signal is present for the execution of any .NET code using this method.
`sekurlsa::logonpasswords` command will open up a read handle to LSASS, enumerate the logon sessions present on the system, walk the default authentication packages for each logon session, and extract any reversible password/credential material present. Sidenote: the `sekurlsa::ekeys` command will enumerate ALL key types present for the Kerberos package.
`sekurlsa::pth` is used to over-pass-the-hash, Mimikatz first creates a new logon type 9 process with dummy credentials; this creates a new "sacrificial" logon session that doesn't interact with the current logon session. It then opens the LSASS process with the ability to write to process memory, and the supplied hash/key is patched into the appropriate section for the associated logon session (in this case, the "sacrificial" logon session that was just started). This causes the normal Kerberos authentication process to kick off as if the user had logged on with those credentials, turning the supplied hash into a fully-fledged TGT.
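As an added example (not part of the original page, and not Rubeus or Mimikatz code), here is a defender-side correlation rule in Python that keys on the two host artifacts the `logonpasswords` and `pth` descriptions above imply: a logon type 9 (NewCredentials, the "sacrificial" session) logon event, followed by a write-capable handle to LSASS from the same image. The event records are constructed sample telemetry, and their field names are an assumed, simplified reduction of Windows Security 4624 and Sysmon event 10 records.

```python
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010   # Win32 process access rights (real values)
PROCESS_VM_WRITE = 0x0020
LSASS = r"c:\windows\system32\lsass.exe"
# Constructed sample telemetry, not real logs: Security 4624 logons and Sysmon
# event 10 (ProcessAccess) records, reduced to the fields the rules need.
EVENTS = [
    {"src": "security", "id": 4624, "time": "2024-05-01T10:00:00", "logon_type": 9,
     "process": r"C:\Tools\tool.exe", "target_logon_id": "0xa1b2c"},
    {"src": "sysmon", "id": 10, "time": "2024-05-01T10:00:02",
     "source_image": r"C:\Tools\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1438},
    {"src": "sysmon", "id": 10, "time": "2024-05-01T10:00:05",
     "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1000},
    {"src": "security", "id": 4624, "time": "2024-05-01T10:01:00", "logon_type": 9,
     "process": r"C:\Windows\System32\runas.exe", "target_logon_id": "0xb3c4d"},
]

def lsass_access_kind(ev):
    """Return 'write', 'read' or None for a Sysmon event 10 aimed at lsass.exe."""
    if ev["src"] != "sysmon" or ev["id"] != 10 or ev["target_image"].lower() != LSASS:
        return None
    mask = ev["granted_access"]
    if mask & PROCESS_VM_WRITE:
        return "write"   # patching a key into a logon session needs write access
    if mask & PROCESS_VM_READ:
        return "read"    # credential extraction needs only a read handle
    return None

def correlate(events, window_s=30):
    """Report LSASS memory access; a write from an image that created a logon
    type 9 session within window_s seconds is flagged as over-pass-the-hash."""
    recent_type9 = {}  # image -> (time, target_logon_id)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["src"] == "security" and ev["id"] == 4624 and ev["logon_type"] == 9:
            recent_type9[ev["process"].lower()] = (t, ev["target_logon_id"])
            continue
        kind = lsass_access_kind(ev)
        if kind is None:
            continue
        logon = recent_type9.get(ev["source_image"].lower())
        if kind == "write" and logon and t - logon[0] <= timedelta(seconds=window_s):
            alerts.append(("overpass_the_hash", ev["source_image"], logon[1]))
        else:
            alerts.append(("lsass_" + kind, ev["source_image"], hex(ev["granted_access"])))
    return alerts
```

The query-only svchost.exe handle (0x1000) and the lone runas.exe type 9 logon produce no alert, which is the point of correlating the two signals rather than alerting on either alone.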
`asktgt` command is run (or Kekeo's equivalent), the raw Kerberos protocol is used to request a TGT, which is then applied to the current logon session if the `/ptt` flag is passed.
`/ptt`), the TGT for the current logon session will be overwritten. This behavior can be avoided (with administrative access) by using the `/createnetonly` command to create a sacrificial process/logon session, then using `/ptt /ticket:X /luid:0xa..` with the newly created process LUID. If using Cobalt Strike, running the `make_token` command with dummy credentials and then `kerberos_ticket_use` with the ticket retrieved by Rubeus will let you apply the new TGT in a way that a) doesn't need administrative rights and b) doesn't stomp on the current logon session's TGT.
`sekurlsa::ekeys` module to return ALL Kerberos encryption keys (same with `lsadump::dcsync`), which are better to use when trying to evade some detections.