Mimikatz

After downloading:

Here is a general outline of the steps to run Mimikatz from memory and bypass Windows Defender using reflective DLL injection:

  1. Compile Mimikatz as a reflective DLL using a tool like "Visual Studio". This will create a DLL file that can be loaded into a process's memory space.

  2. Identify a legitimate process to inject the DLL into. This could be any process with the required permissions, such as "explorer.exe".

  3. Use a tool like "Process Hacker" or "Process Explorer" to obtain the process ID (PID) of the process you want to inject the DLL into.

  4. Use a tool like "Sysinternals Suite" to create a new process with the same privileges as the process you want to inject the DLL into. For example, you could use "PsExec" to create a new "cmd.exe" process with SYSTEM-level privileges: psexec -i -s cmd.exe

  5. Allocate memory inside the new process's memory space using the "VirtualAllocEx" function: VirtualAllocEx(PID, NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)

  6. Write the Mimikatz reflective DLL to the allocated memory using the "WriteProcessMemory" function: WriteProcessMemory(PID, base_address, dll_path, dll_size, NULL)

  7. Use the Windows API function "CreateRemoteThread" to load the Mimikatz reflective DLL into the new process's memory space: CreateRemoteThread(PID, NULL, 0, (LPTHREAD_START_ROUTINE)load_library, base_address, 0, NULL)
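As an added defensive example that is not part of the original page: each of steps 5 to 7 above leaves host telemetry, and the CreateRemoteThread call in particular is recorded by Sysmon as Event ID 8 with the source image, target image and the module backing the new thread's start address. The script below scans constructed sample Event ID 8 records for the two signatures those steps imply (a thread entry point backed by no loaded module, as a reflective loader running from VirtualAllocEx'd memory would be, or a remote thread started directly on LoadLibrary) and additionally notes a source process outside the Windows directory; all paths, times and addresses are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records, written in the
# "Field: value" form of the rendered event message. Sample data, not real telemetry.
SAMPLE_LOG = r"""
UtcTime: 2024-01-01 12:00:00.000
SourceImage: C:\Users\alice\Downloads\loader.exe
TargetImage: C:\Windows\explorer.exe
StartAddress: 0x00000000026B0000
StartModule:
StartFunction:

UtcTime: 2024-01-01 12:00:01.000
SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Windows\System32\svchost.exe
StartAddress: 0x00007FFB1A2B3C40
StartModule: C:\Windows\System32\ntdll.dll
StartFunction: ntdll.dll!RtlUserThreadStart

UtcTime: 2024-01-01 12:00:02.000
SourceImage: C:\Temp\tool.exe
TargetImage: C:\Windows\System32\cmd.exe
StartAddress: 0x00007FFB1B0C1D20
StartModule: C:\Windows\System32\KERNEL32.DLL
StartFunction: KERNEL32.DLL!LoadLibraryA
"""

LOADER_FUNCTIONS = ("!LoadLibraryA", "!LoadLibraryW")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the rendered log into records: one dict per blank-line-separated block."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            event[key.strip()] = value.strip()
        events.append(event)
    return events


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an Event ID 8 record looks like DLL injection; empty means benign."""
    reasons = []
    source = event.get("SourceImage", "")
    if not event.get("StartModule"):
        # Entry point not backed by any loaded module: a loader stub in VirtualAllocEx'd memory.
        reasons.append("thread start address not backed by a module")
    if event.get("StartFunction", "").endswith(LOADER_FUNCTIONS):
        # Remote thread started directly on LoadLibrary*: classic DLL injection.
        reasons.append("remote thread starts at LoadLibrary")
    if reasons and not source.lower().startswith("c:\\windows\\"):
        reasons.append("source outside the Windows directory: " + source)
    return reasons


def find_injections(text: str) -> List[Tuple[str, List[str]]]:
    """Run classify() over every record and return (target image, reasons) per hit."""
    hits = []
    for event in parse_events(text):
        reasons = classify(event)
        if reasons:
            hits.append((event.get("TargetImage", ""), reasons))
    return hits


if __name__ == "__main__":
    for target, reasons in find_injections(SAMPLE_LOG):
        print("ALERT remote thread into " + target + ": " + "; ".join(reasons))
```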
