AV Evasion - Mimikatz

Name: AV Evasion - Mimikatz
Uploaded: 2019-04-04T16:31:02Z
Channel: IppSec
Description: 00:58 - Installing FireEye Commando to help keep our development environments sync'd 04:30 - Using Git to download mimikatz, openifang with Visual Studi...

IppSec · Beginner ·📄 Research Papers Explained ·7y ago

00:58 - Installing FireEye Commando to help keep our development environments sync'd 04:30 - Using Git to download mimikatz, openifang with Visual Studio 2017 and installing dependencies 08:50 - Verifying that we can compile mimikatz before we make any changes. 11:15 - Creating an Antivirus Exception in Defender to ignore shared drive 12:30 - Remove String: mimikatz and then rename files with mimikatz in the name 13:45 - Remove String: all metadata by editing the RC File (accidentally wipe a quote) 15:00 - Replace Icon 16:00 - Test rebuilding after these changes. 18:00 - Using "head" to split …

Watch on YouTube ↗ (saves to browser)

Chapters (27)

0:58 Installing FireEye Commando to help keep our development environments sync'd

4:30 Using Git to download mimikatz, openifang with Visual Studio 2017 and installi

8:50 Verifying that we can compile mimikatz before we make any changes.

11:15 Creating an Antivirus Exception in Defender to ignore shared drive

12:30 Remove String: mimikatz and then rename files with mimikatz in the name

13:45 Remove String: all metadata by editing the RC File (accidentally wipe a quote)

15:00 Replace Icon

16:00 Test rebuilding after these changes.

18:00 Using "head" to split the binary in half to help identify where Defender is id

19:00 Tons of splitting.

21:20 Found a rough location of a bad string, opening in a hex editor to identify th

22:30 Appears to flag on KiwiAndRegistryTools, lets verify

24:10 Search and replace for "mimi" (whoops, should of done kiwi here!)

25:50 Remove String: KiwiAndRegistryTools

27:20 Decompressing the Defender Signature File, this should speed up finding bad st

30:30 Verifying KiwiAndRegistryTools is removed by testing it against Defender

32:00 From here on... Tons of repetitive stuff to find other strings.

42:45 wdigest.dll is a bad character, lets see if its in a DLL Import or Print State

43:50 Remove String: wdigest.dll

46:25 Remove String: isBase64InterceptOutput, isBase64InterceptInput

52:25 Remove String: multirdp

57:20 Wow. Just realized double clicking a program is a better way to test if an ex

59:50 Remove String: logonPasswords

1:06:00 Remove String: credman

1:11:30 Remove String: I_NetTrustPasswordsGet, this one is different due to being in t

1:15:30 Ordinal loading explained, kind of

1:16:45 Creating a new lib file to do ordinal loading of netapi32 functions. Create D

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →