CodeX's Terminal Window
  • root@codex
  • 🐙Red Team
    • Red Team OPSEC
      • Initial Recon
      • Weaponization
      • Infrastructure
        • Example Red Team Infra
        • Cobalt Strike Redirectors
        • Using SSH Tunneling to secure C2 infra
      • Phishing
      • Internal Recon
      • Lateral Movement
      • Post-Exploitation
      • Exfiltration
      • Cleanup
    • Red Team TTPs
      • Active Directory
      • Persistence
      • Exfiltration
      • Phishing
      • Windows Bypasses
    • Red Team Dev
      • Extending Havoc C2
        • Third Party Agents
          • 1: Understanding the interface
          • 2: Writing the agent
          • 3: Writing the agent handler
          • 4: Testing the agent
      • Loader Dev
        • In Memory OPSEC
          • PE Structures
          • Memory Permissions and Allocation Types
          • In Memory Signatures
          • Thread Stack
          • Windows Events
          • Userland Hooks
          • AMSI & ETW
        • Evasion Adventures
        • Loader basics
        • Sleep masking
        • Mimikatz vs Windows Defender
        • Indirect syscalls
    • Cobalt Strike
      • Modifying the Sleep Mask Kit
      • Discord Beacon Notifications
      • Evading Hunt-Sleeping-Beacons
      • Beacon Object Files
    • Misc. Interesting Stuff
  • 🛡️Blue Team
    • Detecting Cobalt Strike
      • Sleep Mask Kit IOCs
      • Hunting Beacon in the heap
      • Decrypting C2 traffic with known key
  • 🚩CTF Solutions
    • Cyber Defenders Discovery Camp 2021
      • 👁️‍🗨️Lets Go Hunting
      • 🐧Linux Rules The World!
      • 📻Going active
      • 🗄️File it away
      • 😷Behind the mask
  • Box challenges
    • 📦Box Writeups
  • Me myself and I
    • root@codex #
Powered by GitBook
On this page
  • Previous methods of running Mimikatz on windows
  • The dropper
  1. Red Team
  2. Red Team Dev
  3. Loader Dev

Mimikatz vs Windows Defender

Ever wanted to drop Mimikatz to disk during an engagement? Probably not. Lets do it anyways!

PreviousSleep maskingNextIndirect syscalls

Last updated 3 years ago

Old Post - these techniques may/not be effective anymore at the time of reading this.

I've always wanted to get mimikatz to run on windows without getting flagged, but so far I have never been able to get a working Mimikatz binary past Windows 10 Defender. However, since I recently made that fancy new FUD shellcode loader, I thought i'd give it another shot.

Previous methods of running Mimikatz on windows

While I haven't been able to get a working Mimikatz.exe onto Windows 10 so far with Real Time Protection enabled, I have been able to perform mimikatz functionality using a few methods, such as:

Invoke-Mimikatz.ps1

powershell version worked for a while, especially when Invoke-Obfuscation was newly released and working very well. However, over time, it started getting caught at runtime and eventually caught on disk. Also, powershell logging would likely catch this, since unmanaged powershell is no longer as effective on it's own.

Reflectively loading mimikatz

I haven't actually tried this myself so far, due to the next method being my previously preferred method of mimikatz usage, but I have heard from friends over at that you can reflectively inject mimikatz and it will actually run, but then the powershell process will get flagged and killed shortly after. Still works though, but not so stealthy if there's anyone watching alerts over at the blue team...

In memory execution using an agent

This has so far been my most reliable method. Using an existing in memory agent such as Cobalt Strike's Beacon, or Metasploit's Meterpreter to execute mimikatz commands has almost always worked for me so far. Sometimes it has been caught after execution (but it still did execute), similarly to reflectively loading it. On most occasions, however, it works perfectly. This unfortunately requires an in memory agent to already be in place, so it's not as good for drive by attacks where I might just want to plug in a USB, dump creds and run. However, this shows that undetected in memory execution of beacon is still possible.

Edit: On second thought, this is less of a Beacon thing and more of an injection technique thing. Still good to know that beacon's mimikatz gets past WinDef.

The dropper

Ok, so my goal is to make a FUD mimikatz.exe file, that is not detected both at scantime and at runtime. My first attempt was to make use of a shellcode runner I recently made (not the python one, but with similar concepts and ported to C++/Go). I first needed a shellcode version of mimikatz. Now where could I find that...

Donuts!

So I threw it in my dropper and...No command line output. Lets see if it executed properly. One x64Dbg session later, I found the mimikatz shellcode in memory, meaning it did write the shellcode properly. I eventually determined the problem was that it was not running the code in the current thread, so I found a set of arguments to pass to the memory functions in the dropper that made it select the current thread to execute in, and we have mimikatz working!

Now, lets test it against AV!

Oh no, 4 detections. It seems like they are flagging it as Mimikatz, so they might have found the decryption key in the binary and used it to obtain the shellcode. Lets try staging the decryption key, or having it generated at runtime somehow...

Yay! 0 detections. Now lets try it on Windows with Cloud protection enabled...

It loaded fine, but once the mimikatz UI popped up, it got flagged and the process was killed. Maybe the mimikatz shellcode blob in memory is detected after all... Lets try modifying the mimikatz binary before passing it into donut. For AV evasion purposes, I will not be showing the changes made the the binary beforehand, but they are not major, and do not affect any functionality of the mimikatz binary itself.

I then converted the modified binary to shellcode like before, and threw it in the working mimikatz dropper code I had before.

Yay! it works!

I found this great tool called that takes .exes and other files and spits out a blob of shellcode. Great! More stolen code and a few minutes later...Poof! mimikatz shellcode!

🐙
Donut
This
Infosec Prep
Cobalt Strike FTW!