Getting around Windows Defender cheaply and cheerfully: obfuscating Mimikatz

    image

    Hello. Today we will consider the option of running mimikatz on Windows 10. Mimikatz is a tool that implements the functionality of the Windows Credentials Editor and allows you to extract the authentication data of the user logged in to the system in the clear.

    During the pentest it is useful to have a thing that dumps user passwords, but now even the standard Windows Defender built into Windows is becoming a problem and can interfere with our grandiose plans.

    I note that this method is also suitable for other antivirus products (Virustotal BEFORE and AFTER also thinks so), which conduct a static analysis of binaries by signature.
    So, although this method is unlikely to help you against EDR solutions, it can easily bypass Windows Defender.

    Previously, you could get around it by changing the words in the file from mimikatz to mimidogz, deleting a couple of lines in the metadata and banners. Now it has become more difficult, but still possible.

    For the idea of ​​all this action, I express gratitude to the person with the nickname ippsec.

    In this article we will use:


    Copying mimikatz to the victim's computer, we are expected to see such an alert.

    image


    Next, we will carry out a series of manipulations so that Defender ceases to see the threat here.

    First of all, we will find and replace the words mimikatz. Replace mimikatz for example with thunt (you can replace it with anything), and MIMIKATZ with THUNT. It looks something like this.

    image

    Next, we will edit the file mimikatz \ mimikatz \ mimikatz.rc in Visual Studio (which after our replacement is now thunt.rc), replacing mimikatz and gentilkiwi with anything, we also will not forget to replace mimikatz.ico with any other icon. Click "rebuild solution" (or rebuild solution) and get our updated version of mimikatz. Copy the victims to the computer, ii ... alert. Let's find out what Defender works for. The easiest way is to copy a binary with a different size before the first operation of the antivirus.

    To start, copy half and copy to a Windows 10 machine.

    head –c 600000 mimikatz.exe > hunt.exe

    Defender is silent, not bad already. Experimenting, we find the first operation. It looked like this for me:

    head -c 900000 mimikatz.exe > hunt.exe – не сработал
    head -c 950000 mimikatz.exe > hunt.exe –  сработал 
    head -c 920000 mimikatz.exe > hunt.exe – не сработал
    head -c 930000 mimikatz.exe > hunt.exe – не сработал
    head -c 940000 mimikatz.exe > hunt.exe –  сработал 
    head -c 935000 mimikatz.exe > hunt.exe – не сработал
    head -c 937000 mimikatz.exe > hunt.exe –  сработал
    head -c 936000 mimikatz.exe > hunt.exe – не сработал
    head -c 936500 mimikatz.exe > hunt.exe –  сработал
    head -c 936400 mimikatz.exe > hunt.exe –  сработал
    head -c 936300 mimikatz.exe > hunt.exe –  сработал 
    head -c 936200 mimikatz.exe > hunt.exe – не сработал

    Let's open hunt.exe in the hex editor and see what Defender might work for. The eye caught hold of the KiwiAndRegistryTools string.

    image

    Let's play with a random caps - it became KiWIAnDReGiSTrYToOlS, save and copy. Silence, which means that we guessed right. Now we will find all occurrences of these lines in the code, replace and rebuild our project. To check, execute head -c 936300 mimikatz.exe> ​​hunt.exe. Last time Defender worked, now not. Moving on.

    image

    In such a tricky way, adding more and more lines to our hunt.exe, trigger words were discovered - wdigest.dll, isBase64InterceptOutput, isBase64InterceptInput, multirdp, logonPasswords, credman. Replacing them with a random caps, I made sure that Defender stopped swearing at them.
    But it couldn’t be that easy, Defender thought and worked for functions that are imported and case sensitive. These are functions that are called from the netapi32.dll library.

    • I_NetServerAuthenticate2
    • I_NetServerReqChallenge
    • I_NetServerTrustPasswordsGet

    If we take a look at netapi32.dll (C: \ windows \ system32 \ netapi32.dll), we will see that each function is assigned a number.

    image

    We change the function call from the form
    windows.netapi32.I_NetServerTrustPasswordsGet (args)
    to
    windows.netapi32 [62] (args)
    To do this, we need to replace mimikatz \ lib \ x64 \ netapi32.min.lib. Create a netapi32.def file and write the following lines there:

    LIBRARY netapi32.dll
    EXPORTS
      I_NetServerAuthenticate2 @ 59
      I_NetServerReqChallenge @ 65
      I_NetServerTrustPasswordsGet @ 62

    We save and execute the command (do not forget to make a backup of the original netapi32.min.lib just in case)

    lib /DEF:netapi32.def /OUT:netapi32.min.lib

    Once again, we will rebuild the project and copy what we got. Defender is silent. Run the resulting mimikatz with administrator rights.

    image

    Success. Thus, mimikatz is launched and Windows Defender did not work, which is what we were aiming for. Passwords, appearances and hashes are issued.

    Pitfalls

    Waiting:

    * Username : thunt
    * Domain : DESKTOP-JJRBJJA
    * Password : Xp3#2!^&qrizc

    Reality:

    * Username : thunt
    * Domain : DESKTOP-JJRBJJA
    * Password : (null)

    The situation in life is somewhat different from laboratory conditions. You may need to work with the registry to view the password. For example, enable or create a UseLogonCredential key (HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ WDigest). But there may be problems with this, as when rebooting, keys can be set back.

    It can be even worse if, if you run on one of the latest versions of Windows 10, instead of the password in plain-text you will see this:

    * Password : _TBAL_{68EDDCF5-0AEB-4C28-A770-AF5302ECA3C9}

    It's all about TBAL, which is the successor to Automatic Restart Sign-On ( ARSO ). Now, when TBAL is requested, lsasrv checks if the account is local or MS account, and, based on this, uses msv1_0 or cloudAP to save everything necessary to resume a user session. Then the autologon mechanism is set to the hard-coded password _TBAL_ {68EDDCF5-0AEB-4C28-A770-AF5302ECA3C9}.

    Nevertheless, in the laboratory we received the user's password, and in a combat situation, at least we can get hashes.

    Also popular now: