Summary
Converts mimikatz.exe into shellcode with Donut, executes it in the spawnto process, and returns the output
- Needs Admin: False
- Version: 1
- Author: @Ne0nd0g
Arguments
commandline
- Description: Mimikatz command-line arguments
- Required Value: True
- Default Value: token::whoami coffee
spawnto
- Description: The child process that will be started to execute Mimikatz in
- Required Value: True
- Default Value: C:\Windows\System32\WerFault.exe
spawntoargs
- Description: Arguments to create the spawnto process with, if any
- Required Value: False
- Default Value: None
verbose
- Description: Show verbose output from Donut
- Required Value: False
- Default Value: None
Usage
MITRE ATT&CK Mapping
S0002 Mimikatz
Detailed Summary
The most recent version of Mimikatz is downloaded when the Merlin container is created. Mimikatz is retrieved from https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
The donut command leverages Donut by @TheWover, which transforms an arbitrary PE into position-independent shellcode. The go-donut library specifically is used with Merlin to generate the shellcode.
Once the shellcode is generated, it is executed in the spawnto process using the process hollowing technique described in the createprocess command documentation. The main difference between this command and the donut command is that the arguments are reduced to only those needed to execute this one PE; use the donut command if you want increased flexibility.
Note that the default spawnto, WerFault.exe, is created with no arguments unless spawntoargs is set. A legitimate WerFault.exe is launched by the Windows Error Reporting service, or by the faulting process itself, with a command line such as -u -p <pid> -s <handle>, so an argument-less WerFault.exe spawned by an unrelated parent stands out in process-creation telemetry.
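The following is an added example and is not part of the Merlin documentation or code base. It shows what the default spawnto looks like from the defender's side: a hunt over process-creation events for WerFault.exe instances whose argument list is empty, or whose -p <pid> reports on a process that is neither the parent nor a svchost.exe (Windows Error Reporting service) launch. The event records are constructed here in the field layout of Sysmon Event ID 1 (Image, CommandLine, ParentImage, ParentProcessId) so the script runs offline; the two heuristics are this example's own, and Get-SysmonProcessCreate is an assumed helper name that maps live Sysmon events into the same shape.

```powershell
# Added example, not Merlin code. Hunts for the process shape the default spawnto
# (WerFault.exe, no spawntoargs) produces. Heuristics are the example's own.

# Constructed sample events in Sysmon Event ID 1 field layout.
# Expected: events 2 and 3 are flagged, 1 and 4 are legitimate, 5 is not WerFault.
$SampleEvents = @(
    [pscustomobject]@{   # 1: WER service launch, normal arguments
        Image           = 'C:\Windows\System32\WerFault.exe'
        CommandLine     = 'C:\Windows\System32\WerFault.exe -u -p 4120 -s 1184'
        ParentImage     = 'C:\Windows\System32\svchost.exe'
        ParentProcessId = 1432
    },
    [pscustomobject]@{   # 2: default spawnto with no spawntoargs
        Image           = 'C:\Windows\System32\WerFault.exe'
        CommandLine     = 'C:\Windows\System32\WerFault.exe'
        ParentImage     = 'C:\Users\alice\AppData\Local\Temp\update.exe'
        ParentProcessId = 5012
    },
    [pscustomobject]@{   # 3: spawntoargs copied from a real instance, wrong parent
        Image           = 'C:\Windows\System32\WerFault.exe'
        CommandLine     = '"C:\Windows\System32\WerFault.exe" -u -p 4120 -s 1184'
        ParentImage     = 'C:\Users\alice\AppData\Local\Temp\update.exe'
        ParentProcessId = 5012
    },
    [pscustomobject]@{   # 4: faulting application reporting on itself
        Image           = 'C:\Windows\System32\WerFault.exe'
        CommandLine     = 'C:\Windows\System32\WerFault.exe -u -p 6100 -s 2048'
        ParentImage     = 'C:\Program Files\App\app.exe'
        ParentProcessId = 6100
    },
    [pscustomobject]@{   # 5: unrelated process, skipped
        Image           = 'C:\Windows\System32\notepad.exe'
        CommandLine     = '"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'
        ParentImage     = 'C:\Windows\explorer.exe'
        ParentProcessId = 3300
    }
)

function Find-SuspiciousWerFault {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        # Split on either separator so the check also runs under pwsh on Linux.
        if (($e.Image -split '[\\/]')[-1] -ne 'WerFault.exe') { continue }

        # Drop the (possibly quoted) image path; what remains is the argument list.
        $arguments = ($e.CommandLine -replace '^"?[^"]*?WerFault\.exe"?', '').Trim()
        $parent    = ($e.ParentImage -split '[\\/]')[-1]
        $reasons   = @()

        if ($arguments -eq '') {
            $reasons += 'no command-line arguments'
        }
        elseif ($arguments -match '-p\s+(\d+)') {
            # Legitimate WerFault reports on its parent, or is started by the WER service.
            $reported = [int]$Matches[1]
            if ($parent -ne 'svchost.exe' -and $reported -ne $e.ParentProcessId) {
                $reasons += "reports on PID $reported but parent is $parent (PID $($e.ParentProcessId))"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Image       = $e.Image
                CommandLine = $e.CommandLine
                ParentImage = $e.ParentImage
                Reason      = $reasons -join '; '
            }
        }
    }
}

# Assumed helper name: maps live Sysmon process-creation events into the sample shape.
function Get-SysmonProcessCreate {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Image           = $data.Image
                CommandLine     = $data.CommandLine
                ParentImage     = $data.ParentImage
                ParentProcessId = [int]$data.ParentProcessId
            }
        }
}

Find-SuspiciousWerFault -Events $SampleEvents | Format-Table -AutoSize
# On a Windows host with Sysmon installed:
# Find-SuspiciousWerFault -Events (Get-SysmonProcessCreate) | Format-Table -AutoSize
```

Seen from the operator's side, the same two checks say what spawntoargs has to look like for the default spawnto to blend in, and why a parent that is neither svchost.exe nor the PID named in -p is the harder problem to fix with arguments alone.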