Mimikatz
Last updated
after downloading:
Here is a general outline of the steps to run Mimikatz from memory and bypass Windows Defender using reflective DLL injection:
Compile Mimikatz as a reflective DLL using a tool like "Visual Studio". This will create a DLL file that can be loaded into a process's memory space.
Identify a legitimate process to inject the DLL into. This could be any process with the required permissions, such as "explorer.exe".
Use a tool like "Process Hacker" or "Process Explorer" to obtain the process ID (PID) of the process you want to inject the DLL into.
Use a tool like "Sysinternals Suite" to create a new process with the same privileges as the process you want to inject the DLL into. For example, you could use "PsExec" to create a new "cmd.exe" process with SYSTEM-level privileges: psexec -i -s cmd.exe
Allocate memory inside the new process's memory space using the "VirtualAllocEx" function: VirtualAllocEx(PID, NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
Write the Mimikatz reflective DLL to the allocated memory using the "WriteProcessMemory" function: WriteProcessMemory(PID, base_address, dll_path, dll_size, NULL)
Use the Windows API function "CreateRemoteThread" to load the Mimikatz reflective DLL into the new process's memory space: CreateRemoteThread(PID, NULL, 0, (LPTHREAD_START_ROUTINE)load_library, base_address, 0, NULL)