{"id":3452,"date":"2024-05-14T13:37:19","date_gmt":"2024-05-14T11:37:19","guid":{"rendered":"https:\/\/www.dsecbypass.com\/?p=3452"},"modified":"2024-09-13T15:37:51","modified_gmt":"2024-09-13T13:37:51","slug":"simple-anti-virus-bypass-with-mimikatz","status":"publish","type":"post","link":"https:\/\/www.dsecbypass.com\/en\/simple-anti-virus-bypass-with-mimikatz\/","title":{"rendered":"Simple Anti-Virus Bypass with Mimikatz"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.17.3″ _module_preset=”default” custom_padding=”0px||||false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.22.2″ _module_preset=”default” custom_padding=”||||false|false” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2024\/05\/mimikatz-bypass-defender.png” alt=”Mimikatz modified to bypass Defender (AI image)” title_text=”mimikatz-bypass-defender” align=”center” _builder_version=”4.24.3″ _module_preset=”default” background_color=”RGBA(255,255,255,0)” width=”50%” module_alignment=”center” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.24.3″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

This short article presents the update of the script created based on the excellent Black Hills<\/a> article: “naive” or configured to be lax Anti-Virus often relies on signatures, which can be easily circumvented like demonstrated in the initial article.<\/p>\n

During a recent internal pentest<\/a>, our auditor retested this technique on a recent version of Windows Defender configured too permissively and managed to bypass it to run their modified version of the offensive script.<\/p>\n

[\/et_pb_text][et_pb_text module_id=”tamper” _builder_version=”4.24.3″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

The issue<\/h2>\n

The initial script was released in January 2017. When the pentester tried to run the modified PowerShell code from Invoke-Mimikatz, an error like this was returned:<\/p>\n

Exception calling \"GetMethod\" with \"1\" argument(s): \"Ambiguous match found.\"<\/pre>\n
 <\/p>\n
A quick search identified an easy fix to Invoke-Mimikatz: https:\/\/github.com\/mitre\/caldera\/issues\/38#issuecomment-396055260<\/a><\/p>\n
Furthermore, the initial Black Hills script replaces the strings detected by Defender with other fixed strings. The consultant therefore modified the script to generate a random sequence of characters each time the script was executed.<\/p>\n
[\/et_pb_text][et_pb_text module_id=”postprocess” _builder_version=”4.24.3″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
The script<\/h2>\n
The following script is a simple update of the original script in order to respond to the problems encountered by the pentester during his intrusion test.<\/p>\n