In this section I'm going to talk about Mimikatz and the AV cat & mouse game. When it came to gaining some skills in penetration testing, I started by evading the antivirus of a clean Windows 10 machine (Defender). If I remember the times of WinXP and Win7, Microsoft's Defender suite never met my personal expectations, and yes, there were times when Microsoft really did do a bad job!
Nowadays I have really made my peace with Microsoft products, because the core tools of Windows 10 are a pain in the a** for pentesters! I tried to find a way to use mimikatz, wanting to escalate privileges and play with pass-the-hash, but the Defender suite kicked me off every time.
So the idea was born: how to obfuscate and evade the AV in a standard environment. As far as I can tell it took me quite some time to understand how a virus scanner does its job, and I can tell everybody that only Microsoft and the global players among the AV companies understand it completely. But I found a way around it, and if I can, most script kiddies will find a solution sooner or later.
The easy part is finding the patterns on which the AV says NO. Because I come from Unix, it came to mind to use the command "strings" to see which ASCII (and, with "strings -el", UTF-16) strings are in the binary. That was the key to success. But the outside world had already had the same idea, and mimidog & Co. had found their way into the AV databases.
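To make the "strings" step concrete, here is a small reimplementation of what the command does, as an added example of mine and not code from the original post or from mimikatz. It pulls printable ASCII runs and UTF-16LE runs (the wide strings a Windows binary keeps) out of a byte buffer and checks them against a short list of indicator substrings. The indicator list and the byte sample are my own constructions for illustration: the sample is not a real binary, and a real AV signature set is much larger and is not limited to strings.

```python
import re
import sys
from typing import Dict, List, Sequence

MIN_LEN = 4  # same default minimum run length as GNU strings


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n <min_len>`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_wide_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """UTF-16LE runs (what `strings -el` shows); Windows binaries hold many strings wide."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


# Illustrative indicator substrings chosen for this example (assumption, not a
# vendor signature list); matching is case-insensitive.
INDICATORS = ("mimikatz", "sekurlsa", "gentilkiwi")


def flag_indicators(strings: Sequence[str],
                    indicators: Sequence[str] = INDICATORS) -> Dict[str, List[str]]:
    """Map each indicator to the extracted strings that contain it."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        low = s.lower()
        for ind in indicators:
            if ind in low:
                hits.setdefault(ind, []).append(s)
    return hits


def scan(data: bytes) -> Dict[str, List[str]]:
    """Run both extractors over a buffer and return the indicator hits."""
    return flag_indicators(extract_strings(data) + extract_wide_strings(data))


# Constructed sample: not a real PE, just bytes laid out the way a compiled
# binary holds strings (ASCII, then a UTF-16LE string), padded with junk.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x01\x02\x03"
    + b"mimikatz 2.x (x64)\x00"
    + b"\xff\xfe"
    + "sekurlsa::logonpasswords".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80\x81"
    + b"ab\x00"            # shorter than MIN_LEN, so `strings` would not show it
    + b"ADVAPI32.dll\x00"
)


if __name__ == "__main__":
    # Usage: python strings_check.py <file>   (falls back to the built-in sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for ind, matches in scan(blob).items():
        print(f"{ind}: {matches}")
```

Running it on the built-in sample reports the ASCII hit for "mimikatz" and the wide-string hit for "sekurlsa"; the ASCII extractor alone would have missed the UTF-16 command name, which is exactly why checking only "strings" without "-el" gives a false sense of cleanliness.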
Just remember: if you want your software to stay uncaught, never upload it to an AV scanning website. They collect the patterns, and multi-engine scanners share submitted samples with the vendors.
Long story short: after one week my modified mimi[animal] landed in Defender's database, and I had to start from the beginning. After some research I found out that not only the string patterns are matched as harmful; there is much more that the "defenders" check!
Mimikatz does its job by using some libraries to carry out a successful penetration task. So why the hell should an AV program only look for string patterns? The hard part of evading the AV is understanding how to get past the sandbox execution of the AV engine, which emulates the binary and watches what it does (for example which libraries it loads), and this is much more complicated.
All in all, two ideas came to my mind which could eventually work (but for how long?):
- Check whether the software is executing in a sandbox, and skip loading some "dangerous" modules while the sandbox is executing the binary
- Change the way the "harmful" linked libraries get loaded and outsmart the sandbox
Point one was too complicated, and I didn't want to rewrite the major code of mimikatz. But it turned out that point two did the trick.
When I started to pentest a Windows environment I was searching for good sources of information, and I found out that there are no good sources! If somebody had told me that it is so hard to find good information on AV evasion, backdoor programming or privilege escalation, I wouldn't even have thought of investing time in this topic.
- Google helps, but you are always one step behind (most exploits are fixed)
- YouTube helps, but you have to dig deep, and you will find only ideas, no solutions
- exploit-db is very helpful for understanding the vulnerabilities
- Books do help you sharpen your skills, but definitely don't give you any working code!
... but all in all, it is a lonely way of reading code and understanding the attack vectors behind an already fixed vuln.