Bypass “Mimikatz” using the Process Injection Technique

Usman Sikander, published in System Weakness, Feb 24, 2022

Mimikatz is an open-source application that enables users to view and save authentication credentials such as Kerberos tickets. Benjamin Delpy is still in charge of the development of Mimikatz, so the toolset is compatible with the most recent Windows versions and contains the most recent attacks.

Endpoint security software and anti-virus systems often identify and quarantine Mimikatz, which is widely used by attackers to steal passwords and escalate privileges. Mimikatz, on the other hand, is also used by penetration testers and red teamers to find and exploit security holes in your network.

In this post, I’ll demonstrate how to bypass detection of Mimikatz using process injection. Most EDRs/AVs identify Mimikatz signatures and quarantine it. There are many ways to get Mimikatz past AV/EDRs. When I compiled Mimikatz and tried to execute it on the latest version of Windows 10, it was caught by Windows Defender.

Mimikatz is an open-source program for which almost every AV/EDR has a signature. When I uploaded Mimikatz to VirusTotal, almost 70% of the AV/EDR engines flagged it as malicious.

Bypassing Techniques

Here, I am going to explain a way to get Mimikatz past Windows Defender. This technique is for red teamers as well as for blue teams, so they can mitigate the threat. I used different ways to bypass Windows Defender with Mimikatz. Microsoft Defender was catching Mimikatz during the execution of the command “sekurlsa::logonpasswords”. I changed this command to “erasor::erasor” and this time I was able to run Mimikatz past Windows Defender. This is really strange: Windows Defender was catching Mimikatz only on this command, not on the API calls.

Mimikatz bypass by changing command

Another way to bypass detection of Mimikatz was introduced by @mrd0x: if you rename mimikatz.exe to DumpStack.log, Windows Defender will not scan the file. This technique only bypasses static detection, and it no longer works because Microsoft has updated its intelligence. For dynamic bypass, the technique mentioned above still works on Windows Defender.

Process Injection Technique

We’re going to create a binary that will inject shellcode into a remote process running on the target machine. Process Injection is a method often used by malware developers and attackers.

Before I explain this technique, I would like to thank @TheWover, who created Donut. Donut is a position-independent code loader that enables in-memory execution of VBScript, JScript, EXE, DLL files, and dotNET assemblies.

When I first began learning about malware development and AV/EDR evasion, most papers and blogs advised using syscalls. An attacker may avoid detection controls (like user-land hooking) by employing syscalls. Because AV/EDR user-mode hooks can only observe an application’s user-mode behaviour, evasion is feasible. Windows Defender is really weak at detecting shellcode in binary format (.bin).

STEPS:

1. Firstly, I created position-independent shellcode of Mimikatz using the Donut tool mentioned above. To turn the executable into shellcode in binary format you just need to run the command ./donut mimikatz.exe -a 2. It will generate a loader.bin file, which is the position-independent shellcode of the Mimikatz binary.
Mimikatz ShellCode Generation

2. To inject the shellcode into the remote process, I created an injector that uses syscalls in order to bypass AV/EDRs, which mainly focus on user-land API hooking. Before implementing the use of syscalls, it is necessary to first identify the native/syscall equivalent of each Windows API used in the baseline code.

Native API

NtOpenProcess
NtAllocateVirtualMemory
NtWriteVirtualMemory
NtCreateThreadEx
NtClose

These are the APIs that I used in my binary to inject the Mimikatz shellcode into the remote process.

Direct Syscalls

Manually implementing syscalls is difficult since the numbers vary across OS versions, service packs, and builds. It’s a good thing SysWhispers2 exists to undertake the tiresome job for us by keeping a lookup table of known syscall numbers for various Windows versions.

3. Finally, you need to inject the shellcode into the remote process. This will bypass Windows Defender static and dynamic detection.

Here is the video of the execution which I tested beforehand. You can create your own custom injector to inject the Mimikatz shellcode into the remote process, and it will fully bypass MDE.
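As an added defensive example (not part of the original post): a small Python detector that runs over constructed, Sysmon-style telemetry lines and flags the two footprints the steps above leave behind, a remote thread whose start address is not backed by any loaded module (the injected Donut loader) and a read of LSASS memory from unbacked code (what sekurlsa::logonpasswords does). The Sysmon event IDs and field names are real; the sample events, paths and addresses are constructed, and the one-line key=value layout is an assumption made for simplicity.

```python
import re

# Constructed, simplified Sysmon-style events (key=value, one event per line; paths and
# addresses are made up). Event 8 = CreateRemoteThread, Event 10 = ProcessAccess.
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Users\\demo\\injector.exe TargetImage=C:\\Windows\\System32\\notepad.exe "
    "StartAddress=0x0000022B0A3E0000 StartModule=-",
    "EventID=10 SourceImage=C:\\Windows\\System32\\notepad.exe TargetImage=C:\\Windows\\System32\\lsass.exe "
    "GrantedAccess=0x1010 CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|UNKNOWN(0000022B0A3E1234)",
    "EventID=8 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\svchost.exe "
    "StartAddress=0x00007FFB1C2D3E40 StartModule=C:\\Windows\\System32\\ntdll.dll",
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe "
    "GrantedAccess=0x1000 CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|C:\\Windows\\System32\\KERNELBASE.dll+2a2e3",
]

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one key=value line into a dict (values contain no spaces in this layout)."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return a finding name for one parsed event, or None if nothing suspicious."""
    eid = event.get("EventID")
    if eid == "8":
        # A thread created in another process whose start address belongs to no loaded
        # module is the footprint of injected shellcode such as the Donut loader.
        if event.get("StartModule", "-") == "-" and event.get("SourceImage") != event.get("TargetImage"):
            return "remote_thread_unbacked_start"
    elif eid == "10":
        target = event.get("TargetImage", "").lower()
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        # LSASS opened with VM_READ from a call stack containing an UNKNOWN (unbacked) frame:
        # credential dumping driven by injected code rather than a legitimate module.
        if target.endswith("\\lsass.exe") and granted & PROCESS_VM_READ and "UNKNOWN(" in event.get("CallTrace", ""):
            return "lsass_read_from_unbacked_code"
    return None


def scan(lines):
    """Return (finding, source, target) for every event that trips a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        name = classify(ev)
        if name:
            findings.append((name, ev.get("SourceImage"), ev.get("TargetImage")))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Both benign sample events (a thread started inside ntdll.dll, and an LSASS open without VM_READ) pass through, which is the point of checking the start module and the access mask rather than only the event ID.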

CONCLUSION

In this post, we learned how to get Mimikatz past Windows Defender. The best way we found is process injection: we injected the Mimikatz shellcode into a process to extract credential dumps. This post is for red teamers as well as blue teams, so they can mitigate the threat.
