😴
gatari
  • πŸ‘‹root@gatari
  • πŸ”«Active Directory (Boxes)
    • Access Walkthrough
  • πŸ”΄Red Team
    • What is Windows Defender?
    • Post-Exploitation on Disk
    • Command and Control (C2)
      • Signatured by Default
      • Bring Your Own Loader
    • Creating A C2 Framework
      • Prototyping
      • Interfaces
      • Endpoints & Listeners
  • 🚩CTF Writeups
    • 🀑GCTF 2022
      • πŸͺ„ret2secret
      • 🀑login
    • 🀑LNC 2023
      • πŸ‘½Alien Portal
    • 🀑Gryphons Mini-CTF 2023
      • πŸ‘¨β€πŸ’»Web
        • πŸ₯ΆChill
        • πŸͺ Leaked Login
        • πŸͺCookie Monster
        • ✈️Traveller
        • 🀯Headers
      • ☠️Pwn
        • 🐱Netcat
        • πŸ‘¨β€πŸ’»Login
        • πŸ‘©β€πŸ’»Login 2
        • πŸ§‘β€πŸ’»Login 3
      • βͺReverse
        • πŸ”«Valorant Aimbot
        • 🀣WannaLaugh
        • πŸͺšHacksaw
        • 🀫Secret
        • ❓Command & ...POST?
        • πŸ’€Bruh
      • 🧠Sanity Check
        • πŸ‡¨πŸ‡³ζ—©δΈŠε₯½δΈ­ε›½
        • πŸͺ‘Needle in a Haystack(s)
      • πŸ“€Crypto
        • 🀦Ascee? Asskey?
  • πŸ“˜Reviews
    • 😭CRTO - Certified Red Team Operator
Powered by GitBook
On this page
  • What happened?
  • Signatures
  • Packing?
  • Resources
  • If I can't drop to disk, how do I do post-exploitation?
  1. Red Team

Post-Exploitation on Disk

Dropping offensive tooling to disk isn't the greatest idea

PreviousWhat is Windows Defender?NextCommand and Control (C2)

Last updated 8 months ago

What happened?

The official Mimikatz binary is heavily signatured by Windows Defender, as a result as soon as it drops to disk, it is flagged and deleted.

Signatures

Signatures, or hashes, are unique identifiers of files or software. This string, or hash, acts like a digital footprint: even a small change in a file's content results in a completely different hash.

Here's how you can get the SHA256 hash of a file from Powershell:

And, chucking this hash into VirusTotal confirms that the hash is known:

Packing?

... even a small change in a file's content results in a completely different hash...

We can try to use UPX to pack the binary, and change the hash without modifying functionality.

UPX is an advanced executable file compressor. UPX will typically reduce the file size of programs and DLLs by around 50%-70%, thus reducing disk space, network load times, download times and other distribution and storage costs.

PS C:\Users\PC\Desktop\git\mimikatz_trunk\x64> .\upx.exe --best .\mimikatz.exe

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1355264 ->    558080   41.18%    win64/pe     mimikatz.exe

Packed 1 file.
PS C:\Users\PC\Desktop\git\mimikatz_trunk\x64> Get-FileHash .\mimikatz.exe

...18D89FC7BF90063A0203D70C40DFEB7CF03283B754050915B2F906DE15913954...

Seems like the file hash is different now, we can chuck it back to VirusTotal

There are less detections than before- but still gets detected by Windows Defender

Resources

Of course, there are many more things you can do to further obfuscate the mimikatz binary so that you can run it from disk. However, I won't be going into any more detail as I believe that you probably just shouldn't drop offensive tooling to disk.

  1. Recompiling mimikatz from source with bad strings replaced

    https://www.youtube.com/watch?v=9pwMCHlNma4

  2. Invoking mimikatz via Invoke-Mimikatz.ps1 and patching amsi.dll

    https://systemweakness.com/evade-windows-defender-mimikatz-detection-by-patching-the-amsi-dll-4bd9b3964c03

If I can't drop to disk, how do I do post-exploitation?

Instead of directly dropping your post-exploitation tools to disk, an alternative approach is to load your tools directly into memory. This can be achieved using toolkits provided by Command and Control (C2) frameworks, or building your own custom loader (but we're lazy).

πŸ”΄