AV Evasion - Mimikatz


00:58 - Installing FireEye Commando to help keep our development environments sync'd
04:30 - Using Git to download mimikatz, opening with Visual Studio 2017 and installing dependencies
08:50 - Verifying that we can compile mimikatz before we make any changes.
11:15 - Creating an AV Exception in Defender to ignore shared drive
12:30 - Remove String: mimikatz and then rename files with mimikatz in the name
13:45 - Remove String: all metadata by editing the RC File (accidentally wipe a quote)
15:00 - Replace Icon
16:00 - Test rebuilding after these changes.
18:00 - Using "head" to split the binary in half to help identify where Defender is identifying mimikatz
19:00 - Tons of splitting.
21:20 - Found a rough location of a bad string, opening in a hex editor to identify the string.
22:30 - Appears to flag on KiwiAndRegistryTools, lets verify
24:10 - Search and replace for "mimi" (whoops, should of done kiwi here!)
25:50 - Remove String: KiwiAndRegistryTools
27:20 - Decompressing the Defender Signature File, this should speed up finding bad strings but i still need to do more research here.
30:30 - Verifying KiwiAndRegistryTools is removed by testing it against Defender
32:00 - From here on... Tons of repetitive stuff to find other strings.
42:45 - wdigest.dll is a bad character, lets see if its in a DLL Import or Print Statement.
43:50 - Remove String: wdigest.dll
46:25 - Remove String: isBase64InterceptOutput, isBase64InterceptInput
52:25 - Remove String: multirdp
57:20 - Wow. Just realized double clicking a program is a better way to test if an executable is malicious. Lol.
59:50 - Remove String: logonPasswords
01:06:00 - Remove String: credman
01:11:30 - Remove String: I_NetTrustPasswordsGet, this one is different due to being in the IMPORT table. Use dumpbin /exports to show ordinal addresses
01:15:30 - Ordinal loading explained, kind of
01:16:45 - Creating a new lib file to do ordinal loading of netapi32 functions. Create DEF file, then use lib to compile it.
01:19:40 - Whoops, string isn't here because its I_NetTrust, not I_NetPass. After this mistake, mimikatz is ran
01:22:20 - Running Ghidra to view import tables to see how the ordinal loading works.
01:27:00 - Lets just see what VirusTotal thinks of this binary.

AV Evasion - Mimikatz AV Evasion - Mimikatz Reviewed by Anonymous on April 04, 2019 Rating: 5