This is a quick and dirty POC with no frills, no guard rails and almost no testing 😊.
It looks for things like “mimikatz” and “sekurlsa” in the executable and replaces it with a string like “mimifish” and “sekufish” but in the executable rather than the source code. Helpful if you don’t have the source code!
All this does is takes an EXE and turns it into a HEX string. It converts the string to search for and string to replace into HEX and then searches for it in the HEX representation of the file. Then replaces the value and converts it back to a file. In this POC, the FIND string size needs to be the same as the REPLACE string size.
This is what normal mimikatz looks like from Benjamin Delpy and Vincent le Toux.
And here is what it looks like after I replace some strings in the executable. Notice it didn’t find “sekurlsa” because I replaced it with “sekufish”. Also I’ve butchered the the ASCII art (I believe I once read that some AV’s look for the ascii art of mimikatz).
And when I run “sekufish” instead of “sekurlsa” it still runs like normal and I’m dumping credentials on my machine. Hooray I didn’t destroy the functionality.
Here is a quick virus total look of the binary before the string replacement.
After here is virus total after the string replacement. It made a difference!
I only spent an hour on changing a few of the strings so it is likely, with some effort, this might fare better in Virus Total. One thing to note, when I ran DITTO on the binary (and cloned notepad) it also dropped the detection rate further.
Here is the POC code for a console program. I hard coded the input and output files (sorry I’m super busy).
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE…
feel free to follow me on twitter