A Cobalt Strike beacon comes with its own bundled Mimikatz with a few differences:
- Each mimikatz command are executed in a separate process, so you cannot chain commands
- CS mimikatz uses a special syntax. Commands prefixed with
!are executed as SYSTEM, whereas commands prefixed with@impersonates the beacon’s thread token (which is useful for interacting with remote systems, say through dcsync).
Sample CS mimikatz command:
beacon> mimikatz !lsadump::samSee the beacon command list for actual mimikatz usage.