AV Evasion - Mimikatz

00:58 - Installing FireEye Commando to help keep our development environments sync'd 04:30 - Using Git to download mimikatz, openifang with Visual Studio 2017 and installing dependencies 08:50 - Verifying that we can compile mimikatz before we make any changes. 11:15 - Creating an Antivirus Exception in Defender to ignore shared drive 12:30 - Remove String: mimikatz and then rename files with mimikatz in the name 13:45 - Remove String: all metadata by editing the RC File (accidentally wipe a quote) 15:00 - Replace Icon 16:00 - Test rebuilding after these changes. 18:00 - Using "head" to split the binary in half to help identify where Defender is identifying mimikatz 19:00 - Tons of splitting. 21:20 - Found a rough location of a bad string, opening in a hex editor to identify the string. 22:30 - Appears to flag on KiwiAndRegistryTools, lets verify 24:10 - Search and replace for "mimi" (whoops, should of done kiwi here!) 25:50 - Remove String: KiwiAndRegistryTools 27:20 - Decompressing the Defender Signature File, this should speed up finding bad strings but i still need to do more research here. 30:30 - Verifying KiwiAndRegistryTools is removed by testing it against Defender 32:00 - From here on... Tons of repetitive stuff to find other strings. 42:45 - wdigest.dll is a bad character, lets see if its in a DLL Import or Print Statement. 43:50 - Remove String: wdigest.dll 46:25 - Remove String: isBase64InterceptOutput, isBase64InterceptInput 52:25 - Remove String: multirdp 57:20 - Wow. Just realized double clicking a program is a better way to test if an executable is malicious. Lol. 59:50 - Remove String: logonPasswords 01:06:00 - Remove String: credman 01:11:30 - Remove String: I_NetTrustPasswordsGet, this one is different due to being in the IMPORT table. Use dumpbin /exports to show ordinal addresses 01:15:30 - Ordinal loading explained, kind of 01:16:45 - Creating a new lib file to do ordinal loading of netapi32 functions. Create DEF file, then use lib to comp