This is for educational purposes only. I write about what I learn. I've only tested this on one of my lab machines (Win 10 version 1803).
I was playing around with a copy that someone made of SubTee's NetKatz.cs. I was just trying to change how the mimikatz.exe got loaded. Instead of pulling down the zip file (as in the original code), I was base64 encoding mimikatz.exe and loading it to see if Windows Defender behaved any differently. Defender stopped it and deleted what it was supposed to. Then I tried hex encoding the latest mimikatz.exe, and Defender complained but let the program run and didn't quarantine or delete anything. Here is my write-up.
First, I converted the latest x64 mimikatz.exe to a hex string file. I found the code I needed on Stack Overflow here: https://stackoverflow.com/questions/11688199/c-sharp-bin-to-hex-and-hex-to-bin
Basically, it reads in the .EXE file at the first highlight (in yellow) and writes out the hex string file at the second highlight (in yellow) in the image below.
Next, I pulled a copy someone made of SubTee’s NetKatz. I got a copy here: https://github.com/re4lity/subTee-gits-backups/blob/master/netkatz.cs
I removed the part that pulled a zip file over the internet and inserted code to read in the mimihex.txt file I created above. I set the value of the "unpacked" variable to my "byteArray" variable, so I didn't have to change anything else in the code below it.
I copied the contents of the program.cs file to c:\temp\mykatz4.cs and compiled the code with my .cs filename (mykatz4.cs). The compile instructions are in the file.
It produces the .EXE.
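As an added, defender-side example that is not part of the original write-up: the procedure above leaves a text file on disk holding a hex-encoded PE image. The check below (my code, with constructed sample inputs and names of my own choosing) flags long hex runs in a text file that decode to an MZ/PE header, which is a simple way to hunt for that staged artifact.

```python
import re
import struct

# Constructed sample inputs (not files from the post): a fake DOS/PE header
# hex-encoded the way the write-up describes, plus a benign hex string.
def _fake_pe_bytes() -> bytes:
    # Minimal DOS header: 'MZ', e_lfanew at offset 0x3C pointing to 0x40,
    # followed by the 'PE\0\0' signature. Not a runnable executable.
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16

SAMPLE_HEX_PE = _fake_pe_bytes().hex()          # what a mimihex-style file holds
SAMPLE_BENIGN = "48656c6c6f20776f726c64"       # "Hello world", too short anyway

HEX_RUN = re.compile(r"[0-9A-Fa-f]{64,}")       # only long hex runs are interesting

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_hex_encoded_pe(text: str) -> list:
    """Return the decoded byte length of every hex run in text that is a PE image."""
    hits = []
    for m in HEX_RUN.finditer(text):
        run = m.group(0)
        if len(run) % 2:        # an odd-length run cannot be a byte string; drop the tail
            run = run[:-1]
        blob = bytes.fromhex(run)
        if looks_like_pe(blob):
            hits.append(len(blob))
    return hits

if __name__ == "__main__":
    print("hex PE found:", find_hex_encoded_pe(SAMPLE_HEX_PE))   # [84]
    print("benign text:", find_hex_encoded_pe(SAMPLE_BENIGN))    # []
```

Run it over the contents of any suspicious .txt file; a non-empty result means the file carries a complete hex-encoded executable header rather than ordinary text.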
When I run the program, Windows Defender complains, and I see the "Virus and threat protection" warning alert pop up. However, Windows Defender lets it run to the end anyway. My lab machine doesn't have Credential Guard, so I get the hash and password.
The funny thing is, when I click the Defender alert this is what I see. It isn't complaining about a file, just the behavior.
I click the "Remove all" button.
What is weird is I don't see that Windows Defender deleted anything (like it did when I ran with base64). All of the files I created, the .exe, the hex file and the .CS files, are still there.
When I run it again, Defender complains again, but still nothing is removed. I don't see much in the event log.
It's like getting pulled over for speeding but only getting a warning. When I did this with base64, Windows Defender stomped all over things.
Feel free to follow me on Twitter https://twitter.com/_markmo_ or (@_markmo_)